Last week I wrote about the catalogue of disasters that the Hotel Hippo accommodation booking website had brought upon itself after not taking its customers' privacy and security seriously.
When the BBC reported on the issue, the site – which had previously been ignoring the concerns of security researcher Scott Helme – was taken down “for maintenance”.
Here’s what you would have seen if you visited hotelhippo.com:
Well, if you visit the site today you’ll see this slightly different message.
Website Permanently Closed
If you have any queries, please call us on 08446 606 000 or email [email protected]
We sincerely apologise for the inconvenience caused.
Hmm. Goodbye and good riddance, methinks.
Clearly HotelStayUK, who own Hotel Hippo, decided it was too daunting a task to fix the multitude of privacy and security problems – and so have just decided to call it quits.
In fact, according to a statement issued by the company, it really is the end of the road for the site.
HotelHippo has shut down and will not reopen. Our investigations showed that just 24 customers were affected by the issues with HotelHippo. This was a small, very little used site. But for even one customer, it is obviously completely unacceptable and we are very sorry. We have therefore contacted all these customers and have offered them compensation. We have also set up a helpline where customers can contact us by calling 08446 606 007.
Security of our customers’ data is of the utmost importance to us. Despite there being no issues with our other sites, as the login process is quite different, as a precaution, we advised affected customers and took down all sites in the group one by one to put them through rigorous testing by independent experts to ensure their safety and security. These independent experts will be employed on an on-going basis to regularly test our sites.
One hopes that the other websites run by HotelStayUK are being carefully examined for their own security vulnerabilities and privacy holes, and will only return online once the company is confident that it has a handle on the situation.
For a further detailed discussion of the Hotel Hippo disaster, make sure to read this commentary by software tester Neil Studd, as well as the original revelations by security researcher Scott Helme.
3 comments on “Hotel Hippo website goes belly-up after massive security failure”
I wonder, when one company acquires another it is now part of the due diligence process to scrutinise the security considerations and vulnerabilities of associated web sites to the same extent that other potentially costly exposures are investigated. I'm suspecting not.
Not even close. They haven't even sorted out the problem where an employee is fired or leaves and the administrator forgets (read: neglects) to remove his/her account, make sure they didn't leave any backdoors (or anyone else did for that matter, scanning that regularly!), and in general lock them out for good…. The other problem is when an administrator leaves, does the new admin take care of the old admin? Not always. I know of many instances of exactly this happening. It would be good practice for them to get that down and indeed for corporations to do what you suggest, but let's be real. It's 2014 and the Internet (observe: not the web) is not exactly young (the web isn't either technology wise, but it is a lot younger than the Internet)… this problem will never be resolved, not even as a de facto standard ("standard"). Indeed, humans are the source of the errors and the source of problems in general…. I would be very surprised if this ever changes, as much as one would like to believe otherwise (the problem is no one is perfect and furthermore some are afraid to admit they are not perfect).
Oh, and this goes for governments too. They as well have not figured this out….
Indeed: good riddance. I don't know if you made that image with the hippo upside down (based on the title of the post I could see it..) but it is well done either way.