Travel firms have failed to secure their websites from hackers despite previous cyberattacks, consumer group Which? has claimed.
Websites linked to Marriott, British Airways and easyJet were found to be vulnerable by its investigation. Each of the sites has previously been the subject of high-profile data breaches.
The research found hundreds of flaws across sites linked to the three companies, Which? says, along with further issues on some domains linked to American Airlines and Lastminute.com.
The consumer group said it had assessed the security of websites operated by 98 travel companies – including airlines, tour operators, hotel chains and booking sites – examining not only their main websites but also related sites such as promotional sites, spin-off businesses and employee log-in portals.
Almost 500 issues were found on sites linked to Marriott, more than 100 of which Which? judged to be high-risk or critical. Marriott was hit by a major data breach in 2018, when it admitted the guest records of 339 million customers had been accessed, an incident for which the Information Commissioner’s Office (ICO) issued a notice of intent to fine it £99 million.
In May this year, the company said the details of as many as 5.2 million customers may also have been accessed in a second breach.
Elsewhere, 115 vulnerabilities were found on websites linked to British Airways, 12 of which were classed as critical. Last year the ICO announced a record £183 million proposed fine for BA after hackers gained access to the personal data of about half a million customers.
The investigation also found issues on sites linked to easyJet, which confirmed its own data breach earlier this year, affecting nine million customers, more than 2,000 of whom had credit card details exposed.
Which? said it identified 222 vulnerabilities on easyJet sites, including two critical flaws.
Rory Boland, editor of Which? Travel, said Marriott, British Airways and easyJet had “failed to learn lessons from previous data breaches” and were leaving customers exposed to cybercriminals.
“Travel companies must up their game and better protect their customers from cyber threats, otherwise the ICO must be prepared to step in with punitive action, including heavy fines that are actually enforced,” he said.
Responding to the investigation, easyJet said it had taken action on nine web domains flagged to it.
“EasyJet always takes the security of our systems and the protection of our customer and employees’ data very seriously, complying with relevant legislation,” the company said.
In its own response, British Airways said it was “satisfied” it had systems in place to mitigate the issues raised by the Which? investigation.
“We take the protection of our customers’ data very seriously and are continuing to invest heavily in cybersecurity,” the airline said. “We have multiple layers of protection in place and are satisfied that we have the right controls to mitigate vulnerabilities identified. These controls are often not detected in crude external scans.”
Marriott said it had “embedded oversight and governance of its security and privacy programme at the highest level of its business” and continued to enhance its security and conduct regular tests of its systems.
In its response, Lastminute.com said it took a “robust risk-based approach” to its security structures and was “grateful” for the investigation’s research.
However, the company argued the examples highlighted by Which? were “mainly test sites containing no personal or sensitive data”.
American Airlines said it “recognises the importance of cybersecurity” and uses a range of tools to keep customers’ data safe. It added it uses a “combination of internal and external cyber professionals to regularly identify and test the security of our systems and continue improving our capabilities”.