Overview
- The vulnerability was uncovered by Chaos Computer Club spokesman Matthias Marx during a self-check-in in Berlin, when he manipulated invoice links to access other guests’ documents.
- As many as 500,000 stays between January 2024 and June 2025 may have been affected, exposing names, addresses, booking information and ID details.
- Numa swiftly patched the security gap and reviewed log files, finding no indication that the flaw had been exploited beyond the CCC’s discovery.
- The hotel operator informed the Berlin data protection authority and reached out to customers whose data could have been accessed.
- Critics say Numa’s insistence on digital ID uploads for self-check-in is unjustified under German law, which dropped ID requirements for hotel stays in January 2024.