Centre for Internet & Society

The Centaur Hotels' website, centaurhotels.com, appears to have compromised personal information of its hotel guests, in what seems to be a case of poor internet security protocols implemented by the site. This allowed website visitors on Saturday to obtain and view details of passports, driving licences, pan numbers, credit cards, and other forms of personal identification provided by its guests.

Centaur Hotels, a unit of the Hotel Corporation of India (HCI), is a wholly-owned subsidiary of the National Aviation Company of India that runs national carrier Air India. It runs a hotel near the Delhi international airport and another in Srinagar.

Around 52 scanned copies of passports of people of different nationalities, pan card details of Indian guests and driving licences were visible on the site. The page was taken down when the issue was brought to their notice. Various online facilities such as reservation are not available now. But TOI has screen shots of some of the documents. When contacted, Centaur marketing head Pradeep Garg said, "We will look into the matter. Please lodge a formal complaint. We don't have an online payment system, hence we don't collect any identification proof." 
 
Centaurhotels.com shows the site manager as Capt Samarth Singh, who is the chief executive of a consultancy firm called Hybrid Content. But Singh said that for the past one year, the site was under the jurisdiction of a website developer in Mumbai, S Naidu. "We will, however, clarify to both the parties - Naidu and Centaur Hotels," Singh said. 
 
He said he had sent requests to Centaur Hotels to remove his name from the hotel portal as his contract had ended. Hybrid held the contract from December 2008-April 2010. It has won the mandate to manage the site from June 1. "But the domain is not within my reach. It is still with the old registrar," Singh said. 
Sunil Abraham, executive director of Centre for Internet and Society, said personal information leaked online is a breach of privacy. "Anybody collecting passport and credit card details has to follow security policies. According to Sec 43 of the IT Act 2000, the hotel shall be liable to pay damages not exceeding Rs 1 crore to every individual so affected." 
This article by Shilpa Phadnis was published in the Times of India on June 20, 2011. Read the original here