Marriott, British Airways, and EasyJet, which recently suffered humiliating data breaches due to poor security controls, have still not been able to plug hundreds of security vulnerabilities in their websites, a study by Which? has revealed.
Consumer advisory firm Which? revealed this week that it tested the websites, domains, and sub-domains of 98 travel firms and found that Marriott, British Airways, and EasyJet, which suffered large-scale data breaches in the recent past, still rank among the worst five companies with the most vulnerabilities identified in their websites and domains.
The findings of Which? are quite surprising considering that British Airways and Marriott have already faced regulatory fines and all three companies suffered major reputational damage due to the loss of the personal data of thousands of travellers and guests to hackers.
In July last year, the ICO decided to fine Marriott International almost £100 million for failing to prevent a massive data breach in 2018 that compromised approximately 383 million data records, of which around 30 million related to residents of 31 countries in the European Economic Area.
The massive breach suffered by Marriott involved hackers gaining access to the Starwood guest reservation database in 2014 and copying all information stored in the database until the intrusion was discovered.
The data breach impacted personal and financial information of millions of people who made bookings at Marriott International’s Starwood properties such as Sheraton Hotels & Resorts, Westin Hotels & Resorts, Le Méridien Hotels & Resorts, Four Points by Sheraton, St Regis, W Hotels, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, and Design Hotels.
In March this year, Marriott suffered another major breach that involved hackers accessing the personal information of approximately 5.2 million guests after stealing the login credentials of two employees at a franchise property.
Marriott confirmed that the data breach compromised sensitive information such as names, dates of birth, addresses, telephone numbers, and email addresses, along with loyalty account numbers, the names of guests’ employers, and the room stay preferences of approximately 5.2 million guests.
According to Which?, even after the second mega breach took place, it found as many as 497 security vulnerabilities in Marriott-run websites, including 18 critical and 96 high-impact vulnerabilities. One particular website featured three critical vulnerabilities that allowed hackers to target the site’s users and data.
British Airways, which is facing a £183.39 million fine from the ICO for failing to prevent a cyber incident in 2018 that compromised the personal and financial information of approximately 500,000 customers, also did not fare well as far as securing its websites and domains is concerned.
Which? found 115 potential vulnerabilities, including 12 critical ones, on British Airways’s websites, and most of these related to software and applications that had not been updated. “We take the protection of our customers’ data very seriously and are continuing to invest heavily in cybersecurity. We have multiple layers of protection in place and are satisfied that we have the right controls to mitigate vulnerabilities identified,” the airline said in response to the findings of Which?.
In July last year, security researchers also warned that the mode of communication employed by British Airways to share check-in information with passengers could expose the latter’s personal information to hackers if they manage to intercept such link requests.
“In an effort to streamline the user experience, passenger details are included in the URL parameters that direct the passenger from the email to the British Airways website where they are logged in automatically so they can view their itinerary and check-in for their flight. The passenger details included in the URL parameters are the booking reference and surname, both of which are exposed because the link is unencrypted.
“Therefore, someone snooping on the same public Wi-Fi network can easily intercept the link request, which includes the booking reference and surname and use these details to gain access to the passenger’s online itinerary in order to steal even more information or manipulate the booking information,” security firm Wandera warned.
The firm said it had observed that other major airlines, including Southwest, KLM, Air France, Jetstar, Thomas Cook, Vueling, Air Europa, and Transavia, used the same method to send check-in links to passengers via email without encrypting such links to prevent hackers from intercepting them via public Wi-Fi.
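As an added illustration (not code from Which?, Wandera, or any airline), the following Python check shows how a team sending check-in emails could audit an outgoing message for the pattern described above: links served over plain HTTP that carry a booking reference or surname in the URL. The parameter names, the `airline.example` domain, and the sample email are assumptions constructed for this example.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs

# Assumed (hypothetical) query parameter names that identify a passenger.
IDENTIFYING_PARAMS = {"bookingref", "pnr", "surname", "lastname"}
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)

def audit_links(body):
    """Return one finding per link found in an email body (HTML or text)."""
    findings = []
    # HTML emails encode '&' as '&amp;'; decode first so parameters split correctly.
    for raw in URL_RE.findall(html.unescape(body)):
        url = raw.rstrip(".,);")  # drop sentence punctuation glued to the link
        parts = urlsplit(url)
        names = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
        exposed = sorted(names & IDENTIFYING_PARAMS)
        cleartext = parts.scheme.lower() == "http"
        if cleartext and exposed:
            # The case described above: readable by anyone on the same network.
            verdict = "identifiers-in-cleartext"
        elif cleartext:
            verdict = "cleartext-link"
        elif exposed:
            # Encrypted in transit, but still kept in browser history and logs.
            verdict = "identifiers-in-url"
        else:
            verdict = "ok"
        findings.append({"host": parts.hostname, "verdict": verdict,
                         "exposed": exposed})
    return findings

# Constructed sample email body, not taken from any real airline message.
SAMPLE_EMAIL = """
<p>Your flight is open for check-in.</p>
<a href="http://checkin.airline.example/start?bookingRef=ABC123&amp;surname=Smith">Check in</a>
<a href="https://checkin.airline.example/start?bookingRef=ABC123&amp;surname=Smith">Check in</a>
<a href="http://www.airline.example/offers">Offers</a>
Manage your trip at https://www.airline.example/manage.
"""

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL):
        print(finding)
```

A check like this fits in the email template build or review step, so that a link of the first kind is caught before a message is sent.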
EasyJet, the popular low-cost airline that suffered the breach of personal information of over 9 million customers earlier this year, was also found to have 222 vulnerabilities across nine of its domains, including two critical flaws that allowed hackers to hijack browsing sessions and steal private data.
When told about the vulnerabilities, EasyJet took three domains offline and resolved flaws in six other sites but said none of the sub-domains were linked to easyjet.com and that it had seen no evidence of any malicious activity on the affected sites.
Commenting on vulnerabilities found in the websites of Marriott, British Airways, and EasyJet, Chris Hauk, Consumer Privacy Champion at Pixel Privacy, said it is sad to see that Marriott and other companies haven’t learned their lesson from previous data breaches, and are still leaving their customers’ data open to theft by the bad actors of the world.
“This is particularly disturbing, considering Marriott, easyJet, American Airlines, and the others are in the travel industry, where firms will have enough data on file about their customers that it enables the bad guys to have enough information to open new lines of credit and easily cause other types of havoc in customers’ lives,” Hauk added.