When you book a trip online, think about all the personal data you share—your address, your passport information, and naturally, your credit card info. If you're booking through a large airline or hotel chain, you probably assume your info's safe and secure. However, a recent report by Which? shows that many big names inside the travel and hospitality sectors continue to struggle with keeping customer data safe.
The investigation, conducted in June 2020 in collaboration with security firm 6point6, found that the websites of 98 travel companies contained hundreds of vulnerabilities that a third party could exploit. The companies range from hotel chains and airlines to tour operators and cruise lines.
Among the worst offenders were British Airways, Marriott, and easyJet—three companies that have already been the target of data breaches, resulting in the personal info of close to 350 million customers being leaked.
"Unfortunately, these types of security breaches are incredibly common. This is troubling because these companies keep sensitive customer information like users' names, addresses, email addresses, and payment information, so if the data is exposed, they could be making their customers more susceptible to identity theft, which could result in financial losses," Gabe Turner, cybersecurity expert and chief editor of digital security website Security.org told TripSavvy. "Companies need to invest more heavily in digital security, especially if they handle customers' personally identifiable information."
Which? also found stolen travel data for sale on the dark web: 7.2GB of data from the travel booking site ixigo could be purchased for $262. It included names, addresses, passwords, passport numbers, and other sensitive information.
The Which? study examined all related domains and subdomains of each affected company's main website, including employee login portals, looking for points at which an attacker could gain access to sensitive information. The investigators didn't use sophisticated hacking techniques; they relied on legally available tools that anyone can use.
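The first step of the kind of survey described above is simply working out which hostnames belong to a company, without touching its servers. The following is an added example, not code from Which?, 6point6, or TripSavvy, of one freely available technique: passively collecting subdomains from certificate-transparency records and flagging the ones that look like staff login portals. It assumes records shaped like the JSON that a crt.sh search returns (each record's "name_value" holds one or more newline-separated names); the records for example.com below are constructed for the example and are not real CT data.

```python
"""Passive subdomain discovery from certificate-transparency records.

Added example, not code from the Which?/6point6 investigation. Assumes
crt.sh-style JSON records; the sample below is constructed, not real.
"""
import json

BASE_DOMAIN = "example.com"

# Constructed sample: the shape of what a CT search for %.example.com
# returns. "name_value" may hold several names separated by newlines.
CT_JSON = """[
  {"common_name": "www.example.com", "name_value": "www.example.com\\nexample.com"},
  {"common_name": "*.example.com", "name_value": "*.example.com"},
  {"common_name": "Staff.Example.com", "name_value": "Staff.Example.com\\nhr-portal.example.com"},
  {"common_name": "booking.example.com", "name_value": "booking.example.com\\ncdn.example.com"},
  {"common_name": "sso.example.com", "name_value": "sso.example.com\\nadmin.example.com"},
  {"common_name": "evil.example.com.attacker.net", "name_value": "evil.example.com.attacker.net"},
  {"common_name": "vpn.example.com", "name_value": "vpn.example.com\\nvpn.example.com"}
]"""

# Labels that commonly mark employee-facing or administrative entry points.
# Heuristic list chosen for this example; extend it for a real engagement.
HINT_WORDS = {"sso", "login", "auth", "admin", "vpn", "portal", "staff",
              "hr", "intranet", "remote", "owa", "citrix"}


def extract_hosts(ct_json, base_domain=BASE_DOMAIN):
    """Return the sorted, de-duplicated hostnames under base_domain.

    Names are lower-cased (CT data mixes case), a leading wildcard is
    dropped so "*.example.com" collapses to the apex, and only names that
    are the base domain or end in ".<base_domain>" are kept. The dotted
    suffix check matters: a naive substring test would also accept
    attacker-registered lookalikes such as evil.example.com.attacker.net.
    """
    hosts = set()
    for record in json.loads(ct_json):
        for name in record["name_value"].split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name == base_domain or name.endswith("." + base_domain):
                hosts.add(name)
    return sorted(hosts)


def looks_like_login_portal(host, base_domain=BASE_DOMAIN):
    """True if any label left of the base domain matches a hint word.

    Labels are also split on '-' so "hr-portal" matches on "portal".
    """
    prefix = host[: -(len(base_domain) + 1)]
    for label in prefix.split("."):
        for part in label.split("-"):
            if part in HINT_WORDS:
                return True
    return False


def triage(hosts, base_domain=BASE_DOMAIN):
    """Subset of hosts worth a closer look as possible employee portals."""
    return [h for h in hosts if looks_like_login_portal(h, base_domain)]


if __name__ == "__main__":
    found = extract_hosts(CT_JSON)
    print(f"{len(found)} hosts under {BASE_DOMAIN}:")
    for h in found:
        tag = "  <- possible staff/admin entry point" if looks_like_login_portal(h) else ""
        print(f"  {h}{tag}")
```

Against a real target the JSON would come from a CT search (or from a tool such as amass or subfinder) and the flagged hosts would then be checked, with the owner's permission, for exposed login pages, outdated software, and the other issues the report counts as vulnerabilities. Nothing in this step sends a packet to the company itself, which is why it is available to a defender auditing their own estate just as much as to an opportunistic attacker.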
Still, some of the companies named in the report insist their cybersecurity measures are adequate. "We take the protection of our customers' data very seriously and are continuing to invest heavily in cybersecurity," Catherine Wilson, a spokesperson for British Airways, told TripSavvy. "We have multiple layers of protection in place and are satisfied that we have the right controls to mitigate vulnerabilities identified. These controls are often not detected in crude external scans."
British Airways was the target of a 2018 cyberattack in which the names, email addresses, and credit card information of close to 500,000 customers were stolen. In response, the ICO proposed a fine of $230 million, the largest fine ever under the General Data Protection Regulation. Which?'s study uncovered 115 potential vulnerabilities on British Airways' website, 12 of which were deemed "critical." It also found a staggering 497 vulnerabilities on Marriott's website and 222 vulnerabilities across easyJet's nine domains. Even companies that haven't yet experienced a high-profile data breach, like Fort Worth, Texas-based American Airlines, were found to have vulnerabilities.
The study concludes that the three companies, among others, "have failed to learn lessons from previous data breaches and are leaving their customers exposed to opportunistic cybercriminals," Rory Boland, Which? Travel's editor, wrote. "Travel companies must up their game and better protect their customers from cyber threats."
Which? "Hundreds of Data Security Risks on Marriott, British Airways and easyJet Websites Exposed by Which?" Sept. 11, 2020