Safe as houses?

Airbnb have been forced to confront their poor response to a serious technical error that could cost them and their clients considerably.

Throughout COVID-19 the 'big providers' have served neither hosts nor visitors well. For much of the time their services were not available to key workers. When these vital workers needed (and continue to need) COVID-safe accommodation, they were only able to book directly with us. This can of course be seen to be a good thing because whilst their charges may be hidden, these agencies cost our visitors more for every night they stay with us.

Last week’s report of a data breach at Airbnb headquarters shows there is more at stake here. 

The data breach

One evening last week, Airbnb hosts started noticing that they were seeing inside other hosts’ inboxes when accessing messaging from their visitors. People reported being able to access the private inboxes of hundreds of other hosts along with their personal data and security information. Apparently, messages with access codes for combination locks and safes could be viewed.

The reported ‘glitch’ was swiftly communicated in Airbnb group discussions online and confirmed to be worldwide. Screenshots were shared online on social networks such as Reddit, Twitter and private group chats.

One Airbnb host in the Reddit community wrote: “It’s very disconcerting. Airbnb is saying they aren’t seeing anything unusual on their end. Interestingly, every time I log in I am seeing a different person’s account.”

Hosts reported being recommended by the customer care team to clear their browser cookies or simply use a different Internet browser. One Airbnb host wrote: “This seems like a major security issue to me, but we feel like Airbnb is not very alarmed.”

Airbnb issued a statement to ProPrivacy which read: “On Thursday, a technical issue resulted in a small subset of users inadvertently viewing limited amounts of information from other users’ accounts. We fixed the issue quickly and are implementing additional controls to ensure it does not happen again. We don’t believe any personal information was misused and at no point was payment information accessible. The technical issue occurred at 9:30 am US Pacific time on Thursday, was identified within an hour, and an investigation launched by our engineering and security teams, and the issue was fixed at 12:30 pm US Pacific time.”

They claim to be confident it was not caused by an illegal infiltration of their infrastructure, and they claim that users could not modify other users’ data.

Mark Simpson, founder of direct bookings resource Boostly and hospitality business expert, commented on the findings: “It is shocking to see accommodation hosts’ data revealed. Not only that but I could see other hosts’ sensitive information including passwords, phone numbers and key access codes for their units. A global company should take better care of their paying hosts and guests.”

The ICO has said that it has not been informed of any data breach but a closer look reveals how serious this is.

GDPR

Such a data leak would seemingly infringe data privacy rights of Airbnb hosts because they did not know where their data was being stored or how it was being used. GDPR [General Data Protection Regulation] Articles six and seven deal with the lawful basis for processing personal data. GDPR is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area, which addresses the transfer of personal data outside the EU and EEA areas.

Sharing information across different countries also triggers extra responsibilities in chapter five of the GDPR. Penalties for a GDPR data breach can reportedly reach up to £17 million. Properties, homes and personal details of hosts and guests were exposed, although whether bank details were exposed has not been confirmed.

Can Airbnb be trusted with data?

This is not the first time Airbnb has been at the centre of a data breach debate. In 2019, the global platform was accused of ignoring requests to access and erase accommodation host data within 30 days under Article 15.17 of GDPR.

These most recent revelations come after Airbnb recently submitted its response to the European Commission’s proposed Digital Services Act, which will regulate digital competition and codify the legal responsibilities of services. In its statement, Airbnb emphasised three key values that it was intent on upholding – safety and trust, greater consistency and data transparency.

Patrick Robinson, Airbnb director of public policy, said at the time: “We are committed to continuing our direct engagement with hundreds of local, regional and national governments to make sure that our platform works for the benefit of everyone.”

In March, Airbnb signed a landmark data-sharing partnership with Eurostat, the statistical office of the European Commission, on the basis that the platform would share some of its host and guest data, including the number of guests using short-term rental platforms and the number of nights booked. It was agreed that data would be shared on a quarterly basis and would allow public authorities to better understand the development of short-term rental platforms, while supporting evidence-based policy decisions across Europe.

Meanwhile earlier this week, in its continuing attempts to work with local governments, Airbnb launched its City Portal, a dedicated solutions platform for municipalities. The portal offers a dashboard, featuring Airbnb data, compliance solutions, direct access to team members, and a central location for enforcement resources.

Protecting our data

While France’s CNIL data privacy authority has confirmed a new investigation into TikTok’s data protection practices, the question remains as to whether Airbnb will face consequences for this recent error.

Ray Walsh, data privacy expert at ProPrivacy said “having access to people’s sensitive personal information, including their names and addresses, as well as property security codes, is putting hosts and consumers at huge amounts of risk. It seems clear that the leak is going to cause a lot of upheaval for Airbnb hosts, who will need to update the codes to their homes in order to secure them and ensure they are not potentially at risk of burglary.”

Walsh pointed out that should reports that hosts were advised to clear their cookies be accurate, this was not an appropriate response by Airbnb’s support teams, as the onus should not be on the user to fix an internal issue. He noted that Airbnb could find itself under investigation under the European Union’s General Data Protection Regulation (GDPR), as well as equivalent governance in the US and other jurisdictions. The GDPR sets a maximum fine for infringements of €20m or 4% of annual global turnover, whichever is greater.

What should you do?

Having taken some legal advice ourselves on what has occurred, we have:

  1. Changed our passwords on Airbnb. This ensures our clients’ data is safe, despite the Airbnb lapses
  2. Signed up to a credit watching service that tells us what has been happening on our account. In view of this breach, for peace of mind you may also wish to ensure no one has hacked into any of your financial accounts
  3. Been told that Airbnb may be subject to class action. If this results in a payout the sums involved are likely to be nominal. The nuisance factor of such an action to the operation of Airbnb may be more significant than any monetary ‘reward’ to hosts

Protecting our client data

  • It might be worth checking out whether or not there is potential for your client data to be compromised. Check for visitors who booked via the OTA platform at the time of the breach
  • We worked out that we did not have any bookings via Airbnb during the time of the breach. Having changed our passwords, we are as confident as we can be that clients’ data is safe with us. We have been advised that any difficulties are the responsibility of Airbnb. In view of booking patterns, our clients can be reassured
  • We strongly stress to clients the benefits of booking direct at www.honestapartments.co.uk. This not only saves you money; it also allows us to ensure your data is as safe as possible

We look forward to welcoming you again soon!

References: itpro.co.uk computerweekly.com
