Spyware found on US hotel check-in computers leaks guest info online

According to reports, a troubling security breach involving spyware on the check-in systems of several Wyndham hotels across the United States has surfaced. The spyware, a consumer-grade app called pcTattletale, has been clandestinely capturing screenshots of guest information and leaking them onto the internet due to a security flaw.

The Discovery

Security researcher Eric Daigle discovered the issue during an investigation into consumer-grade spyware, often referred to as “stalkerware” due to its potential misuse for tracking individuals without their consent. Daigle found that pcTattletale was running on the check-in systems of at least three Wyndham hotels, capturing and transmitting screenshots of guest details, including partial payment card numbers and reservation information. The flaw in the spyware’s design allows anyone with knowledge of the vulnerability to access these screenshots from pcTattletale’s servers.

Exposure of Sensitive Data

The screenshots show sensitive guest information from two Wyndham hotels, displayed through a web portal provided by travel tech giant Sabre. Another screenshot revealed access to Booking.com’s administration portal used by a third Wyndham hotel to manage reservations. These breaches expose guests to significant risks, including identity theft and financial fraud.

Wyndham’s Response

Wyndham spokesperson Rob Myers clarified that Wyndham operates as a franchise organization, with each hotel independently owned and operated. Myers did not confirm whether Wyndham was aware of pcTattletale’s presence on their franchisees’ systems or if the use of such spyware aligns with Wyndham’s policies.

Industry-Wide Implications

This incident highlights broader cybersecurity issues within the hotel industry. Booking.com spokesperson Angela Cavis emphasized that while their systems were not directly compromised, the incident underscores how cybercriminals target hotel systems through sophisticated phishing tactics, leading to unauthorized access and potential financial fraud.

Recurring Issue with Stalkerware

This is not the first time pcTattletale has exposed sensitive information due to a security flaw. The spyware’s previous incidents and similar issues with other consumer-grade spyware apps raise significant concerns about the safety and legality of such software. While these apps are often marketed for legitimate purposes, such as monitoring employees or children, they also pose serious risks when misused for tracking individuals without consent, which is illegal.

Ongoing Investigations

Booking.com is investigating the current incident to determine if it is linked to previous breaches where cybercriminals accessed hotel administration portals to deceive customers. The company has noted an increase in phishing attacks targeting their accommodation partners, aiming to extract payments from unsuspecting customers.

The Need for Stronger Regulations

The repeated exposure of sensitive data due to flawed spyware calls for stricter regulations and enforcement actions. Government regulators have occasionally intervened in similar cases, but the growing prevalence of stalkerware demands more robust oversight to protect consumers’ privacy and security.

Conclusion

The discovery of spyware on hotel check-in systems and the subsequent data leaks underline a critical vulnerability in the hospitality sector’s cybersecurity measures. It serves as a stark reminder of the potential dangers posed by consumer-grade spyware and the urgent need for heightened security protocols and regulatory scrutiny to safeguard personal information in the digital age.
