American Airlines, British Airways, easyJet, lastminute.com and Marriott feature
Research uncovers serious data security vulnerabilities on travel websites
Serious data security vulnerabilities have been uncovered on the websites of firms including American Airlines, British Airways, easyJet, lastminute.com and Marriott, new research reveals.
The study suggests that travel companies have failed to learn lessons from previous high-profile hacks in which millions of customer details were compromised.
It is based on a new assessment, carried out in June by the consumer group Which?, of the security of websites operated by 98 travel businesses, including airlines, operators, hotel chains, cruise lines and booking sites.
Marriott and BA have already been issued with proposed, but not yet enforced, fines collectively reaching hundreds of millions of pounds.
But Which? found that some travel companies were still failing to protect their users.
Experts did not just look at the main website of each firm, but related domains and subdomains – including promotional sites, spin-off businesses or employee log-in portals.
Which? said it found 115 potential vulnerabilities on BA’s websites, including 12 that were judged to be critical.
Most of the flaws involved software and applications that appeared not to have been updated, leaving them potentially exposed to being targeted by hackers.
EasyJet – which suffered a data breach affecting around nine million customers earlier in the year – had 222 vulnerabilities across nine of its domains uncovered by Which?’s security experts.
This included two critical vulnerabilities, with one so serious that an attacker could use it to hijack someone’s browsing session, potentially revealing private data.
EasyJet responded by taking three domains offline and resolved the disclosed vulnerabilities on the other six sites.
An assessment of Lastminute.com’s 153 subdomains by Which? found vulnerabilities on a spa break site and a ‘customised’ holiday site.
A “critical vulnerability” was also found that could enable an attacker to manipulate pages, access sensitive information such as session cookies – showing what a person has clicked on – and to create fake login accounts, the consumer group claimed.
American Airlines has not yet had a high-profile data breach, but Which? found 291 potential vulnerabilities across its websites, seven of them critical and 30 high-impact. Most of the more problematic sites appeared to be used internally by the airline’s staff, but a “high-impact vulnerability” was found on a website for American Airlines’ credit card business.
Which? Travel editor Rory Boland said: “Our research suggests that Marriott, British Airways and easyJet have failed to learn lessons from previous data breaches and are leaving their customers exposed to opportunistic cybercriminals.
“Travel companies must up their game and better protect their customers from cyber threats, otherwise the ICO [Information Commissioner’s Office] must be prepared to step in with punitive action, including heavy fines that are actually enforced.
“The government must also allow for an opt-out collective redress regime that deals with mass data breaches – so that companies that play fast and loose with people’s data can be held to account.”
EasyJet said in response: “As soon as potential vulnerabilities on nine subdomains were brought to our attention, we investigated this in addition to our regular security reviewing processes and of those, three have been removed as were expired sites, potential vulnerabilities on one active site have been resolved and we will be resolving the potential vulnerabilities for the remaining five subdomains in the coming days.
“These subdomains are in no way linked to our core website and we have seen no evidence of any malicious activity on these sites and none store any customer passwords, credit card details or passport information.”
BA said: “We take the protection of our customers’ data very seriously and are continuing to invest heavily in cyber security.
“We have multiple layers of protection in place and are satisfied that we have the right controls to mitigate vulnerabilities identified. These controls are often not detected in crude external scans.”
An American Airlines spokesperson said: “American Airlines recognises the importance of cyber security and uses a variety of techniques and tools to keep our customers’ information and our corporate data safe.
“We have security monitoring systems in place and continue to deploy new technology to improve visibility and prevent attacks.
“American uses a combination of internal and external cyber professionals to regularly identify and test the security of our systems and continue improving our capabilities.”
Lastminute.com said: “We take a robust risk-based approach in our security posture – it’s something we take incredibly seriously – we regularly conduct risk assessments to categorise priorities with careful consideration. Which means people, process and technology that process, transmit or store personal or sensitive data is our highest priority.
“This is an area that we work on constantly as environments change and situations arise, such as the Covid-19 which has meant workforces like ours have adapted to remote working, processes and security is always at the forefront of everything we do.”
Marriott told Which? that it has “embedded oversight and governance of its security and privacy programs at the highest levels of its business, and continues to enhance its security posture to adapt to a dynamic risk landscape”.
A spokesperson said: “At this stage, there is no reason to believe that the findings impact Marriott’s customer systems or data.
“Marriott also notes that some of the findings are not attributable to Marriott, other findings could not be validated, others have already been addressed through compensating controls, and many of the findings relate to Marriott’s development environment – which contains limited applications and is not connected to Marriott’s customer systems or data.
“As it does with other security researchers, Marriott is taking a closer look at and addressing Which?’s findings, and would welcome a further dialogue with Which?’s technical experts at their earliest convenience.”