Major airlines and hotel chains have failed to secure their online platforms even after previous data breaches and cyberattacks exposed the information of millions of customers and drew fines from privacy regulators.
That’s the conclusion of an investigation by Which?, which found hundreds of data security vulnerabilities on the websites of popular travel companies including Marriott, British Airways, and EasyJet, all of which have previously suffered a severe data breach.
In June 2020, the consumer group analyzed 98 travel industry companies, ranging from airlines to cruise operators, revealing a troubling trend.
Marriott is playing a dangerous game. Researchers analyzing Marriott-run websites discovered nearly 500 vulnerabilities, with 96 issues flagged as high severity, and 18 deemed critical.
“Three critical vulnerabilities were found on a single website of one of Marriott’s hotel chains, involving errors in the software used to run the website potentially allowing an attacker to target the site’s users and their data,” investigators said. “We reported our findings directly to Marriott (as we did with all the five providers in our snapshot test) and it said that it had ‘no reason to believe’ that its customer systems or data had been compromised.”
The hotel chain might have been able to shrug this off, if not for the £99.2 million fine over the 2018 data breach that exposed records of 339 million guests, and the May 2020 breach that compromised the information of an additional 5.2 million customers.
EasyJet’s not in the clear either. Researchers found 222 vulnerabilities across nine domains run by the airline company, including two critical flaws, “with one so serious that, if exploited, an attacker could hijack someone’s browsing session.”
The announcement comes after the low-cost airline disclosed a major data breach that exposed personal details of 9 million customers, including credit card details of more than 2,000 passengers.
“In response to our research, EasyJet took three domains offline and resolved the disclosed vulnerabilities on the other six sites,” Which? added.
British Airways, the UK’s largest airline, suffered a cyberattack in 2018 that exposed the personal and financial information of around 500,000 customers. The company faces a record fine from the Information Commissioner’s Office (ICO) of £183.39 million.
Researchers found 115 potential vulnerabilities on websites run by the airline, including 12 deemed critical. After the findings were disclosed to the company, the researchers saw no sign that mitigation steps had been taken.
“We take the protection of our customers’ data very seriously and are continuing to invest heavily in cybersecurity,” a British Airways spokesperson told Which? investigators. “We have multiple layers of protection in place and are satisfied that we have the right controls to mitigate vulnerabilities identified.”
Although American Airlines has not been subject to a high-profile data breach yet, researchers discovered 291 vulnerabilities on its websites, with 30 flagged as high severity and seven deemed critical.
“Most of the more problematic sites appeared to be used internally by American Airlines staff, but Which? did find a high-impact vulnerability on a website for American Airlines’ credit card business,” investigators said.
It seems that the travel industry has not learned its lesson, with many breached companies cutting corners when it comes to cybersecurity and the safety of customer data.
“Travel companies must up their game and better protect their customers from cyber threats, otherwise the ICO must be prepared to step in with punitive action, including heavy fines that are actually enforced,” Rory Boland, editor of Which? Travel, said.