Kayak acknowledges that a third party — it turns out to be one of its hotel customers — was able to match a last name on the site with the last four digits of people’s credit cards, and that others could have done so, too.
In a blog post entitled Update on Booking Feature, Kayak CTO Paul English says the “flaw” enabled “a third party to see some hotel transaction information by matching a last name with the last four digits of a stored credit card.”
“This flaw left the potential for someone to view other people’s customer contact info and dates of travel,” English says. “We were able to fix this problem within a few hours of it being first reported.”
The snafu was discovered, according to published reports, by Kayak customer Kevin Hunt, who retrieved hotel transaction details, home addresses, phone numbers, email addresses, credit card expiration dates and, according to English, the last four digits of credit cards belonging to Kayak customers with the same last name.
Kayak has a feature which enables customers to find a Kayak booking by entering a confirmation number or record locator, and a last name.
Alternatively, customers can enter an email address and Kayak will forward all bookings associated with that email address, with the exception of travel completed more than 90 days ago.
Ironically, if you enter your email address and there are no “Kayak bookings,” Kayak emails you that it is “a search engine” and that if you booked your travel on another site, then your booking “information is held securely and privately with that site.”
Hunt apparently used the feature to research a Kayak charge he found on his credit card statement and retrieved private information about the trips of several people with the same last name.
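To make concrete why a lookup keyed on a surname plus the last four digits of a card is too open, here is an added illustration written for this article; it is not Kayak's code, and the bookings, record locators and e-mail addresses in it are constructed. It places that lookup beside one keyed on a per-booking record locator and compares the size of the two key spaces.

```python
import math
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Booking:
    locator: str        # per-booking record locator (constructed, six characters)
    last_name: str
    email: str
    card_last4: str     # last four digits of the card used for the booking
    travel_dates: str


# Constructed sample data for this example. Surnames repeat across customers,
# and with only 10,000 possible values the last four card digits repeat too.
BOOKINGS: List[Booking] = [
    Booking("K7Q2MZ", "Hunt", "a@example.com", "4321", "2007-03-01 to 2007-03-04"),
    Booking("P3XL8D", "Hunt", "b@example.com", "4321", "2007-03-10 to 2007-03-12"),
    Booking("ZV91TQ", "Hunt", "c@example.com", "0987", "2007-04-02 to 2007-04-05"),
    Booking("M2R6YB", "Lee",  "d@example.com", "4321", "2007-03-15 to 2007-03-18"),
]


def _norm(s: str) -> str:
    return s.strip().casefold()


def lookup_by_name_and_last4(last_name: str, last4: str) -> List[Booking]:
    """Too-open lookup: neither input is secret or unique to one customer, so a
    caller who knows only their own surname and card digits can be handed
    other people's bookings whenever the values collide."""
    return [b for b in BOOKINGS
            if _norm(b.last_name) == _norm(last_name) and b.card_last4 == last4]


def lookup_by_locator(locator: str, last_name: str) -> Optional[Booking]:
    """Narrower lookup: the record locator is issued per booking and acts as
    the key; the surname is a second check. Returns at most one booking and
    nothing when either value does not match. (A production endpoint would
    also rate-limit and log failed attempts; omitted here.)"""
    wanted = locator.strip().upper()
    for b in BOOKINGS:
        if b.locator == wanted and _norm(b.last_name) == _norm(last_name):
            return b
    return None


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits in a uniformly random string of `length` symbols from an alphabet
    of `alphabet_size`; used to compare the two lookup keys."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    hits = lookup_by_name_and_last4("Hunt", "4321")
    print(f"surname + last4 returned {len(hits)} bookings belonging to "
          f"{len({b.email for b in hits})} different customers")
    print("locator + surname:", lookup_by_locator("K7Q2MZ", "Hunt"))
    print(f"last4 key space: {keyspace_bits(10, 4):.1f} bits; "
          f"6-char/32-symbol locator: {keyspace_bits(32, 6):.1f} bits")
```

The point the numbers make: four digits carry about 13 bits and are not unique per customer, so pairing them with a surname that many customers share cannot identify a single booking. A six-character locator drawn from a 32-symbol alphabet carries about 30 bits, is unique per booking, and is only ever sent to the person who made it.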
Someone with the screen name “huntk” posted about the issue on a FlyerTalk forum, informed Kayak, alerted the press and later wrote that the issue had been resolved.
Why would Kayak have credit card information and itinerary information anyway?
English apologized for the error and wrote “no confidential credit card or payment data was exposed, and there was no systematic access.”
Still, the feature clearly compromised customers’ privacy, and it is debatable whether exposing personal information together with the last four digits and expiration dates of credit cards rises to the level of exposing “confidential credit card information.”
Certainly, it does not mean that entire credit card numbers were exposed.
A Kayak spokesperson argues that the incident didn’t constitute “an actual breach, just a feature that was too open and left the potential…”
English writes that the problem was fixed within a few hours and “I am personally reviewing our technology and processes to minimize the chance of anything like this happening again.”