Site navigation

Security Researchers Expose Vulnerabilities on Marriott, BA and EasyJet Websites

Ross Kelly


security vulnerabilities

All three firms have previously fallen victim to high-profile data breaches.

An investigation by Which? has revealed serious data security vulnerabilities on websites belonging to a host of travel firms, including those previously impacted by costly data breaches.

Websites for Marriott, British Airways and EasyJet were all found to be vulnerable to hackers, according to researchers at the consumer watchdog.

The raft of vulnerabilities suggests the firms may not have learned lessons from previous security blunders which saw millions of customer details compromised.

Commenting on the research, Rory Boland, editor of Which? Travel, said: “Travel companies must up their game and better protect their customers from cyber threats, otherwise the ICO must be prepared to step in with punitive action, including heavy fines that are actually enforced.

“The government must also allow for an opt-out collective redress regime that deals with mass data breaches – so that companies that play fast and loose with people’s data can be held to account.”

As part of its investigation, researchers at Which? examined the security of websites operated by 98 travel companies, spanning airlines, tour operators, booking sites and cruise lines.

Each company’s main website was examined while related domains and subdomains were also looked at, researchers said. This applied to promotional sites, spin-off organisations and even employee login portals.

In particular, Marriott was found to have the most vulnerabilities on its websites as well as the most critical issues. Nearly 500 issues were identified in total, with 100 of these deemed ‘critical’ or ‘high’ risk.

Researchers said that three critical issues were found on one specific site of its various hotel chains. These software errors would potentially allow an attacker to target website users and put customer data at risk.

“These findings suggest that Marriott has not made sufficient progress since a data breach in 2018 when it reported that the records of 339 million of its guests had been maliciously accessed,” the consumer watchdog said in a statement.

Marriott’s 2018 data breach prompted the Information Commissioner’s Office (ICO) to propose a fine of £99 million. In May this year, the company also reported another data breach which is believed to have exposed the data of 5.2 million guests.

A spokesperson for Marriott said the hotel chain “welcomes the input provided” by the Which? investigation. However, the firm said at this stage there is “no reason to believe that the findings impact Marriott’s customer systems or data”.


British Airways websites were also found to be laden with potential vulnerabilities, with 115 in total identified. Of these, 12 were judged to be ‘critical’ vulnerabilities that could place customers and website users at risk.

Many of these, researchers said, were found to be software and applications that had not been updated.

In 2019, British Airways also fell prey to cybercriminals when a data breach exposed the names, email addresses and credit card details of half-a-million customers. Following an investigation into the BA data breach, the ICO recommended a fine of £183 million and heavily criticised the airline’s poor security practices.

In a statement responding to the investigation, a spokesperson for British Airways said: “We take the protection of our customers’ data very seriously and are continuing to invest heavily in cybersecurity.

“We have multiple layers of protection in place and are satisfied that we have the right controls to mitigate vulnerabilities identified. These controls are often not detected in crude external scans.”

The Which? investigation into easyJet security practices uncovered 222 vulnerabilities across nine of its domains. One of these was found to be so critical that a hacker could hijack a user’s browsing session to access personal data.

In response to the discovery, easyJet confirmed it took three domains offline and addressed the disclosed vulnerabilities on the other six sites.

Ross Kelly

Staff Writer

Latest News

Cybersecurity Data Protection
Editor's Picks Events Trending Articles
%d bloggers like this: