Hats off to Which? magazine, we say, for doing some old-school journalism and testing whether companies' promises on GDPR and customer data security are actually being kept. There is a big issue here for companies, as insurers may decline to settle a cyber claim if it turns out the company's online systems were too vulnerable to attack and the rules agreed with the insurer were NOT being followed.
A Which? investigation has exposed hundreds of serious data security vulnerabilities on the websites of travel firms including Marriott, British Airways and easyJet – suggesting the travel giants have failed to learn lessons from previous high-profile hacks that saw millions of customer details compromised.
Travel companies hold a significant amount of sensitive customer information that can be exploited by criminals, including payment card details, passport information that can be used for ID theft, emails that can be used for phishing attacks and itineraries that can be used for more sophisticated fraud.
Marriott and British Airways have already been issued with proposed, but not yet enforced, fines collectively reaching hundreds of millions of pounds – however the consumer champion found that some travel companies were still failing to protect their users.
In June 2020, Which? assessed the security of websites operated by 98 travel companies, including airlines, tour operators, hotel chains, cruise lines and booking sites. Experts did not just look at the main website of each firm, but related domains and subdomains too – including promotional sites, spin-off businesses or employee login portals.
The investigation found that hotel chain Marriott not only had the most vulnerabilities on its websites but also the most critical issues. Researchers found almost 500 in total and more than 100 of these were judged as ‘high’ or ‘critical’.
Of the 18 critical issues exposed, three were found on a single website of one of its hotel chains – where errors in the software used to run the website could allow an attacker to target the site’s users and their data.
These types of vulnerabilities can give hackers a backdoor into the system from which to mount a range of attacks, and that's why even seemingly small vulnerabilities can end up becoming big problems.
These findings suggest that Marriott has not made sufficient progress since a data breach in 2018, when it reported that the records of 339 million of its guests had been maliciously accessed. It led to a proposed fine for the firm of around £100 million by the Information Commissioner's Office (ICO). The hotel chain suffered a further data breach in May 2020 involving a reported 5.2 million guests.
Which? found 115 potential vulnerabilities on British Airways' websites, including 12 that were judged to be critical. Most of the flaws involved software and applications that appeared not to have been updated, making them potentially vulnerable to being targeted by hackers.
Previously, cybercriminals walked off with the names, email addresses and credit card details of around 500,000 customers when British Airways got hacked in 2019. Alongside a proposed fine of £183 million, the ICO criticised BA's poor security measures at the time.
EasyJet – which earlier this year had a data breach affecting around nine million customers – had 222 vulnerabilities across nine of its domains uncovered by Which?’s security experts. This included two critical vulnerabilities, with one so serious that an attacker could use it to hijack someone’s browsing session, potentially revealing private data.
In response to Which?’s research, easyJet took three domains offline and resolved the disclosed vulnerabilities on the other six sites.
American Airlines hasn’t yet had a high-profile data breach, but Which? found 291 potential vulnerabilities across its websites, with seven critical and 30 high-impact. Most of the more problematic sites appeared to be used internally by American Airlines staff, but Which? did find a high-impact vulnerability on a website for American Airlines’ credit card business. An attacker would need to steal a login password for this site, but if they did they could potentially tamper with the content or computer systems used to run the website.
When Which? assessed Lastminute.com’s 153 subdomains, it found vulnerabilities with a spa break site and a ‘customised’ holiday site. Which? also found a critical vulnerability that could enable an attacker to manipulate pages, access sensitive information such as session cookies – showing what a person has clicked on – and to create fake login accounts.
It is vital that these poor-performing travel websites vastly improve when it comes to protecting their customers from data breaches, as Which?’s investigation suggests that some are currently failing miserably.
Businesses must ensure that they have good practices in place – including improved customer security protections, keeping systems updated, responding to reports of weaknesses in their data security and effective communication when a breach has occurred.
The fines to Marriott and British Airways proposed by the ICO have not yet been enforced, and Which? believes the ICO must continue to take action, including by issuing and actually enforcing fines, against sites that fail to protect consumers' data.
Which? also wants the government to implement provisions in the GDPR to allow not-for-profit organisations to bring collective redress action on behalf of consumers for breaches of data protection rules without their specific authorisation. This would help to support and enforce the rights of consumers and create further incentives for businesses to improve their processes.
Rory Boland, Editor of Which? Travel, said:
“Our research suggests that Marriott, British Airways and easyJet have failed to learn lessons from previous data breaches and are leaving their customers exposed to opportunistic cybercriminals.
“Travel companies must up their game and better protect their customers from cyber threats, otherwise the ICO must be prepared to step in with punitive action, including heavy fines that are actually enforced.
“The government must also allow for an opt-out collective redress regime that deals with mass data breaches – so that companies that play fast and loose with people’s data can be held to account.”
Which? advice to consumers on protecting their data
Passwords – One of the services Which? tested enabled it to set the trivially easy-to-guess account password, ‘password’. Always set strong passwords for your accounts: https://computing.which.co.uk/hc/en-gb/articles/360000818025-How-to-create-secure-passwords
Password manager – Many services now alert you if your passwords have been compromised. As services such as LastPass and Dashlane can be used for free, there's no reason not to use a password manager.
Credit card details – Don’t save your credit card details if you aren’t going to use the service regularly. Although it’s a faff to resubmit them, that’s better than having your financial information unnecessarily stored in a database that could be compromised.
Guest checkout – Similarly to the above, just check out as a guest if you aren't going to use the service that often. Only create an account if you really need to.
Two factor/multi-factor authentication (2FA/MFA) – None of the highlighted services Which? tested offered this, but 2FA/MFA is worth activating to increase security if it is available, particularly if your account holds your financial information.