According to an investigation done by Which?, travel agencies Marriott, British Airways, and EasyJet all failed to secure their websites after major data breaches have occurred. They tested 98 travel firms, and out of those 98 firms found that these companies were within the worst five companies that had security risks. Even though these companies have each had a travel data breach that affected millions of customers, they have still failed to fix these security issues on their websites.
What Did Which? Find
Which? looked into the 98 travel firms in June 2020, which included tour companies, airlines, hotel chains, cruise lines, and booking sites. They even looked into related domains and subdomains for each site, which included promotional sites and employee portals. They wanted to address each vulnerability for each site since any weak point in the website was an opportunity for hackers to access these sites.
There was no hacking onto these websites to test the security vulnerabilities for the sites, but instead, they used lawful methods to check these websites. These tools are made available to the public, where anyone can use them. If Which? was able to find vulnerabilities within these websites using lawful tools, this means that hackers can find even more vulnerabilities with these sites that we can’t even see.
What Happened During the Marriott, British Airways, and EasyJet Data Breaches?
In 2018, there was a Marriott data breach that affected 339 million customers as their information was stolen by hackers. Despite suffering this data breach, they suffered yet another one in May of 2020 that affected the information of 5.2 million guests.
A month after the May 2020 data breach, that’s when researchers at Which? found out about the hundreds of security vulnerabilities on Marriott’s sites. Even with two data breaches, the security on their websites still has not improved. They even found errors in the software that is used to run the website!
When they reported their findings to Marriott, they commented that “they had no reason to believe that their customer systems or data had been compromised.”
EasyJet had 222 vulnerabilities from all of its 9 domains. There were two major flaws in their security system, where if a hacker knew about one they could hack a customer’s browsing session. After finding this information out, EasyJet was able to take down three of their domains and fix these issues.
In 2016, British Airways suffered a data breach where 500,000 customers’ credit card information was stolen. As of June 2020, there were 115 vulnerabilities, with 12 deemed critical. The software and applications were not updated which caused the majority of the underlying security issues within British Airways.
American Airlines At Risk for a Travel Data Breach
There were 291 vulnerabilities at American Airlines that could lead to a possible data breach, 7 of which were critical and 30 high-impact. Although there haven’t been any data breaches as of yet, there still may be a high possibility of one in the future. The employee portal and the credit card portions of the site were showed to have a high rating of security vulnerabilities.
How to Protect Yourself From Travel Agency Data Breaches
- Don’t use the same passwords for everything. The hacker will be able to guess your email and password as your log-in information for other websites.
- Don’t store your card information on a travel website. If you store your card information on a travel site, the hackers will have easier access to it and will be able to steal it for their own needs.
- Check out as a guest if you don’t use the website often. This way, your information isn’t stored via an account on their website.
- Don’t use the same email you use for personal emails. The hackers can guess your email log-in based off of the email you used to make your purchase and can steal personal emails from your inbox.
Social Catfish is Here to Help You!
If you feel like you’ve been affected by a travel data breach, Social Catfish is here to help you! We can help you reverse search any name, email address, phone number, social media username, or image to see who it could be that compromised your information.