Accommodation booking service Hotel Hippo was closed by its parent and “it will not reopen” according to its founder.
In a statement posted on pastebin by founder and managing director Chris Orrell, he said that the site was “little used” but security, safety and privacy was “of the utmost importance to us”. Following the revelations of security failings by Scott Helme, Orrell said he was “very alarmed to hear that our valued customers should have to face this worry” and it was “taking urgent steps to find out exactly what information might have been vulnerable”.
He admitted that its initial investigations show that just 24 customers might be affected, “but for even one customer, it is obviously completely unacceptable and we are very sorry”. He said that this was not something it has ever had to deal with before, and it was “doing everything we can to deal with the situation and ensure that lessons are learned, both by Hotel Hippo and others in the industry.
However the website is now displaying a message that says that the website is “permanently closed”, and a statement issued by its parent company HotelStayUK confirmed the number of affected user.
It said: “Despite there being no issues with our other sites, as the login process is quite different, as a precaution, we advised affected customers and took down all sites in the group one by one to put them through rigorous testing by independent experts to ensure their safety and security. These independent experts will be employed on an on-going basis to regularly test our sites.”
In an email to IT Security Guru, Helme said that the statement does mention that only 24 people were affected, but he was not sure how this could be the case.
“No matter how little the site was used, I can’t believe they only had 24 customers. The vouchers you can purchase to book a hotel (hotelvouchershop.com) are available from many retailers and it seems all of the order went through hotelhippo.com which is also where you receive your booking confirmation links,” he said.
“This leads me to believe that they think they have somehow identified only those customers who have had their details accessed without authorisation. Given that there is no login required to view the data, I’m not sure how they would determine who has accessed specific data and whether or not they should be accessing it. This leaves me wondering where the number ’24’ came from.”
Asked if the issues he found could have been resolved, and the site could have remained live, he said that was more than possible, and his personal view was that the closure was probably related to creating some distance from the brand that has now featured so prevalently in news articles. “I’d guess that they will kill off the brand to prevent any association with other sites and revive it under a new name.”