Centaur Website Reveals Guests' Personal Info

Centaur Website Reveals Guests’ Personal Info is a news report published by The Times of India on 20 June 2011, written by Shilpa Phadnis. The article documents a major data security breach at Centaur Hotels that exposed sensitive identity documents of guests to public viewing on their website. It features commentary from Sunil Abraham on the privacy implications and potential legal liabilities under Section 43 of the IT Act 2000. This Times of India article was also published in The Economic Times on the same date.

Article Details
Full Text
Context and Background
External Link

Article Details

📰 Published in:: The Times of India
✍️ Author:: Shilpa Phadnis
📅 Date:: 20 June 2011
📄 Type:: News Report
📰 Newspaper Link:: Read Online

Full Text

BANGALORE: The Centaur Hotels' website, centaurhotels.com, appears to have compromised personal information of its hotel guests, in what seems to be a case of poor internet security protocols implemented by the site. This allowed website visitors on Saturday to obtain and view details of passports, driving licences, pan numbers, credit cards, and other forms of personal identification provided by its guests.

Centaur Hotels, a unit of the Hotel Corporation of India (HCI), is a wholly-owned subsidiary of the National Aviation Company of India that runs national carrier Air India. It runs a hotel near the Delhi international airport and another in Srinagar.

Around 52 scanned copies of passports of people of different nationalities, pan card details of Indian guests and driving licences were visible on the site. The page was taken down when the issue was brought to their notice. Various online facilities such as reservation are not available now. But TOI has screen shots of some of the documents. When contacted, Centaur marketing head Pradeep Garg said, "We will look into the matter. Please lodge a formal complaint. We don't have an online payment system, hence we don't collect any identification proof."

Centaurhotels.com shows the site manager as Capt Samarth Singh, who is the chief executive of a consultancy firm called Hybrid Content. But Singh said that for the past one year, the site was under the jurisdiction of a website developer in Mumbai, S Naidu. "We will, however, clarify to both the parties - Naidu and Centaur Hotels," Singh said.

He said he had sent requests to Centaur Hotels to remove his name from the hotel portal as his contract had ended. Hybrid held the contract from December 2008-April 2010. It has won the mandate to manage the site from June 1. "But the domain is not within my reach. It is still with the old registrar," Singh said.

Sunil Abraham, executive director of Centre for Internet and Society, said personal information leaked online is a breach of privacy. "Anybody collecting passport and credit card details has to follow security policies. According to Sec 43 of the IT Act 2000, the hotel shall be liable to pay damages not exceeding Rs 1 crore to every individual so affected."

Context and Background

This article documents one of the early high-profile data breaches in India’s hospitality sector, occurring before comprehensive data protection frameworks were established. The incident exposed approximately 52 scanned identity documents including passports from multiple nationalities, PAN cards and driving licences, making them accessible to any internet user visiting the Centaur Hotels website.

The breach resulted from poor website security implementation, possibly including inadequate access controls on file directories containing uploaded guest documents. The episode highlighted confusion over responsibility for digital security when multiple parties managed different aspects of a website. Capt Samarth Singh claimed his company Hybrid Content had ended its contract in April 2010, with website control transferred to Mumbai-based developer S Naidu, yet Singh’s name remained listed as site manager more than a year later.

Centaur Hotels’ marketing head claimed the hotel did not collect identification documents despite evidence to the contrary, reflecting either poor internal communication or an attempt to deflect responsibility. This disconnect between data collection practices and official acknowledgement was symptomatic of the pre-data protection era, when many organisations lacked formal data handling policies or incident response protocols.

Sunil Abraham’s invocation of Section 43 of the IT Act 2000 was significant as it established potential statutory liability for the breach. Section 43 provided for compensation of up to Rs 1 crore per affected individual for negligent data security practices. However, enforcement of this provision was exceptionally rare, as it required affected parties to initiate civil proceedings, and most data breach victims either remained unaware of the exposure or lacked resources to pursue litigation.

The incident occurred during a period when Indian hospitality chains routinely collected photocopies or scans of guests’ identity documents for compliance with local police regulations, but lacked standardised security protocols for storing such sensitive information. This breach predated the Supreme Court’s 2017 recognition of privacy as a fundamental right and the subsequent push for comprehensive data protection legislation.