The issue has been addressed and, fortunately, no payment card details have been exposed

Jun 20, 2012 09:41 GMT

While trying to find trip reservation details on Kayak.com, Kevin Hunt, an elementary school teacher, found that he was able to access the bookings made by other people who shared his last name.

According to The Star, he posted the issue on the FlyerTalk forum, where everyone seemed to be outraged by the incident.

“Just tried some common Names (Smith, Miller) and a 4-digit-number...so many results! I do not want to know where Amanda Smith or Mike Smith stayed and I do not want that anybody sees what I booked. Unbelievable!” wrote one user.

A few hours after Hunt had made the incident public, Kayak.com’s Chief Technology Officer and Co-Founder Paul English joined the conversation, but by that time many users had already posted sensitive information on the forum.

“We have made a fix to our production servers. I will give more info soon. I would appreciate it if you would not post any personal information on this forum or elsewhere,” English wrote.

“Protocol for security breaches is to contact the company and give them time to respond before you go public, as doing so will contribute to risk of someone's info being taken. We've made a fix to production, and we're doing more testing and locking down,” he added.

Shortly after, English posted an update on Kayak.com to detail the incident and reassure customers that their financial details were not exposed. Here’s the complete statement:

We were recently alerted to a flaw on KAYAK, which could have allowed a third party to see some hotel transaction information by matching a last name with the last four digits of a stored credit card.

This flaw left the potential for someone to view other people’s customer contact info and dates of travel. We were able to fix this problem within a few hours of it first being reported. No confidential credit card or payment data was exposed, and there was no systematic access.

We apologize for this error, and I am personally reviewing our technology and processes to minimize the chance of anything like this happening again.