Hey Martin and Kim, hope you enjoyed your Easter Island tour from May 3rd-9th.

If your name is John Smith, you may not need to worry too much, but if your name is at all unique, or your social media profiles are easily viewed, this may be one of the creepiest things we’ve seen in quite a long time. Thanks to a tip off, we’ve found that many of the most rudimentary travel booking sites, for things like tours, guides and the like reveal your personal details, including email address, amount paid and more, with an ease that’s nothing short of appalling. In fact, we were able to view names, details, pick up points and amount paid for over 1700 bookings in mere minutes. And that’s just one site…

Easter Island, Anyone?

If you’ve ever been to Easter Island, or are going – there’s a very fair chance you booked with EasterIsland.Travel. It’s the #1 rated tour, hotel package and travel company in Easter Island, and without a doubt – it’s a great choice. There’s just one problem. They’re practically publicly broadcasting all of your personal information, which tour, how much you paid and your email address – oh – and where you’re getting picked up.

Serious Implications

This may not sound like too big of a deal to some, but with this information there’s just so much bad that could be done. The information could: allow someone to cancel or amend your booking, let burglars know you’re away, expose your hotel and personal travel plans, add your name to spam email lists (as if we don’t already get enough of them). And that’s just with basic Google searches. Anyone with the aim to cause harm could do much worse with this internet security flaw.

Privacy Breached

No one wants their privacy breached, but you could easily figure out how to pull up the details of anyone who booked. Yes, you. This isn’t some high level spy novel. The screenshots provided show just how easy it was, simply by switching out numbers. By doing so, anyone could quickly gain quite a lot of detail about unwitting strangers Easter Island plans, tours and where someone is staying. For a celebrity, this would be an absolute nightmare travel nightmare. If you ever come across a booking site, which seems to put a unique number into the web address after booking, be weary. By changing any number before yours you may be able to open pandoras box. Yikes.

Are There More

The answer is yes. In fact, it’s been proven in the past. A 2014 story from Current Affair, picked up widely across the media highlighted a similar such security flaw. After consulting tech experts, we were told this sort of issue is extremely common, especially within smaller travel businesses which rely on basic web tools. In a world of GDPR and other protections, it’s simply inexcusable. And as we’ve said – downright creepy. Lets hope this reputable tour company makes their online profile match their real life offerings, without any further public data leaking about you.