Holidaymakers who have booked accommodation using are at risk of being bombarded with spam after an IT glitch allowed open access to email addresses.

The fault meant anyone could find email addresses used by customers of the hotel booking site.

Key Points

  • Email addresses exposed to anyone
  • Customers face increased spam risk
  • Maximum fine £500,000 has admitted the problem but refuses to state how many addresses were exposed or how long the problem lasted for. spotted the glitch earlier this week, and alerted the company. It was fixed last night, and we waited until the problem had been resolved before publishing this story, so we didn't show fraudsters how to get hold of this data.

A member of our technical team who used the site as a customer found on Tuesday night that when he tried to send himself a confirmation email for his booking, from his account page, it didn't work. Instead, he was taken to page which was blank, except for his email address in the top left hand corner.

The web address of that page included a random series of numbers. He inadvertently discovered that by changing the number on the link it would reveal a different email address each time, in the same format his was displayed. At no point did he note down or copy any of those addresses.

Spam risk

The danger with the exposure of email addresses is nowhere near as severe as other personal data such as names, addresses, date of births or bank/credit card numbers.

However, it can expose victims to spam emails, whether for sales or fraud purposes, or emails can be used by hackers to plant viruses.

This incident reinforces the much-touted advice that if you receive any suspicious emails, you should not open them nor click any attachments. Just press 'delete' instead.

Also ensure your computer is adequately protected with anti-virus software (see the Free Anti-Virus Software guide).

Dan Plant, money analyst, says: "This is a timely reminder that we should all guard our personal details closely. Using multiple email addresses, and not duplicating your email as a username for sensitive online log-ins, are sensible steps to take.

"Plus if you used LateRooms and start to get spam, never open attachments or reply to emails if you don't know the person who sent them."

Data revealed

Data breaches are nothing new. In April last year, millions of PlayStation users were warned their personal information, including credit card details, may have been stolen.

And in December 2010, Santander admitted sending 22,000 customers' bank statements to the wrong addresses.

The data watchdog, the Information Commissioner's Office, can levy fines of up to £500,000 for breaches. But such fines are reserved for the most serious breaches, such as the release of bank or health details.

A spokesman says: "We were alerted to this issue on the evening of 30 October – it was immediately raised as the highest priority within the business, with the relevant teams working to resolve it as quickly as possible.

"The issue was resolved by 1 November. Customer security is of the utmost importance to us as a company, and we take problems of this nature extremely seriously."