Travel firms ‘failed to learn lessons’ from cyberattacks, Which? report claims

11 September 2020, 00:04

Picture: Passengers at Heathrow Airport’s Terminal 5, Mon Jul 27, 2020 (PA)

An investigation by the consumer group claims firms such as Marriott, British Airways and easyJet have hundreds of flaws in their sites.

Travel firms have failed to secure their websites from hackers despite previous cyberattacks, consumer group Which? has claimed in a new report.

It says its own investigation found vulnerabilities in websites linked to Marriott, British Airways and easyJet, each of which has previously been the subject of high-profile data breaches.

This research found hundreds of flaws on sites linked to the three companies, Which? says, as well as on some domains linked to American Airlines and Lastminute.com.

The consumer group said it had looked at the security of websites operated by 98 travel companies – including airlines, tour operators, hotel chains and booking sites – examining cybersecurity not just on their main websites, but also on related sites, including promotional sites, spin-off businesses and employee log-in portals.

According to the research, almost 500 issues were found on sites linked to Marriott, with more than 100 judged to be high-risk or critical by Which?

Marriott was hit by a major data breach in 2018, when it admitted the guest records of 339 million customers had been accessed, an incident for which it was fined £99 million by the Information Commissioner’s Office (ICO).

In May this year, the company said the details of as many as 5.2 million customers may also have been accessed in a second breach.

Elsewhere, 115 vulnerabilities were found on websites linked to British Airways, including 12 which were identified as critical.

BA was issued with a record £183 million fine last year by the ICO after hackers gained access to the personal data, including payment information, of about half a million customers.

The investigation said it also found issues on sites linked to easyJet, which confirmed its own data breach earlier this year, affecting nine million customers, more than 2,000 of whom had credit card details exposed.

Which? said it identified 222 vulnerabilities on easyJet sites, including two critical flaws.

Rory Boland, editor of Which? Travel, said Marriott, British Airways and easyJet had “failed to learn lessons from previous data breaches” and were leaving customers exposed to cybercriminals.

“Travel companies must up their game and better protect their customers from cyber threats, otherwise the ICO must be prepared to step in with punitive action, including heavy fines that are actually enforced,” he said.

“The Government must also allow for an opt-out collective redress regime that deals with mass data breaches – so that companies that play fast and loose with people’s data can be held to account.”

Responding to the investigation, easyJet said it had taken action on nine web domains flagged to it.

“EasyJet always takes the security of our systems and the protection of our customer and employees’ data very seriously, complying with relevant legislation,” the company said.

“Like many companies, easyJet has a number of subdomains which provide a range of functions, including test sites not in use by customers, resources for staff, and sites to provide additional services and information for customers such as our digital inflight magazine or our bistro menu.

“As soon as potential vulnerabilities on nine subdomains were brought to our attention, we investigated this in addition to our regular security reviewing processes, and of those, three have been removed as were expired sites, potential vulnerabilities on one active site have been resolved, and we will be resolving the potential vulnerabilities for the remaining five subdomains in the coming days.

“These subdomains are in no way linked to our core website and we have seen no evidence of any malicious activity on these sites, and none store any customer passwords, credit card details or passport information.

“We had already started a full review of all domains using a risk-based approach.

“This would have identified and resolved these potential issues, however we are pleased we have been able to bring this forward.

“All companies have to be vigilant to defend against criminal cyber activity and we will continue to constantly review and strengthen our systems.”

In its own response, British Airways said it was “satisfied” it had systems in place to mitigate the issues raised by the Which? investigation.

“We take the protection of our customers’ data very seriously and are continuing to invest heavily in cybersecurity,” the airline said.

“We have multiple layers of protection in place and are satisfied that we have the right controls to mitigate vulnerabilities identified. These controls are often not detected in crude external scans.”

Marriott said it had “embedded oversight and governance of its security and privacy programme at the highest level of its business” and continued to enhance its security and conduct regular tests of its systems.

“Marriott has conducted a preliminary review of Which?’s findings after Which? provided them to Marriott. At this stage, there is no reason to believe that the findings impact Marriott’s customer systems or data,” a company statement said.

“Marriott also notes that some of the findings are not attributable to Marriott, other findings could not be validated, others have already been addressed through compensating controls, and many of the findings relate to Marriott’s development environment – which contains limited applications and is not connected to Marriott’s customer systems or data.

“As it does with other security researchers, Marriott is taking a closer look at and addressing Which?’s findings, and would welcome a further dialogue with Which?’s technical experts at their earliest convenience.”

In its own response, Lastminute.com said it took a “robust risk-based approach” to its security structures and was “grateful” for the investigation’s research.

However, the company argued the examples highlighted by Which? were “mainly test sites containing no personal or sensitive data”.

American Airlines said it “recognises the importance of cybersecurity” and uses a range of tools to keep customers’ data safe.

It added it uses a “combination of internal and external cyber professionals to regularly identify and test the security of our systems and continue improving our capabilities”.

By Press Association
