Despite falling victim to serious data breaches and being issued multimillion-pound fines, British Airways and Marriott International have apparently failed to learn any cyber security lessons, and their websites are littered with hundreds of easily exploitable vulnerabilities, according to an extensive investigation into the security of the travel industry conducted by consumer advocacy group Which?.
Which? probed the systems of 98 travel firms, including the likes of easyJet and Lastminute.com, and claims to have found thousands of data security vulnerabilities that could make it laughably easy for cyber criminals to access traveller data such as payment card details, passport information, email addresses and itineraries.
Marriott International was found to have the most vulnerabilities, 500 in total, 100 of them judged high or critical, while British Airways’s websites had 115 potential vulnerabilities, 12 of them critical, most related to unpatched software and applications.
EasyJet, which earlier in 2020 lost the data of nine million customers, was found to have 222 vulnerabilities across nine domains, including one vulnerability that could allow a hacker to hijack customer browsing sessions. Lastminute.com’s website contained a critical vulnerability that could have allowed attackers to manipulate pages, access user session cookies, and create fake accounts.
Rory Boland, editor of Which? Travel, said: “Our research suggests that Marriott, British Airways and easyJet have failed to learn lessons from previous data breaches and are leaving their customers exposed to opportunistic cyber criminals.
“Travel companies must up their game and better protect their customers from cyber threats, otherwise the ICO [Information Commissioner’s Office] must be prepared to step in with punitive action, including heavy fines that are actually enforced.
“The government must also allow for an opt-out collective redress regime that deals with mass data breaches – so that companies that play fast and loose with people’s data can be held to account.”
Responses to Which?’s findings
A Marriott spokesperson said the firm welcomed the input and had already conducted an extensive preliminary review of Which?’s findings.
“At this stage, there is no reason to believe that the findings impact Marriott’s customer systems or data,” they said.
“Marriott also notes that some of the findings are not attributable to Marriott, other findings could not be validated, others have already been addressed through compensating controls, and many of the findings relate to Marriott’s development environment – which contains limited applications and is not connected to Marriott’s customer systems or data.”
A British Airways spokesperson branded the Which? investigation a series of “crude external scans” that had apparently failed to detect its internal controls.
“We take the protection of our customers’ data very seriously and are continuing to invest heavily in cyber security. We have multiple layers of protection in place and are satisfied that we have the right controls to mitigate vulnerabilities identified,” said the airline.
An easyJet spokesperson said: “EasyJet always takes the security of our systems and the protection of our customer and employees’ data very seriously, complying with relevant legislation.”
The airline said a number of the subdomains probed by Which? related to internal, non-public-facing functions that were not linked to its core website, and insisted there was no evidence of any malicious activity on them.
Nevertheless, easyJet said it was now “pleased” to bring forward a full review of all its domains, although it did not say why it had not done this sooner.
Lastminute.com’s spokesperson claimed that Which?’s investigation had actually flagged a lot of false positives which it believed were either low risk or no risk at all.
The firm said: “Our customers entrust us with their personal and sometimes sensitive data, so it is important that we have a robust and clear information security strategy that ensures that we do all we can to secure it in line with GDPR [General Data Protection Regulation] and local government guidance.
“We take a robust risk-based approach in our security posture – it’s something we take incredibly seriously – and we regularly conduct risk assessments to categorise priorities with careful consideration, which means people, process and technology that process, transmit or store personal or sensitive data are our highest priority.”
Rob Masson, CEO of the DPO Centre – a supplier of data protection services – said it was likely that Which?’s tests had not accounted for some behind-the-scenes tools in use at the organisations tested, which would have blocked attempts to exploit many of the vulnerabilities uncovered.
Nevertheless, he said, those organisations named must balance the risks associated with lower impact vulnerabilities with the negative effects on the customer experience that implementing the tightest possible security measures would entail.
“While all of these companies mention in their statements that ‘we take the security of our systems seriously’, it perhaps is more a case of ‘…but we also balance this with customer experience and commercial imperatives’,” he said.
“That is not to say that these findings should be in any way ignored, as more can and should always be done, and given the track record of these particular organisations in respect of their protection of our personal data, they must now set higher standards to win back customer trust, loyalty and engagement,” said Masson.
Which? said it was vital that “poor-performing” websites took steps to improve their security postures and accused them of “failing miserably” to protect their customers from data breaches.
It called on the ICO to press ahead with the issuing and enforcement of its fines on BA and Marriott, and urged the government to implement provisions under Article 80(2) of the GDPR to allow non-profits to bring collective redress action on behalf of victims.