What Happened:
Budget travelers staying at Ibis Budget hotels were exposed to a potential security risk in late 2023. A vulnerability in the self-check-in kiosks allowed anyone to see the room access code for the previous guest. This means someone using the kiosk after a guest checked in could have potentially gained access to their room.
The Flaw:
The issue stemmed from how the kiosks displayed information after check-in. Once a guest completed the process and received their room code, it remained visible on the screen. This oversight created a window of opportunity for anyone using the kiosk afterward to view the code and potentially misuse it.
Global Reach, Uncertain Impact:
While the exact number of affected locations remains unclear, Ibis Budget boasts over 600 hotels across 20 countries. The budget hotel chain, owned by hospitality giant Accor, has not confirmed which specific locations were impacted.
Pentagrid’s Discovery and Responsible Disclosure:
The vulnerability was identified by Pentagrid, a Swiss IT security assessment firm. They responsibly disclosed the flaw to Accor, allowing them to take corrective action.
Accor’s Patch and Moving Forward:
Accor is credited with swiftly addressing the issue. After being notified by Pentagrid, they promptly rolled out a patch to the affected kiosks. This update ensures room access codes are no longer displayed on the screen after check-in is complete.
Travel Security Tips:
While Ibis Budget has addressed this specific vulnerability, here are some general security best practices for travelers using self-check in kiosks:
- Consider Traditional Check-In: If you’re unsure about the kiosk’s security or feel uncomfortable, opt for traditional check-in with a staff member.
- Shield Your Code: When collecting your room access code, be mindful of your surroundings and shield the screen from prying eyes.
- Report Suspicious Activity: If you notice anything unusual or have concerns about the kiosk’s security, inform hotel staff immediately.
Learning from the Lapse:
This incident serves as a reminder of the evolving cybersecurity landscape within the hospitality industry. It highlights the importance of prioritizing guest security and implementing robust security measures, particularly for self-service technologies.
The Takeaway:
While the vulnerability has been patched, travelers should remain vigilant and adopt recommended security practices. Ibis Budget’s prompt action in addressing the flaw demonstrates their commitment to guest safety. Travelers can be cautiously optimistic that future stays will be both budget-friendly and secure.
