Airbnb has become the latest holiday brand to suffer a major data breach after the company was forced to admit to an incident that has exposed hosts’ private inboxes to users across the global platform.
The home-sharing business, whose European HQ is based in Dublin, has reported itself to the Irish Data Protection Commission, although given the regulator’s current record – and bulging inbox – it could be a while yet before any enforcement action is taken.
The Irish DPC currently has more than 65 statutory GDPR investigations under way, two dozen of which are into tech multinationals; more than half relate to Facebook, eight directly focus on the main site, two for WhatsApp and one into Instagram. It also has three probes into Apple, and one each into LinkedIn, Quantcast, Verizon and Tinder.
Like the UK Information Commissioner’s Office, the Irish DPC has made just one GDPR ruling since the law came into force in May 2018.
The Airbnb issue first emerged late last week when users reported a “glitch” in online group discussions, with screenshots of the errors shared on social networks such as Reddit, Twitter and private group chats.
When contacted, Airbnb’s 24-7 support line recommended users clear browser cookies or use a different Internet browser if and when hosts could see others reporting the same issue.
In a statement, the company said that “technical issues resulted in a small subset of users inadvertently viewing limited amounts of information from other users’ accounts” and that it had “fixed the issue quickly”.
It insists that no personal information has been misused and payment information was not accessible at any point during the three-hour outage, although this is a standard response to any data breach.
Back in July, when US cloud computing and education software giant Blackbaud admitted to paying off hackers to delete a stolen copy of sensitive data, it assured customers that debit and credit card information was not affected. It has since emerged that bank account details were compromised.
Perhaps unsurprisingly, Airbnb hosts have voiced concerns that their personal data, including passcodes or payment information, may have been compromised and open to hackers.
Mark Simpson, founder of direct bookings resource Boostly, said: “It is shocking to see accommodation hosts’ data revealed. Not only that but I could see other hosts’ sensitive information including passwords, phone numbers and key access codes for their units. A global company should take better care of their paying hosts and guests.”
The travel industry has one of the worst records when it comes to data security. Last month, an investigation carried out by Which? into 98 travel firms, including major airlines, tour operators and hotel chains, many are leaving millions of customers open to data theft through serious security vulnerabilities on their websites.
Marriott International, British Airways and easyJet, which have been responsible for three of the highest profile data breaches of recent years, were in the worst five companies with the most risks identified.
At the time, Which? Travel editor Rory Boland said: “Travel companies must up their game and better protect their customers from cyber threats, otherwise the ICO must be prepared to step in with punitive action, including heavy fines that are actually enforced.”
From bad to worse: Blackbaud admits finance data loss
Will they never learn? Top travel websites ‘full of holes’
Will it ever end? Now Marriott wins further GDPR delay
Irish data regulator issues first GDPR ruling in two years
ICO issues first GDPR fine, but it’s not BA or Marriott
Law firm pounces on EasyJet breach with £18bn claim
EasyJet rocked as data breach hits 9 million customers
Fresh delay to Marriott and BA fines fuels ICO criticism
BA allots £20m for GDPR fine but may not pay a penny
BA and Marriott block £282m GDPR fines – yet again
BA and Marriott to escape GDPR mega fines…for now