Research conducted by Which? shows that travel industry giants have failed to secure online platforms despite previous high-profile data breaches. Which? found hundreds of data security vulnerabilities in popular travel companies’ online systems including Marriot, British Airways and EasyJet. All three companies have previously suffered severe data breaches and two of them have faced large fines from privacy regulators.
In June 2020, the consumer advisory firm Which? analyzed 98 travel industry companies including major airlines, hotel chains, cruise and tour operators, and booking sites. Which? tested these companies’ main websites, as well as related domains and subdomains. This included promotional sites and employee login portals. With regards to their testing, Which? explains: “We didn’t engage in complex hacking to find this information, but rather used publicly available, lawful online tools that anyone can access.”
The results from their investigation were detailed in a Which? press release and a news article both published a couple of days ago. Their investigation has revealed the troubling fact that the travel industry has not learned its lessons from past breaches. Which? found that many breached companies are still cutting corners when it comes to cybersecurity and securing their customer’s data.
Which? revealed that Marriot, British Airways (BA) and EasyJet rank amongst the worst five companies in the travel industry when it comes to data security. Although these three companies have suffered large-scale breaches in the recent past, their online platforms are still the most vulnerable. These results are unexpected considering that BA and Marriott have also faced large fines from privacy regulators. Furthermore, all three companies suffered major reputational damage for loosing thousands of travelers’ personal data to hackers.
Which? researchers ranked the Marriot hotel chain as the company most vulnerable to security breaches in the travel industry. Marriot was found to have the most vulnerabilities on its websites as well as the most critical issues. The researchers discovered nearly 500 issues, with 96 issues flagged as high severity and 18 deemed critical. Furthermore, three critical vulnerabilities were found on a single website, which could allow attackers to target the sites’ users and their data.
These statistics indicate that Marriot has not learned its lesson from past data breaches. Marriot was fined £99.2 million in July last year for a data breach that exposed 339 million guest records. The breach was discovered back in 2018 and involved hackers gaining access to the Starwood guest reservation database in 2014. Then in May this year, Marriot suffered yet another major data breach. In this instance hackers accessed personal information of some 5.2 million guests after stealing two employees’ login credentials.
When Which? reported its findings to the hotel chain, Marriot apparently responded that it had “no reason to believe” that its customer systems or data had been compromised. Furthermore, Marriot maintained that some findings were “not attributable to Marriot”, and others “could not be validated”. Nonetheless, Marriot told Which? that it would be “taking a closer look at addressing Which?’s findings”.
BA also did not fare well in Which?’s investigation. BA, UK’s largest airline, is currently facing a £183.39 million fine from the Information Commissioner’s Office (ICO). It is being fined for failing to prevent a cyberattack back in 2018. In this attack the personal and financial information of close to half-a-million customers was compromised.
Despite already facing this hefty fine, Which? still found 115 potential vulnerabilities on BA’s websites, including 12 deemed critical. Most vulnerabilities were due to software and applications not having been updated thus placing customers and website users at risk.
In a statement responding to Which?’s findings, a spokesperson for BA said “We take the protection of our customers’ data very seriously and are continuing to invest heavily in cybersecurity. We have multiple layers of protection in place and are satisfied that we have the right controls to mitigate vulnerabilities identified. These controls are not often detected in crude external scans.”
The popular low-cost airline, EasyJet, also fared badly in Which?’s investigation. An investigation of EasyJet’s security practices found 222 vulnerabilities across nine domains run by the airline, including two critical flaws. These two flaws could allow hackers to hijack browsing sessions and steal personal data.
It appears that EasyJet has also not learnt its lesson from the major data breach it suffered earlier this year. In May, the airline suffered a breach in which the personal information of over 9 million customers was stolen. The customer data stolen in this attack included credit card details of more than 2,000 passengers.
When Which? informed EasyJet of the vulnerabilities, the airline responded by taking three affected domains offline. In addition, the airline resolved the flaws on the other six sites. Nevertheless, EasyJet stated that none of the subdomains were linked to easyJet.com and that it had seen “no evidence of any malicious activity on these sites”. Furthermore, EasyJet explained that none of the affected sites stored “any customer passwords, credit card details or passport information.”
Not Yet Hacked but Just as Vulnerable
The other two companies named in the worst five are American Airlines and Lastminute.com. These two companies have not suffered a high-profile data breach yet, but their online platforms are just as vulnerable.
Researchers discovered 291 vulnerabilities on American Airlines’ websites, with 30 being flagged as high severity and seven critical. Most of the problematic sites appeared to be used internally by American Airlines staff. However, researchers found a high-impact vulnerability on a website belonging to American Airlines’ credit card business. American Airlines did not respond to any of Which?’s specific findings, but stated “[We] use a combination of internal and external cyber professionals to regularly identify and test the security of our systems and continue improving our capabilities.”
With regards to Lastminute.com, researchers found vulnerabilities with a spa break site and a holiday site. Which? researchers also found a critical vulnerability with a Lastminute.com related site. The latter could allow hackers to create fake login accounts, as well as manipulate pages and access session cookies. Which? stated that Lastminute.com responded positively to their findings and were launching an investigation.
Which?’s Recommendations to Travelers
Which? provides the following recommendations to travelers:
- Do not use passwords that are easy to guess, such as the word “password”. Users are advised to use strong passwords instead.
- Use a password manager. As some of the best password managers are free, Which? states that there is no reason not to use one.
- Do not save credit card details on websites, especially if not using the service regularly
- Use guest checkout if not using the service often
- Use 2-Factor Authentication (2FA), if available.