Marriot Hotels, British Airways, easyJet: travel firms failing to protect customers' data

Site vulnerabilities are exposing customers to the risk of identity fraud, according to a new study.

A new investigation has suggested that all sorts of different travel firms are failing to meet their obligations when it comes to protecting user data.

Which? partnered with security experts 6point6 to run the rule over the security of the websites operated by 98 different travel firms, from airlines to hotel chains, looking not only at the main websites of each but also related domains and subdomains too.

These could include things like promotional sites, spin-off businesses and employee portal logins.

And it graded any potential issues it found, from low to medium to high to critical.

The travel firm with the most alarming results was Marriots Hotels, with a whopping 497 total vulnerabilities identified, significantly more than any other business assessed.

It’s not just the total number of vulnerabilities, but the threat posed by them that’s a concern ‒ Marriot had the most critical vulnerabilities of any of the firms included in the investigation at 18, with a further 96 classed as high vulnerabilities.

Marriott’s issues with protecting customer data led to the firm being fined almost £100m last year by the Information Commissioner’s Office (ICO), after hackers were able to get their grubby mitts on the records of a whopping 339 millin guests.

It has been subject to another attack this year too.

According to Which, of the 18 critical issues exposed, three were found on the website of a single one of its hotel chains.

Flaws within the software used to run the site would expose the site’s users ‒ and their data ‒ in the event of an attack.

Here’s how the top five in this particular hall of shame look, according to Which?

Travel firm	Medium vulnerabilities	High vulnerabilities	Critical vulnerabilities	Total vulnerabilities
Marriott Hotels	347	96	18	497
American Airlines	232	30	7	291
lastminute.com	168	44	4	227
easyJet	158	39	2	222
British Airways	71	19	12	115

As you can see, despite only just making this bottom five, British Airways has a significant number of critical vulnerabilities.

Indeed almost a tenth of its issues are classed as critical, compared to those businesses above it which have more overall issues but far fewer which are categorised as being so serious.

According to the report, a significant number of the flaws with British Airways’ sites were down to software and applications not being updated.

As a result they are potentially vulnerable to being hit by hackers.

British Airways has had public issues with protecting customer data in the past, and was hit with a £183.39 million fine by the ICO in 2019 after it was found to have breached aspects of the General Data Protection Regulation (GDPR), having been the subject of a cyber attack the year before.

easyJet had the fewest critical vulnerabilities of these five firms, but it too has a chequered history when it comes to data breaches.

Just this year in fact it was on the receiving end of a cyber attack which saw the information of around nine million customers end up in criminal hands.

Which? said that one of the critical vulnerabilities it identified was so serious that a hacker could use it to hijack someone’s browsing session, potentially giving them access to that person’s private data.

Data theft risk (Image: Shutterstock)

A mixed response

It’s fair to say that the travel firms have reacted in rather a mixed way to the study from Which? and 6point6.

easyJet deserves some credit for example, as it responded to the study by taking three domains offline, and putting right the disclosed vulnerabilities on a further six sites.

As customers, I don’t think we can ask for much more than that.

Marriott also said that it was conducting its own review of the findings, and wanted to discuss the tests conducted with the reviewers to get further insights.

Others were rather more dismissive.

British Airways for example claimed that the protections it has in place are “often not detected in crude external scans”.

Raising the bar

It’s worth noting that while Marriott and British Airways have been the subject of proposed fines by the ICO, they haven’t actually happened yet.

And that lack of a real consequence for failing to protect the customers is not sending a great message about data protection really being taken seriously.

ICO clearly needs to continue to take action against firms of all shapes and sizes when they fail to protect our data adequately, and follow through on that action.

A slap on the wrist simply isn’t good enough.

What can we do?

But we have some power here too. For too many businesses data protection is a bit of a side concern, a box they have to tick.

They want to get it right of course, but more so that they don’t end up in the newspapers or in front of the ICO when it all goes wrong, rather than out of some deep seated desire to do right by their customers.

It’s only once we as customers actually demonstrate how seriously we take data protection that businesses will sit up and take notice.

And that means focusing our spending on firms that do go the extra mile in safeguarding our information, supporting the businesses that understand the importance of doing the right thing for its own sake, and not just to keep the regulators off their backs.

There are extra steps we can follow to protect our data when using all sorts of businesses, whether they are involved in travel or some other industry.

Setting proper passwords is perhaps the easiest ‒ one of the services Which? tested allowed it to set ‘password’ as its password, which is ridiculous.

Making use of a password manager, which alerts you if passwords have been compromised, is also a good idea.

It’s also not a good idea saving your credit card details with a service unless you are going to use it regularly, and relying on guest checkouts rather than setting up accounts with firms unless it is absolutely necessary.