Hotel Hippo website goes belly-up after massive security failure

Graham Cluley

Last week I wrote about the catalogue of disasters that the Hotel Hippo accommodation booking website had brought upon itself after not taking its customers' privacy and security seriously.

When the BBC reported on the issue, the site – which had previously been ignoring the concerns of security researcher Scott Helme – was taken down “for maintenance”.

Here’s what you would have seen if you visited hotelhippo.com:

hotel-hippo

Well, if you visit the site today you’ll see this slightly different message.

Hotel Hippo closed

Website Permanently Closed

If you have any queries, please call us on 08446 606 000 or email info@hotelhippo.com

We sincerely apologise for the inconvenience caused.

Hmm. Goodbye and good riddance, methinks.

Clearly HotelStayUK, who own Hotel Hippo, decided it was too daunting a task to fix the multitude of privacy and security problems – and so have just decided to call it quits.

In fact, according to a statement issued by the company, it really is the end of the road for the site.

HotelHippo has shut down and will not reopen. Our investigations showed that just 24 customers were affected by the issues with HotelHippo. This was a small very little used site. But for even one customer, it is obviously completely unacceptable and we are very sorry. We have therefore contacted all these customers and have offered them compensation. We have also set up a helpline where customers can contact us by calling 08446 606 007.

Security of our customers’ data is of the utmost importance to us. Despite there being no issues with our other sites, as the login process is quite different, as a precaution, we advised affected customers and took down all sites in the group one by one to put them through rigorous testing by independent experts to ensure their safety and security. These independent experts will be employed on an on-going basis to regularly test our sites.

One hopes that the other websites run by HotelStayUK are being carefully examined for their own security vulnerabilities and privacy holes, and will only return online once the company is confident that it has a handle on the situation.

For a further detailed discussion of the Hotel Hippo disaster, make sure to read this commentary by software tester Neil Studd, as well as the original revelations by security researcher Scott Helme.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

3 Replies to “Hotel Hippo website goes belly-up after massive security failure”

  1. I wonder whether, when one company acquires another, it is now part of the due diligence process to scrutinise the security considerations and vulnerabilities of associated web sites to the same extent that other potentially costly exposures are investigated. I'm suspecting not.

    1. Not even close. They haven't even sorted out the problem where an employee is fired or leaves and the administrator forgets (read: neglects) to remove his/her account, make sure they didn't leave any backdoors (or anyone else did for that matter, scanning that regularly!), and in general lock them out for good… The other problem is when an administrator leaves, does the new admin take care of the old admin? Not always. I know of many instances of exactly this happening. It would be good practice for them to get that down and indeed for corporations to do what you suggest, but let's be real. It's 2014 and the Internet (observe: not the web) is not exactly young (the web isn't either technology wise, but it is a lot younger than the Internet)… this problem will never be resolved, not even as a de facto standard ("standard"). Indeed, humans are the source of the errors and the source of problems in general… I would be very surprised if this ever changes, as much as one would like to believe otherwise (the problem is no one is perfect and furthermore some are afraid to admit they are not perfect).

      Oh, and this goes for governments too. They as well have not figured this out….

  2. Indeed: good riddance. I don't know if you made that image with the hippo upside down (based on the title of the post I could see it..) but it is well done either way.
