Will they never learn? Top travel websites 'full of holes'

Many of the world’s biggest travel brands – who have already been pummelled to within an inch of their existence by Covid-19 – are facing another battering, amid accusations they are leaving millions of customers open to data theft through serious security vulnerabilities on their websites.

According to an investigation carried out in June by Which? into 98 travel firms, including major airlines, tour operators and hotel chains, Marriott International, British Airways and easyJet were in the worst five companies with the most risks identified.

Those with short memories might not recall, but these companies have been responsible for three of the highest profile data breaches of recent years.

BA and Marriott are still contesting proposed record GDPR fines totalling £282m, which at the last count have been pushed backed a third time to this month, while easyJet is under investigation over a breach, revealed in May, that saw the personal data of 9 million customers compromised – and the credit card details of just over 2,200 stolen.

The Information Commissioner’s Office has yet to even comment on that case.

But working in collaboration with security experts 6point6, Which? found 497 vulnerabilities on Marriott-owned websites alone. More than 100 of these were assessed to be “critical” or “high”.

The probe did not cover just the main website of each firm, but related domains and subdomains too – including promotional sites and employee login portals. Any vulnerability in these websites could be an opportunity for a malicious hacker to target users and their data, Which? maintains.

The organisation insists it did not engage in complex hacking to find this information, but rather used publicly available, lawful online tools that anyone can access.

Marriott is not only one of the biggest hotel chains in the world, but it has also suffered not one but two major data breaches. The ICO’s action is only in relation to the 2018 breach; but in May this year the company reported a further incident, affecting 5.2 million guests.

Three critical vulnerabilities were found on a single website of one of Marriott’s hotel chains, involving errors in the software used to run the website potentially allowing an attacker to target the site’s users and their data.

Which? reported its findings directly to Marriott but the firm said it had “no reason to believe” that its customer systems or data had been compromised. It also claimed that some findings were “not attributable to Marriott”, while others “could not be validated”.

It did not supply any specific examples of mitigations but said that it would be “taking a closer look at and addressing Which?’s findings”.

Meanwhile, the investigation found 115 potential vulnerabilities on BA’s websites, including 12 that were judged to be critical. Most of the flaws were software and applications that appeared to have not been updated, making them potentially vulnerable to being targeted by hackers.

When contacted, BA did not indicate to Which? whether it was taking any action to resolve the issues that had been identified. A spokesperson told the organisation: “We take the protection of our customers’ data very seriously and are continuing to invest heavily in cybersecurity. We have multiple layers of protection in place and are satisfied that we have the right controls to mitigate vulnerabilities identified.”

EasyJet also stands accused of data security failings; Which? found 222 vulnerabilities across nine of its domains. The vulnerabilities included two critical flaws, with one so serious that, if exploited, an attacker could hijack someone’s browsing session, the investigators claimed, adding that this could open up opportunities to steal private data.

In response to the research, easyJet took three domains offline and resolved the disclosed vulnerabilities on the other six sites. A spokesperson said that none of these subdomains were linked to easyJet.com, and it has seen “no evidence of any malicious activity on these sites and none store any customer passwords, credit card details or passport information”.

American Airlines is also under the cosh. The investigation uncovered 291 potential vulnerabilities across its websites, with seven critical and 30 high-impact. Most of the more problematic sites appeared to be used internally by American Airlines staff, but Which? did find a high-impact vulnerability on a website for American Airlines’ credit card business.

An attacker would need to steal a login password for this site, but if they did they could potentially tamper with the content or computer systems used to run the website.

American Airlines did not respond to any specific aspects of the research but said: “[We] use a combination of internal and external cyber professionals to regularly identify and test the security of our systems and continue improving our capabilities.”

When Which? assessed Lastminute.com’s 153 subdomains, it found vulnerabilities with a spa break site and a customised holiday site. The security experts also found a critical vulnerability with one site that could enable an attacker to manipulate pages, access sensitive information such as session cookies – showing what has been clicked on – and to create fake login accounts.

Lastminute.com was one of the few businesses that responded positively to the research and launched an internal investigation. However, although it has taken some action, the firm also claimed some of the results were “false positives”, while others were “mainly test sites containing no personal or sensitive data”.

However, Which? has been quick to point out that, regardless of how small, any cybersecurity vulnerabilities must be taken seriously. Breached emails can be used for phishing attacks, stolen credit cards for fraudulent purchases and passport details for ID theft. Even travel plans could be used to target consumers with a more sophisticated fraud.

Which? Travel editor Rory Boland said: “Our research suggests that Marriott, British Airways and easyJet have failed to learn lessons from previous data breaches and are leaving their customers exposed to opportunistic cybercriminals.

“Travel companies must up their game and better protect their customers from cyber threats, otherwise the ICO must be prepared to step in with punitive action, including heavy fines that are actually enforced.

“The Government must also allow for opt-out collective redress when data breaches occur – so that companies that play fast and loose with people’s data can be held to account.”