Budget hotel chain OYO is under fire again, this time after a security researcher managed to hack into the company’s database and access the data of people staying at a particular hotel. He found this when he tried to access the WiFi at the OYO he was staying at, which asked for his booking ID and phone number.
Jay Sharma, who wrote about the finding in a LinkedIn post, said that a hacker could access booking IDs, the phone numbers of people staying in a particular room, the date of booking and the location.
When asked for the booking ID and phone number for accessing the WiFi, he wrote, “Why should anybody in the room be forced to share personal information via OTP verification to use a WiFi? Well, I get why OYO would want that but why would a user?”
It was after this that Jay found the vulnerability. He says that historical data dating back a few months was accessible, along with the booking IDs, the phone numbers related to these IDs and timestamps, all of which were unencrypted and could be downloaded.
As per the post, he flagged this to OYO’s cybersecurity team, who offered him Rs 25,000 for it, as they do not have a separate program that rewards independent security researchers who look for loopholes.
“Users who don’t want to be vulnerable to this information leak should not log in for the time being. Wait till OYO announces officially that they have fixed this issue. All the properties which use this login are vulnerable. Collection O, Townhouse etc,” Jay wrote, adding that people must question companies over the personal information they collect.
“We employ and invest heavily in the best in industry cybersecurity mechanisms including in-house security operation centers, internal and external vulnerability scans and network penetration tests, training developers on secure development practices among others,” an OYO spokesperson told Economic Times.
The company also reportedly said that any vulnerability, “no matter how limited-time or small is taken very seriously and looked into”.
Last month, OYO said that they were present in over 500 cities, had 18000+ hotels and had 270,000+ rooms in the country.