Probe exposes ‘serious’ security issues at major travel firms

Thursday, 11 Sep, 2020

Major travel firms have failed to learn the lessons of serious data breaches and are exposing their customers to more danger, an investigation by Which? has revealed.

The consumer body found firms including Marriott, British Airways and easyJet had ‘serious data security vulnerabilities’ on their websites.

The investigation saw Which? scrutinise the security of websites operated by 98 travel companies, including airlines, tour operators, hotel chains, cruise lines and booking sites.

The investigation found that hotel chain Marriott not only had the most vulnerabilities on its websites but the most critical issues.

Researchers found almost 500 in total and more than 100 of these were judged as ‘high’ or ‘critical’.

Of the 18 critical issues exposed, three were found on a single website of one of its hotel chains.

Which? said it could allow attackers to target the site’s users and their data.

On BA sites, the probe unearthed 115 potential vulnerabilities with 12 judged critical.

Most flaws were in software and applications that appeared not to have been updated, Which? said, making them ‘potentially vulnerable to being targeted by hackers’.

EasyJet – which earlier this year had a data breach affecting around nine million customers – had 222 vulnerabilities across nine of its domains uncovered by security experts.

This included two critical vulnerabilities. One was deemed so serious that an attacker could use it to hijack someone’s browsing session, potentially revealing private data.

Which? said all the issues gave hackers a ‘backdoor into the system in order to mount a range of attacks’.

Which? Travel Editor Rory Boland said: "Our research suggests that Marriott, British Airways and easyJet have failed to learn lessons from previous data breaches and are leaving their customers exposed to opportunistic cybercriminals.

"Travel companies must up their game and better protect their customers from cyber threats, otherwise the ICO must be prepared to step in with punitive action, including heavy fines that are actually enforced.

"The government must also allow for an opt-out collective redress regime that deals with mass data breaches – so that companies that play fast and loose with people’s data can be held to account."

In a statement, a Marriott spokesperson told Which?: "Marriott has conducted a preliminary review of Which?’s findings after Which? provided them to Marriott.

"At this stage, there is no reason to believe that the findings impact Marriott’s customer systems or data.

"Marriott also notes that some of the findings are not attributable to Marriott, other findings could not be validated, others have already been addressed through compensating controls, and many of the findings relate to Marriott’s development environment—which contains limited applications and is not connected to Marriott’s customer systems or data."

EasyJet said: "As soon as potential vulnerabilities on nine subdomains were brought to our attention, we investigated this in addition to our regular security reviewing processes and of those, three have been removed as they were expired sites, potential vulnerabilities on one active site have been resolved and we will be resolving the potential vulnerabilities for the remaining five subdomains in the coming days.

"These subdomains are in no way linked to our core website and we have seen no evidence of any malicious activity on these sites and none store any customer passwords, credit card details or passport information.

"We had already started a full review of all domains using a risk-based approach. This would have identified and resolved these potential issues; however, we are pleased we have been able to bring this forward."

BA said: "We take the protection of our customers’ data very seriously and are continuing to invest heavily in cyber security.

"We have multiple layers of protection in place and are satisfied that we have the right controls to mitigate vulnerabilities identified.

"These controls are often not detected in crude external scans."
