A Which? investigation has exposed hundreds of security vulnerabilities on the websites of major airlines, tour operators and hotel chains.
When cyber security experts checked the security of 98 travel firms they found Marriott, British Airways and easyJet were in the worst five companies with the most risks identified. All three firms have already had breaches affecting nearly 350 million customers combined, which has resulted in hundreds of millions in proposed fines from regulators.
Our experts found 497 vulnerabilities on Marriot owned websites alone. More than 100 of these were assessed to be ‘critical’ or ‘high’.
Coronavirus advice – get the latest updates on how the virus could affect your travel plans
How Which? put travel website cyber security to the test
Which?, working in collaboration with security experts 6point6, assessed the security of websites operated by 98 travel industry companies, including airlines, tour operators, hotel chains, cruise lines and booking sites, in June 2020.
We didn’t just look at the main website of each firm, but related domains and subdomains too – including promotional sites and employee login portals. Any vulnerability in these websites could be an opportunity for a malicious hacker to target users and their data.
We didn’t engage in complex hacking to find this information, but rather used publicly available, lawful online tools that anyone can access.
Cybercriminals are constantly scanning for such vulnerabilities, and while we always stayed within the law, they would almost certainly be able to identify further gaps and vulnerabilities to exploit.
Marriott risks further breaches
Marriott is not only one of the biggest hotel chains in the world, but it also suffered one of the worst data breaches. In 2018, it confirmed that records of 339 million guests had been maliciously accessed by cybercriminals.
Despite the Information Commissioner’s Office (ICO) announcing its intention to fine the firm £100m over the incident, Marriott reportedly suffered a further breach in May 2020 involving 5.2 million guests.
Just a month later our researchers found a staggering 497 total vulnerabilities with Marriott-run websites, including 96 issues deemed as high impact based on an industry standard scoring system, and 18 deemed as critical.
Three critical vulnerabilities were found on a single website of one of Marriott’s hotel chains, involving errors in the software used to run the website potentially allowing an attacker to target the site’s users and their data.
We can’t discuss the issues we found in detail without tipping off the cybercriminals.
We reported our findings directly to Marriott (as we did with all the five providers In our snapshot test) and it said that it had ‘no reason to believe’ that its customer systems or data had been compromised.
It also claimed that some findings were ‘not attributable to Marriott’, while others ‘could not be validated’. It didn’t supply any specific examples of mitigations, but said that it would be ‘taking a closer look at and addressing Which?’s findings’.
Making it easy for hackers
EasyJet – which earlier this year had a data breach affecting around nine million customers – was found to have 222 vulnerabilities across nine of its domains.
The vulnerabilities included two critical flaws, with one so serious that, if exploited, an attacker could hijack someone’s browsing session. This could open up opportunities to steal private data.
In response to our research, easyJet took three domains offline and resolved the disclosed vulnerabilities on the other six sites.
A spokesperson said that none of these subdomains were linked to easyJet.com, and it has seen ‘no evidence of any malicious activity on these sites and none store any customer passwords, credit card details or passport information’.
To fly. To serve. To get hacked?
Cybercriminals walked off with the names, email addresses and credit card details of around 500,000 customers when British Airways got hacked in 2019. Alongside a proposed fine of £183m, the ICO criticised BA’s poor security measures at the time.
We found 115 potential vulnerabilities on British Airways’ websites, including 12 that were judged to be critical. Most of the flaws were software and applications that appeared to have not been updated, making them potentially vulnerable to being targeted by hackers.
When we contacted BA, it did not indicate if it was taking any action to resolve the issues we had identified.
A spokesperson told us: ‘We take the protection of our customers’ data very seriously and are continuing to invest heavily in cybersecurity. We have multiple layers of protection in place and are satisfied that we have the right controls to mitigate vulnerabilities identified.’
American Airlines says ‘nothing to see here’
Another airline, American Airlines, hasn’t yet had a high-profile data breach, but we found 291 potential vulnerabilities across its websites, with seven critical and 30 high-impact.
Most of the more problematic sites appeared to be used internally by American Airlines staff, but Which? did find a high-impact vulnerability on a website for American Airlines’ credit card business.
An attacker would need to steal a login password for this site, but if they did they could potentially tamper with the content or computer systems used to run the website.
American Airlines did not respond to any specific aspects of our research, but said: ‘[We] use a combination of internal and external cyber professionals to regularly identify and test the security of our systems and continue improving our capabilities.’
Lastminute launches investigation
When we assessed Lastminute.com’s 153 subdomains in June 2020, we found vulnerabilities with a spa break site and a ‘customised’ holiday site.
Our experts also found a critical vulnerability with one site that could enable an attacker to manipulate pages, access sensitive information such as session cookies – showing what you’ve clicked on – and to create fake login accounts.
Lastminute.com responded positively to our research and launched an investigation. Although it has taken some action, it also claimed that some of our results were false positives, while others were ‘mainly test sites containing no personal or sensitive data’.
Poor cybersecurity can have real consequences
Regardless of how small, any cybersecurity vulnerabilities must be taken seriously. Breached emails can be used for phishing attacks, stolen credit cards for fraudulent purchases and passport details for ID theft. Even your travel plans could be used to target you with a more sophisticated fraud.
And some stolen travel data is already available to buy on the dark web. In 2019, travel booking site Ixigo reported a breach that involved 18 million users. We found what was claimed to be 7.2GB of data on Ixigo customers available for $262 on a dark-web site, including full names, usernames, emails, passwords and some passport numbers.
Our research suggests that corners are being cut on cybersecurity, and that’s even by companies that have had a recent high profile data breach.
Rory Boland, editor of Which? Travel, said: ‘Our research suggests that Marriott, British Airways and easyJet have failed to learn lessons from previous data breaches and are leaving their customers exposed to opportunistic cybercriminals.
‘Travel companies must up their game and better protect their customers from cyber threats, otherwise the ICO must be prepared to step in with punitive action, including heavy fines that are actually enforced.
‘The government must also allow for opt-out collective redress when data breaches occur – so that companies that play fast and loose with people’s data can be held to account.’
Stay safe when booking holidays online
- Passwords – One of the services we tested enabled us to set the trivially easy-to-guess account password, ‘password’. Don’t do this even if you can, and instead always set strong passwords for your accounts.
- Password manager – As the best password managers can be used for free, there’s no reason not to use one. Many services now alert you if your passwords have been compromised, so you can change them.
- Credit card details – Don’t save your credit card details on a site if you aren’t going to use the service regularly. Although it’s a faff to resubmit them, that’s better than having your financial information unnecessarily stored in a database that could be compromised.
- Guest checkout – Similarly to the above, just check out as a guest if you aren’t going to use the service that often. Only create an account if you really need to.
- Two factor authentication (2FA) – If available, 2FA (also known as multi-factor authentication) is worth activating to increase security, particularly if your account holds your financial information. Try searching the site for 2FA or MFA.