In an unsettling development for travelers who are accustomed to digital tech helping them through the sometimes stressful aspects of being on the road for work or fun, news site TechCrunch reports that a spyware app has been quietly running on the check-in systems of "at least three Wyndham hotels across the United States."

The app is "consumer grade," according to TechCrunch, which should allay some people's fears: this seems not to be a sophisticated state-level attack aiming at capturing sensitive data on Americans' lives. But any spyware is worrisome. From a company called pcTattletale, the malware is said to have "stealthily and continually captured screenshots of the hotel booking systems."

In snaffling up information from hotel check-in systems, those screenshots likely contain guest names and other booking details--potentially for thousands of hotel guests, depending on how long the spyware had been in operation.

There's no indication of how much more sensitive or damaging data, like images of government-issued ID cards, the app was capable of capturing, but security researcher Eric Daigle, who discovered the malware and alerted TechCrunch, said that partial numbers from customers' payment cards were visible in some of the captured screenshots.

The very fact that certain people were checking into specific hotels on particular dates, however, may be sensitive information under some circumstances. Worryingly, the spyware itself has a loophole that means that it's not just the person who planted it that can access the information in the screenshots it captured. In fact, anyone online who knew where to look could gain access.

As yet it's not clear who planted the app, or if any of the information it captured has been used for criminal purposes. It's possible that a hotel staff member was tricked into installing it, in yet another demonstration that the humans in the loop are always the weak point in any digital security system.

TechCrunch also notes that pcTattletale's website says the software can be used for monitoring employees, and while Wyndham hotels explained in a statement that all its hotels in the U.S. "are independently owned and operated" in an effort to offset blame, it also declined to say if use of the spyware was approved under its own policies.

Hotels and related holiday-booking systems have often been the target of hackers, presumably because they represent a rich source of personal and financial information that can be exploited at a later date, or because the hotel can be ransomed after access to its systems is blocked. The BBC recently reported that cybercriminals have been repeatedly targeting customers of vacation booking service Booking.com, often by sneaking into the site's services via hacks of the official systems of partner hotels. This sounds eerily similar to the malware found in the Wyndham hack.

In October 2023, one of Europe's largest hotel chains, Motel One Group, said ransomware attackers had targeted it and gained access to the system--presumably with the intent of locking out the computers and causing disruption and financial harm until a ransom was paid, similar to the recent high-profile United Health and Ascension health care systems attacks. While Motel One was able to thwart the attack, earlier this year hackers did manage to successfully breach security at Texas-based hotel chain Omni, and personal info on about 3.5 million guests was stolen.

Meanwhile, tech watchers will note unsettling similarities between the way that pcTattletale's spyware works and the way that Microsoft's snazzy new AI system, Recall, works. Recall, designed to help you find information you may have lost track of on your home or work PC, also snaps regular shots of what's going on onscreen.

Recall's data, unlike pcTattletale's, is kept secure and should only be accessible to the user of a particular PC, and Microsoft has asserted it's all safe and private, despite the worries of security experts. But the pcTattletale revelation highlights that a bad actor may be keen to gain access to such a system's archive of screenshots, for whatever purpose. And what goes on on a typical home or business PC user's screen may be a lot more compromising or damaging than simple hotel check-in data.

BY KIT EATON