A security breach has been discovered in the web booking system for one of Europe’s leading UNESCO World Heritage sites, exposing personal information from bank details to the mobile phone numbers and emails of travel agents and individual tourists.
While the company that runs the website for the Alhambra – the Moorish palace and gardens at Granada in southern Spain – says the fault has been fixed, travel agents are worried they could face legal action from customers for whom they arranged entry tickets.
It is estimated that data on up to 4.5 million visitors and nearly 1,000 agents could have been accessed after being used to log into the portal.
Web management company Hiberus said it was not aware that any data theft had taken place before the fault was pointed out and rectified.
Notably, investigative website El Confidencial said a similar booking system to the Alhambra’s is being used by other Spanish tourism sites and event organisers. It did not reveal names.
The Alhambra, home to the last Moorish ruler to surrender to Christian forces in 1492 after almost eight centuries of Islamic presence in Spain, is the second most visited monument in the country.
The fault in the system was uncovered by a group called La9, which said the breach had left the webpage open to malicious hackers since 2017.
Juan Peláez, president of the Granada travel agents association, said they were worried about possible actions being taken and were taking legal advice.
“It is a very delicate subject because there is much data on clients that could go against us. The agency for data protection could also intervene.”
He said the association had expressed concern last year about the amount of information requested to log into the system.
El Confidencial said the people most likely to be affected by the breach were travel agents from around the world who were posting banking details in making bookings for clients.
“The information exposed was accessible to anyone with the minimum of computer knowledge,” it said.
The breach also opened up the possibility of phishing, using emails and phone numbers known by the victims to lure them into passing on information.