A new investigation from the consumer advocacy organization Which? has uncovered hundreds of critical security vulnerabilities on the websites of popular airlines, hospitality chains, and travel companies. In June 2020, Which? researchers and security experts from 6point6 evaluated the security of the websites of 98 companies in the travel industry, including cruise lines and booking sites. The researchers found that Marriott, British Airways, and easyJet were among the top five companies with the most security vulnerabilities. These three firms had already suffered data breaches, which resulted in hundreds of millions in fines from data regulators.
A Century of Vulnerabilities
The researchers found 497 flaws on Marriott-owned websites, of which 96 were deemed high severity and 18 were ranked critical. “Three critical vulnerabilities were found on a single website of one of Marriott’s hotel chains, involving errors in the software used to run the website potentially allowing an attacker to target the site’s users and their data,” Which? said.
European airline easyJet, which recently suffered a data breach that compromised details of 9 million customers, was found to have 222 vulnerabilities across nine of its websites. If exploited, these flaws could let attackers hijack users’ browsing sessions. EasyJet took down three domains and fixed the vulnerabilities on the other six websites. “None of these subdomains were linked to easyJet.com, and it has seen no evidence of any malicious activity on these sites and none store any customer passwords, credit card details or passport information,” EasyJet’s spokesperson said.
The researchers also discovered 115 vulnerabilities on British Airways’ websites, of which 12 were found to be critical. “We take the protection of our customers’ data very seriously and are continuing to invest heavily in cybersecurity. We have multiple layers of protection in place and are satisfied that we have the right controls to mitigate vulnerabilities identified,” said a British Airways spokesperson.
American Airlines has over 291 potential vulnerabilities across its websites, with seven critical and 30 high-severity flaws. “We use a combination of internal and external cyber professionals to regularly identify and test the security of our systems and continue improving our capabilities,” American Airlines responded.
Critical vulnerabilities were also found across Lastminute.com’s 153 subdomains; these could allow an attacker to manipulate pages, access sensitive information such as session cookies and browsing history, and create fake login accounts.
Irrespective of their severity, security vulnerabilities could cause severe damage to an organization’s security infrastructure. Attackers can exploit these flaws to their advantage. Organizations in the travel industry must step up their cybersecurity measures to protect their customers from cyberattacks. If not, they should be ready to face punitive action or hefty fines from data regulators.