Hotel Hippo website goes belly-up after massive security failure

Hippo gone belly-upLast week I wrote about the catalogue of disasters that the Hotel Hippo accommodation booking website had brought upon itself after not taking its customers privacy and security seriously.

When the BBC reported on the issue, the site - which had previously been ignoring the concerns of security researcher Scott Helme - was taken down "for maintenance".

Here's what you would have seen if you visited hotelhippo.com:

hotel-hippo

Well, if you visit the site today you'll see this slightly different message.

Hotel Hippo closed

Website Permanently Closed

If you have any queries, please call us on 08446 606 000 or email info@hotelhippo.com

We sincerely apologise for the inconvenience caused.

Hmm. Goodbye and good riddance, methinks.

Clearly HotelStayUK, who own Hotel Hippo, decided it was too daunting a task to fix the multitude of privacy and security problems - and so have just decided to call it quits.

HotelStayUKIn fact, according to a statement issued by the company, it really is the end of the road for the site.

HotelHippo has shut down and will not reopen. Our investigations showed that just 24 customers were affected by the issues with HotelHippo. This was a small very little used site. But for even one customer, it is obviously completely unacceptable and we are very sorry. We have therefore contacted all these customers and have offered them compensation. We have also set up a helpline where customers can contact us by calling 08446 606 007.

Security of our customers’ data is of the upmost importance to us. Despite there being no issues with our other sites, as the login process is quite different, as a precaution, we advised affected customers and took down all sites in the group one by one to put them through rigorous testing by independent experts to ensure their safety and security. These independent experts will be employed on an on-going basis to regularly test our sites.

One hopes that the other websites run by HotelStayUK are being carefully examined for their own security vulnerabilities and privacy holes, and will only return online once the company is confident that it has a handle on the situation.

For a further detailed discussion of the Hotel Hippo disaster, make sure to read this commentary by software tester Neil Studd, as well as the original revelations by security researcher Scott Helme.

Tags: ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

,

3 Responses

  1. Gulraj Rijhwani

    July 8, 2014 at 3:03 am #

    I wonder, when one company acquires another it is now part of the due diligence process to scrutinise the security considerations and vulnerabilities of associated web sites to the same extent that other potentially costly exposures are investigated. I'm suspecting not.

    • Coyote in reply to Gulraj Rijhwani.

      July 8, 2014 at 9:00 pm #

      Not even close. They haven't even sorted out the problem where employee is fired or leaves and the administrator forget (read: neglect) to remove his/her account, make sure they didn't leave any backdoors (or anyone else did for that matter, scanning that regularly!), and in general lock them out for good….The other problem is when an administrator leaves, does the new admin take care of the old admin? Not always. I know of many instances of exactly this happening. It would be good practice for them to get that down and indeed for corporations to do what you suggest, but let's be real. It's 2014 and the Internet (observe: not the web) is not exactly young (the web isn't either technology wise, but it is a lot younger than the Internet)… this problem will never be resolved, not even as a de facto standard ("standard"). Indeed, humans are the source of the errors and the source of problems in general…. I would be very surprised if this ever changes, as much as one would like to believe otherwise (the problem is no one is perfect and furthermore some are afraid to admit they are not perfect).

      Oh, and this goes for governments too. They as well have not figured this out….

  2. Coyote

    July 8, 2014 at 8:53 pm #

    Indeed: good riddance. I don't know if you made that image with the hippo upside down (based on the title of the post I could see it..) but it is well done either way.

Leave a Reply