Hotel Hippo Shuts Down After Data Breach

Travel website Hotel Hippo has shut down permanently, following a data breach that revealed names, numbers, and booking details of customers.

hotel hippo

The vulnerabilities were discovered by Scott Helme from Pentest Ltd., who made his concerns public on July 1. The site initially ignored his concerns before responding by temporarily suspending service. Operator HotelStayUK has now opted to permanently shut down the site.

Helme discovered that your booking confirmation does not authenticate the user and can be viewed by anyone and by simply changing a few things around in the URL, Helme could view other customers’ bookings.

This was just one of a litany of problems discovered by Helme. When he contacted Hotel Hippo, he was ignored until the BBC and other news outlets picked up on the story.

“HotelHippo has shut down and will not reopen,” said HotelStayUK, “Our investigations showed that just 24 customers were affected by the issues with HotelHippo. This was a small very little used site. But for even one customer, it is obviously completely unacceptable and we are very sorry.”

HotelStayUK say it is offering compensation to those affected via the contact information that is available on the page where the site once was.

“Security of our customers’ data is of the upmost importance to us. Despite there being no issues with our other sites, as the login process is quite different, as a precaution, we advised affected customers and took down all sites in the group one by one to put them through rigorous testing by independent experts to ensure their safety and security. These independent experts will be employed on an on-going basis to regularly test our sites.”

The UK regulator Information Commissioner’s Office (ICO) is believed to be conducting its own investigation into the breach.

Security expert Graham Cluley has not been very forgiving of the damage done to the website in his assertions of the situation.

“Who knows how much money the website downtime must be costing the company?” he wrote. “Frankly, I couldn’t give a monkey’s about the financial losses inflicted to the business at the moment, as its website was treating its customers’ security with such disdain and recklessness.”

“And, if Hotel Hippo – who are owned by HotelStayUK – hired a third party to create the website for them I hope they are having a chat with their solicitors about how they might be able to claim some compensation for the shoddy work.”