The websites of major travel brands including Marriott, British Airways and easyJet still have “serious data security vulnerabilities”, a new probe has found.
An investigation by consumer body Which? revealed that many travel companies had “failed to learn lessons from previous high-profile hacks that saw millions of customer details compromised”.
Which? said many major travel companies were not properly protecting sensitive customer information including payment card details and passport information.
Hotel giant Marriott’s online platforms were found to have the highest number of “vulnerabilities” to cyber criminals in the Which? study of 98 travel firms, including airlines, tour operators, hotel companies, cruise lines and online travel agencies.
Marriott was discovered to have 491 vulnerabilities across its websites, while easyJet and BA had 222 and 115 vulnerabilities on its online platforms.
Many of these problems concerned the failure to update software or errors that could allow hackers a “backdoor” into systems and access to customer data.
Rory Boland, editor of Which? Travel, said: “Our research suggests that Marriott, British Airways and easyJet have failed to learn lessons from previous data breaches and are leaving their customers exposed to opportunistic cybercriminals.
“Travel companies must up their game and better protect their customers from cyber threats, otherwise the ICO (Information Commissioner’s Office) must be prepared to step in with punitive action, including heavy fines that are actually enforced.
“The government must also allow for an opt-out collective redress regime that deals with mass data breaches – so that companies that play fast and loose with people’s data can be held to account.”