pcTattletale Exposes Wyndham’s Booking Systems, Guest Data

Spyware was discovered on guest registration computers at several Wyndham hotel locations in the United States, capturing and publishing screenshots containing personal customer information.

The program, named “pcTattletale,” continuously took screenshots of the hotel’s internal software, revealing all booking details and customer data. Moreover, due to a vulnerability in this spyware, these screenshots were accessible on the open internet.

Security researcher Eric Daigle identified the vulnerability in pcTattletale during his investigation of consumer spyware. This program allows remote viewing of Android or Windows devices and operates stealthily without notifying the device owner. However, the vulnerability enabled direct downloads of screenshots from pcTattletale’s servers.

A screenshot of pcTattletale’s member portal, which lets users download its monitoring app and states that “users will not know pcTattletale is installed and running.” Image Credits: TechCrunch (screenshot)

Screenshots from two Wyndham hotels, provided to TechCrunch, displayed guest names, booking details, and partial payment card numbers. Another screenshot showed access to the booking management system of Booking.com.

It is currently unknown who installed the application within these companies’ networks—remote attackers, active employees, or the hotel owners themselves.

Rob Myers, a representative of Wyndham, confirmed that all of the chain’s hotels in the U.S. are independently owned and operated. Managers at one of the affected hotels stated they were unaware of the spyware on their computers, while representatives from two other hotels have not yet responded to inquiries.

Booking.com stated that their systems were not compromised, but the Wyndham incident highlights how hotel systems can become targets for cybercriminals.

Such applications are often referred to as “stalkerware” due to their ability to monitor individuals without their knowledge or consent. Although this is not the first instance of such software being found in large companies’ networks, the leak of all collected data into public view is of unprecedented significance.

The security of hotel guests’ personal data has been jeopardized, necessitating heightened control and security measures from hotel chains and the companies providing their computer systems and technologies.

It is worth noting that this is not Wyndham’s first data breach incident. Between 2008 and 2010, the hotel chain fell victim to three cyberattacks, resulting in the theft of customers’ personal and payment information. Subsequently, the U.S. Federal Trade Commission charged Wyndham with negligence in protecting its customers.