UK Markets open in 7 hrs 12 mins

Security risks exposed at Marriott, British Airways, easyJet, American Airlines

Mhari Aurora
·3-min read
File photo dated 06/08/13 of a person using a laptop. Less than half of teachers believe their school has done enough to prevent cyber security problems, according to a survey.
File photo dated 06/08/13 of a person using a laptop. Less than half of teachers believe their school has done enough to prevent cyber security problems, according to a survey.

An investigation by Which? has revealed that hundreds of cyber security risks were found on numerous travel firms’ websites, potentially putting customers’ data at risk.

Security vulnerabilities were found on Marriott (MAR), easyJet (EZJ.L), British Airways (IAG.L), Lastminute.com (LMN.SW), and American Airlines (AAL) websites.

Out of the hundreds of vulnerabilities found on these companies’ websites, 18 were classed as ‘critical vulnerabilities’ on Marriott’s internet properties, and 12 were in the same category for the British Airways websites.

The number of critical vulnerabilities for American Airlines, Lastminute.com, and Easyjet was 7, 4 and 2, respectively.

Tablenotes: Tested in June 2020. Vulnerabilities identified by industry-standard methods. Total vulnerabilities include ‘low’ impact. Vulnerabilities may include ‘false positives’: domains not actually owned by the company, or risks fixed during engagement with the brands. Which? revised anything specifically refuted by the brands.
Tablenotes: Tested in June 2020. Vulnerabilities identified by industry-standard methods. Total vulnerabilities include ‘low’ impact. Vulnerabilities may include ‘false positives’: domains not actually owned by the company, or risks fixed during engagement with the brands. Which? revised anything specifically refuted by the brands.

These findings come after Marriott suffered two serious data breaches, one in 2018 when 339 million of its customers were affected, and another this year which affected 5.2 million customers. In May this year, EasyJet admitted that a "highly sophisticated cyber-attack" hit around nine million customers. Over 2,000 customers had their credit and debit card details "accessed" while a majority had their email addresses and travel details stolen.

The firm has informed the UK's Information Commissioner's Office while it investigates the breach.

Editor of Which? Travel, Rory Boland, said: “Our research suggests that Marriott, British Airways and easyJet have failed to learn lessons from previous data breaches and are leaving their customers exposed to opportunistic cybercriminals.

“Travel companies must up their game and better protect their customers from cyber threats, otherwise the ICO [Information Commissioner’s Office] must be prepared to step in with punitive action, including heavy fines that are actually enforced.”

Boland is calling for an opt-out scheme that deals with large-scale data breaches to make companies more accountable for the loss of their customers’ data.

READ MORE: Belarus tops European cyber-attacks chart registering 2 million in last month

Travel companies hold all manner of customer information, including passport details that can be used for identity fraud, email addresses that can be used for phishing scams, and payment card details.

The Which? investigation assessed the security of websites run by 98 travel companies, examining the main website as well as related domains and subdomains.

A spokesperson for Marriott said: “Marriott has conducted a preliminary review of Which?’s findings after Which? provided them to Marriott.

“At this stage, there is no reason to believe that the findings impact Marriott’s customer systems or data.”

easyJet said: “As soon as potential vulnerabilities on nine subdomains were brought to our attention, we investigated this in addition to our regular security reviewing processes and of those, three have been removed as were expired sites, potential vulnerabilities on one active site have been resolved and we will be resolving the potential vulnerabilities for the remaining five subdomains in the coming days.

“These subdomains are in no way linked to our core website and we have seen no evidence of any malicious activity on these sites and none store any customer passwords, credit card details or passport information.”

British Airways and easyJet have already announced thousands of job cuts since the COVID-19 crisis began, and the ever-changing quarantine list has caused confusion and frustration for holidaymakers, making consumer trust vital now more than ever.