A recent investigation by Which?, conducted in collaboration with security experts 6point6, revealed that even some of the world’s largest travel and hospitality operators have failed to address vulnerabilities in their online platforms’ security, despite the fact that some have already suffered high-profile data leaks.

Experts assessed the cybersecurity of 98 different travel companies and exposed hundreds of vulnerabilities that exist on the websites of major airlines, hotel chains, cruise lines, tour operators and booking sites. The investigation's findings were collected in June 2020.

Marriott, British Airways and EasyJet were among the five worst companies when it came to gaps in data security, having potentially the most serious and highest number of risks. All three firms have already suffered cybersecurity breaches that collectively exposed around 350 million customers’ private details on the dark web and resulted in Information Commissioner’s Office (ICO) regulators proposing hefty fines for the companies.

Which? examined not only each company’s main website but also all related domains and subdomains, including promotional sites and employee login portals, where any vulnerabilities offer hackers opportunities to target user information.

Investigators noted that they didn’t engage in any complex hacking to reveal these weaknesses, and only utilized lawful, publicly available online tools to conduct their search. Cybercriminals, however, are always scanning for such susceptibilities and, using illegal methods, would doubtless be able to find even further security gaps and weaknesses to exploit.

Marriott:

Experts found 497 vulnerabilities on Marriott-owned websites alone, 96 of which were labeled ‘high impact’ issues and another 18 deemed ‘critical’ (ranked according to an industry-standard scoring system).

One of the world’s largest hotel chains, Marriott has already been the source of two of the travel industry’s worst data breaches in recent memory. In 2018, the company conceded that 339 million of its guests’ records had been maliciously accessed by cybercriminals. Then, another cyberattack in March 2020 compromised a further 5.2 million customers’ personal information.

“Three critical vulnerabilities were found on a single website of one of Marriott’s hotel chains, involving errors in the software used to run the website potentially allowing an attacker to target the site’s users and their data,” Which? investigators wrote.

“We reported our findings directly to Marriott (as we did with all the five providers in our snapshot test) and it said that it had ‘no reason to believe’ that its customer systems or data had been compromised,” Which? reported.

EasyJet:

The low-cost carrier suffered its own data breach back in May 2020, which affected around nine million customers, 2,200 of whom had their credit card details accessed.

Which? investigators discovered 222 total vulnerabilities scattered across nine of EasyJet’s domains. Two of these flaws were judged to be critical, “with one so serious that, if exploited, an attacker could hijack someone’s browsing session,” presenting opportunities to steal their private data.

“In response to our research, easyJet took three domains offline and resolved the disclosed vulnerabilities on the other six sites,” Which? wrote.

An EasyJet spokesperson also told Which? that none of these subdomains were linked to EasyJet.com, and that it has seen “no evidence of any malicious activity on these sites and none store any customer passwords, credit card details or passport information.”

British Airways:

A 2018 breach of British Airways’ systems saw cybercriminals make off with roughly 500,000 customers’ names, email addresses and credit card information. The ICO proposed a fine of $230 million—the largest fine ever levied under the European Union’s General Data Protection Regulation (GDPR) act—and publicly criticized the carrier’s poor security protocols.

Experts identified 115 potential vulnerabilities on British Airways’ websites, 12 of which were deemed critical. Most of these chinks in the company’s online armor were reportedly applications and software that seemed not to have been updated, rendering them vulnerable to attacks by hackers.

In its response to the investigation, BA didn’t mention whether it would take steps to address the issues identified. A BA spokesperson told Which?: “We take the protection of our customers’ data very seriously and are continuing to invest heavily in cybersecurity. We have multiple layers of protection in place and are satisfied that we have the right controls to mitigate vulnerabilities identified.”

American Airlines:

American Airlines is singular in that it has not yet experienced a high-profile data breach, but researchers did find 291 potential vulnerabilities across its websites, 30 of which were high-impact and seven critical.

Which?’s exercise found that most of AA’s susceptible sites seemed to be those used internally by its employees, although there was a high-impact flaw on an American Airlines credit card business website. If an attacker were to obtain a login password for the site, he/she could potentially mess with the content or systems used to support the website.

When contacted, American Airlines didn’t respond to any of Which?’s findings specifically, but said: “[We] use a combination of internal and external cyber professionals to regularly identify and test the security of our systems and continue improving our capabilities.”

Conclusions:

“Our research suggests that Marriott, British Airways and EasyJet have failed to learn lessons from previous data breaches and are leaving their customers exposed to opportunistic cybercriminals,” said Rory Boland, editor of Which? Travel.

“Travel companies must up their game and better protect their customers from cyber threats,” he said, “otherwise, the ICO must be prepared to step in with punitive action, including heavy fines that are actually enforced.”
