This seems like a fairly standard practice used in a lot of systems.<p>Quite a few times I have bought something somewhere as a guest with my email, and then later signed up with that email and all of my history was suddenly in my account. With no confirmation of my email. This doesn't seem that much different in practice.<p>Admittedly there are a couple of odd things here. Them refusing to do anything about it and not contact the original purchaser, giving the last 4 digits of the purchasers credit card, and some other things probably should not be the case.<p>I would assume they have a process for "Put in the wrong email address at purchase", but maybe that falls apart when that email address is associated with another already registered user?<p>That seems the real problem here and not anything about privacy (and I am generally lean on the side of privacy here) when it all boils down to a mistake on the person there made the reservation and accidentally giving someone else their information.
My email address has been used by someone in America to sign up for an online fashion brand. I get emails of their receipts every time they buy new clothes.<p>More recently, they signed up to some tanning salon and I got a receipt for a Brazilian wax!
I got emails from one of these food delivery services a few times for someone elses delivery. Probably from a typoed email as well. I mean yeah there's an information leak, but it's the users own fault, and there really isn't any way to turn it into an attack, and even if you somehow could it would be quite tricky to make money off of it. So in short this is fear mongering by ars imo