Travel firms have left themselves exposed by failing to learn the lessons of previous high-profile attacks, which saw millions of customer details compromised.
This past week the Marriott, easyJet and British Airways websites made data breach news when a new assessment of website security at close to a hundred travel companies, including airlines, hotel chains and booking sites, found them to have hundreds of serious data security vulnerabilities.
In 2019, both British Airways and Marriott International were informed of impending multi-million-pound fines as a direct result of major UK privacy breach probes. The Information Commissioner’s Office (ICO) proposed a £183 million fine for the airline for breaches of the EU General Data Protection Regulation (GDPR), while the hotel group faced a proposed fine of £99m as a direct result of poor security practices that led to customers’ data being exposed. The GDPR fines have yet to be finalised.
An investigation carried out by Which? in June 2020 suggested that the serious data security vulnerabilities were a direct result of the travel companies’ failure to learn from previous hacks that saw millions of customer details compromised; it also highlighted the five travel companies that were worst at protecting their users.
Marriott was found to be the worst, with the most critical issues as well as the most vulnerabilities on its websites. Of the 500 issues discovered in total, 100 were classed as critical. Three of those critical issues were found on a single website of the hotel chain, where errors in the operating software allowed attackers to target users and their data.
Consumer organisation Which? suggests the findings indicate that Marriott had not made sufficient progress since its 2018 data breach, in which the records of 339m guests were maliciously accessed. In May 2020 the hotel chain was yet again the victim of a breach, this time affecting the details of a further 5.2m guests.
Although other travel companies such as American Airlines have not had a high-profile breach, the airline was found to have close to 300 potential vulnerabilities across multiple websites, the second-highest number in the ongoing probe. Although the vulnerable areas were among the internal sites used by staff, a high-impact vulnerability was located on its credit card business site.
Travel companies have since been warned to raise their standards and better protect their customers from serious data breaches, lest the ICO step in and enforce heavy fines. Companies that are careless with people’s data are to be held accountable, following a push for the government to allow an opt-out redress regime to deal with mass data breaches.
British Airways was found to have 115 vulnerabilities on its websites, mainly relating to software and application updates, leaving them open to hackers. When British Airways was hacked in 2019, cybercriminals walked away with an estimated 500,000 customers’ contact and credit card details.
EasyJet suffered a breach in early 2020 that affected 9m customers, and was found to have a further 222 vulnerabilities across 9 domains, including a critical issue that could allow hackers to access customers’ browsing sessions. In response, easyJet removed three domains and resolved the remaining website issues.