Airbnb accommodation privacy ‘breached’ through online ‘glitch’

Worldwide: Airbnb hosts have reported seeing other hosts’ private inboxes, rather than their own, on their accounts, revealing discussions between hosts and guests, including addresses and codes to enter the properties.

The reported ‘glitch’ was swiftly communicated in Airbnb group discussions online and confirmed to be worldwide. Screenshots were shared online on social networks such as Reddit, Twitter and private group chats.

One Airbnb host in the Reddit community wrote: “It’s very disconcerting. Airbnb is saying they aren’t seeing anything unusual on their end. Interestingly, every time I log in I am seeing a DIFFERENT person’s account.”

Customer service at the 24-7 support line recommended clearing browser cookies or using a different internet browser if and when hosts could see others reporting the same issue.

Another Airbnb host wrote: “This seems like a MAJOR security issue to me, but we feel like Airbnb is not very alarmed.”

Mark Simpson, founder of direct bookings resource Boostly and hospitality business expert, commented on the findings: “It is shocking to see accommodation hosts’ data revealed. Not only that but I could see other hosts’ sensitive information including passwords, phone numbers and key access codes for their units.

“A global company should take better care of their paying hosts and guests,” he added.

Such a data leak would seemingly infringe the data privacy rights of Airbnb hosts because they did not know where their data was being stored or how it was being used. GDPR [General Data Protection Regulation] Articles six and seven deal with the lawful bases for processing personal data.

GDPR is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area, which addresses the transfer of personal data outside the EU and EEA areas.

Sharing information across different countries also triggers extra responsibilities in chapter five of the GDPR. Penalties for a GDPR data breach can reportedly reach up to £17 million.

Properties, homes and personal details of hosts and guests were exposed, although bank details have not been confirmed.

This is not the first time Airbnb has been at the centre of a data breach debate. In 2019, the global platform was accused of ignoring requests to access and erase accommodation host data within 30 days under Article 15.17 of GDPR.

The revelations come just a week after Airbnb submitted its response to the European Commission’s proposed Digital Services Act, which will regulate digital competition and codify the legal responsibilities of services. In its statement, Airbnb emphasised three key values that it was intent on upholding – safety and trust, greater consistency and data transparency.

Patrick Robinson, Airbnb director of public policy EMEA, said at the time: “We are committed to continuing our direct engagement with hundreds of local, regional and national governments to make sure that our platform works for the benefit of everyone.”

In March, Airbnb signed a landmark data-sharing partnership with Eurostat, the statistical office of the European Commission, on the basis that the platform would share some of its host and guest data, including the number of guests using short-term rental platforms and the number of nights booked. It was agreed that data would be shared on a quarterly basis and would allow public authorities to better understand the development of short-term rental platforms, while supporting evidence-based policy decisions across Europe.

Earlier this week, in its continuing attempts to work with local governments, Airbnb launched its City Portal, a dedicated solutions platform for municipalities. The portal offers a dashboard, featuring Airbnb data, compliance solutions, direct access to team members, and a central location for enforcement resources.

In a statement, Airbnb said: “On Thursday, a technical issue resulted in a small subset of users inadvertently viewing limited amounts of information from other users’ accounts. We fixed the issue quickly and are implementing additional controls to ensure it does not happen again.

“We don’t believe any personal information was misused and at no point was payment information accessible.

“The technical issue occurred at 9:30 am US Pacific time on Thursday, was identified within an hour, an investigation was launched by our engineering and security teams, and the issue was fixed at 12:30 pm US Pacific time.

“This was not the result of a malicious attack on Airbnb infrastructure. It only existed on the desktop and the mobile web platforms — not on the mobile app.

“The users with inadvertent access could not modify the other users’ data [i.e. send messages, book/alter listings, or perform any actions impacting the payments of the actual user’s account],” it added.