The list of the biggest data breaches of the past five years is populated with no shortage of representatives from the travel and hospitality industries: Marriott, British Airways, Cathay Pacific, Hyatt, MGM Resorts, Carnival Cruise and easyJet just to name a few of the bigger incidents. In spite of this, a recent Which? study found that the travel industry is still rife with security holes.
The magazine’s cyber security specialists investigated 98 of the travel industry’s biggest names and found that most had substantial vulnerabilities, and some of the worst offenders are those that have already been stung by major data breaches.
Serious cybersecurity problems in the travel industry
The headline finding of the Which? investigation is that three companies that have already suffered huge data breaches, British Airways, easyJet and Marriott, are among the five with the largest number of vulnerabilities. Between them these three organizations have already leaked hundreds of millions of customer records and face the prospect of hundreds of millions of dollars in fines.
The assessment took place in June of this year. Among the previously breached companies, Marriott was the worst offender with 497 total vulnerabilities identified, 100 of which Which? ranked as “critical” or “high.” Marriott was already coming off a 2018 data breach in which intruders obtained the records of 339 million guests, and a follow-up breach disclosed in March 2020 added a further 5.2 million guest records to the total.
easyJet was found to have 222 total vulnerabilities across nine of its domains. Which? reports one particularly serious flaw that could allow an attacker to hijack customer browsing sessions and thereby intercept payment and personal information. easyJet had confirmed in May that it had been breached and that the records of 9 million customers were exposed.
British Airways was found to have 115 potential vulnerabilities across its domains, 12 of which were rated as “critical.” Which? said that the majority of these were linked to software and applications that had not been updated. British Airways was breached in 2018, losing the records of about half a million customers, and in 2019 the ICO announced a proposed fine of £183m as a result.
Some other big names in the travel industry that have not yet suffered a major data breach appear to be heading for one. Which? found that American Airlines had 291 vulnerabilities across its domains, seven of them identified as “critical.” The UK booking site Lastminute had a number of vulnerabilities, including a critical one that could allow an attacker to hijack user session cookies.
Which? reported a mixed level of engagement from these companies. Some, such as easyJet, responded to the news by taking several domains offline and directly addressing the reported vulnerabilities. Others, such as Marriott and American Airlines, downplayed the findings and did not commit to any specific response other than a general review.
Which?’s methodology reportedly did not involve any advanced hacking or anything that might cross the line into a violation of the law; the vulnerabilities were found with everyday scanning tools that are available to the general public. The magazine did not disclose exactly which tools it used or many specifics about the vulnerabilities, so as to protect the affected websites from exploitation. It is a safe bet, though, that cybercriminals have equal access to these tools and regularly use them to find critical vulnerabilities, and unlike Which? they do not limit themselves to methods that stay within the law.
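Which? did not say what the session-hijacking flaws at easyJet and Lastminute actually were, so the following is an added example of one common class of weakness that publicly available scanners of the kind described above do flag: session cookies set without the Secure, HttpOnly and SameSite attributes. It is not code from Which? or from any of the companies named, the HTTP response headers are constructed for the example, and the rule for deciding which cookies "look like" session cookies is a heuristic chosen here.

```python
"""Audit Set-Cookie headers for attributes that limit session hijacking.

Added example, not from the Which? investigation or any named company.
The specific flaws Which? found were not published; this checks one common
class of weakness that ordinary public scanners report.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Heuristic (an assumption of this example): cookie names that usually carry
# a session or authentication token.
SESSION_NAME_HINT = re.compile(r"sess|sid|auth|token|login", re.IGNORECASE)


@dataclass
class CookieAudit:
    name: str
    attributes: dict          # lowercase attribute name -> value ("" for flags)
    findings: list = field(default_factory=list)

    @property
    def looks_like_session(self) -> bool:
        # A session-like name, or no lifetime at all (a browser-session cookie).
        has_lifetime = any(k in self.attributes for k in ("expires", "max-age"))
        return bool(SESSION_NAME_HINT.search(self.name)) or not has_lifetime


def parse_set_cookie(header: str) -> CookieAudit:
    """Split 'name=value; Attr; Attr=value' into a name and attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return CookieAudit(name=name.strip(), attributes=attrs)


def audit_cookie(header: str) -> CookieAudit:
    """Record the hardening attributes a cookie is missing."""
    cookie = parse_set_cookie(header)
    attrs = cookie.attributes
    if "secure" not in attrs:
        cookie.findings.append("missing Secure: sent over plaintext HTTP, can be sniffed")
    if "httponly" not in attrs:
        cookie.findings.append("missing HttpOnly: readable by injected script (XSS)")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        cookie.findings.append("missing SameSite: attached to cross-site requests (CSRF)")
    elif samesite == "none" and "secure" not in attrs:
        cookie.findings.append("SameSite=None without Secure: rejected by modern browsers")
    return cookie


def audit_response(headers: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Return {cookie name: findings} for session-like cookies with any finding."""
    report = {}
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        cookie = audit_cookie(value)
        if cookie.looks_like_session and cookie.findings:
            report[cookie.name] = cookie.findings
    return report


# Constructed sample response headers; not captured from any real site.
SAMPLE_RESPONSE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/"),                                  # no flags at all
    ("Set-Cookie", "csrftoken=xyz; Path=/; Secure; HttpOnly; SameSite=Strict"),  # hardened
    ("Set-Cookie", "auth_token=t0k3n; Path=/; Secure; SameSite=None"),           # lacks HttpOnly
    ("Set-Cookie", "lang=en; Path=/; Max-Age=31536000"),                         # preference, not session
]

if __name__ == "__main__":
    for name, findings in audit_response(SAMPLE_RESPONSE_HEADERS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

On the constructed sample the report names `JSESSIONID` (three findings) and `auth_token` (one), skips the fully hardened `csrftoken`, and ignores the long-lived `lang` preference cookie even though it has no flags, because the heuristic only reports cookies that look like they carry a session. A real scan would fetch the headers over HTTPS from each in-scope domain and, as Which? did, report only to the site owner.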
What can the travel industry do to improve?
Javvad Malik, security awareness advocate at KnowBe4, reflects on how the travel industry may simply not be keeping pace with changing times and the measures needed to prevent data breaches: “Over the past decade, we’ve seen the travel and hospitality industry change significantly. The customer experience has changed from brochures and face-to-face bookings, to being able to search thousands of flights and hotels with a simple search on their phone. This experience has brought about many benefits to the customer, but it has introduced several layers of digital complexity for hotels and airlines. Complexity is among the biggest of hurdles to an effective security strategy.”
The pattern is familiar elsewhere in the sector. While casinos are renowned for their physical brick-and-mortar security, the industry has struggled to keep up on the cybersecurity front; some observers attribute that to “old school” ownership and senior executives who are simply not accustomed to thinking about online forms of malicious activity such as data breaches.
Which? is encouraging customers of the travel industry to be extra cautious when dealing with hotels, resorts, airlines and other forms of transport. The magazine’s cyber security specialists advise unique and strong passwords for each travel account, the use of two-factor authentication (2FA) whenever it is available, not creating website accounts (checking out as a “guest” instead) when it is not necessary, and not allowing these sites to save credit card details. For those who need to travel frequently, a good password manager may be helpful in securely juggling a number of different travel industry accounts.
It is also wise to keep an eye on “loyalty account” point balances, as hackers have recently begun to focus on these as they provide an easy means to anonymously purchase gift cards that can quickly be sold or used while remaining difficult to track.