A recent study conducted When Cequence, a cybersecurity vendor, studied the severe security gaps plaguing the top 10 travel and hospitality companies. The list includes household names such as Orbitz, Kayak, Skyscanner, and Travelocity, sites millions rely on daily for booking flights, hotels, and vacation packages.
Cequence’s research exposes that these platforms have security flaws, creating a fertile ground for cyberattacks that affect both consumers and businesses.
From financial loss to identity theft, vulnerabilities leave customers susceptible to severe consequences.
For businesses, the impact is equally concerning, with risks ranging from reputational damage to costly legal repercussions. Issues arise due to a combination of outdated technology, poorly managed cloud environments, and lack of comprehensive security measures.
As digital transactions become increasingly integrated into travel planning, addressing these weaknesses is key in order to avoid large-scale disruptions.
From MiTM attacks to cloud chaos
Attacks occur when an unauthorized entity intercepts communications between a user and a website, often without either party knowing. In the context of travel bookings, this means sensitive information, such as credit card details, passport information, and travel itineraries, can be compromised.
One of the most alarming revelations from Cequence’s research is that 91% of the most serious vulnerabilities detected allow for Man-in-the-Middle (MiTM) attacks.
When intercepting the connection between the user and the travel platform, attackers can alter or steal data, leading to devastating financial and personal consequences. In an industry handling a massive volume of sensitive transactions daily, this level of exposure puts millions of consumers at risk, particularly during peak travel seasons.
Flawed cloud systems are leaving travel sites exposed to cyberattacks
A large portion of the vulnerabilities comes from cloud infrastructure misconfigurations, with 8 out of 10 companies having public-facing non-production or internal servers. Servers are often unmonitored, leaving a blind spot for IT security teams.
In one case, a company was found to have up to 300 unmonitored servers, exposing the organization to potential cyberattacks without even realizing it.
The reliance on cloud infrastructure is widespread among travel companies, and when combined with poor management, it creates a breeding ground for cyber threats. Without adequate monitoring or protective measures, these servers act as open gateways for attackers to infiltrate systems, potentially stealing data or manipulating backend processes.
The chaos of cloud sprawl
A key challenge facing these companies is cloud sprawl, where travel sites use multiple cloud providers—ranging from 5 to 21 different providers—to manage their infrastructure. Amazon Web Services (AWS) is the most frequently used, followed by Google and Microsoft, but the variety of services and providers complicates security management.
Companies may not even be aware of all the assets within their network, leaving vast sections of their infrastructure vulnerable.
Cloud sprawl heightens the risk of security breaches and increases exposure to supply-chain attacks.
Many vulnerabilities may not even originate from a company’s infrastructure but instead from a third-party cloud provider. This scenario creates an unpredictable risk environment where securing the entire chain becomes nearly impossible.
The real costs of security failures for travelers and businesses alike
For consumers, the consequences of these security lapses are severe and far-reaching. Hackers exploiting vulnerabilities in travel platforms can lead to:
- Financial loss: Attackers may compromise transactions, draining bank accounts or making fraudulent purchases.
- Identity theft: Stolen personal information during travel bookings, such as passport numbers and payment details, can lead to identity theft.
- Disrupted travel: If attackers manipulate booking details or access travel itineraries, entire travel plans can be thrown into chaos, resulting in missed flights, canceled reservations, and a frustrating experience.
The financial and emotional impact on travelers is profound, especially as most customers use these platforms expecting a seamless and secure experience.
Security gaps can sink the reputation and bottom line of travel companies
For travel companies, the stakes are just as high. Reputational damage from a security breach can erode consumer trust, a key asset in a competitive market. News of a data breach or security vulnerability can quickly spread, resulting in customer churn and a hit to brand loyalty.
Legal and regulatory challenges also loom large. Non-compliance with data security laws, especially in highly regulated industries like travel and hospitality, opens the door to lawsuits, fines, and government scrutiny.
Companies that fail to secure customer data may face penalties or be banned from processing financial transactions, hitting their revenue stream and long-term viability.
Mismanaged servers and cloud chaos are a goldmine for hackers
In the Cequence study, 8 out of 10 companies had unprotected internal servers exposed to the public. Servers, meant for internal use, are often left unmonitored, creating easy targets for attackers. One company even had 300 such servers, a staggering number that highlights the scale of the problem.
Servers, often in testing or development stages, don’t receive the same level of security scrutiny as production systems. Without proper monitoring, they can be exploited to gain unauthorized access to more sensitive parts of a company’s infrastructure, leading to catastrophic breaches.
Cloud sprawl opens the door to supply-chain attacks
With multiple cloud providers in use, managing security across the entire network becomes exceedingly complex. Travel companies face difficulty tracking and securing every asset, leaving gaps for attackers to exploit.
Complexity increases the risk of supply-chain attacks, where vulnerabilities from a third-party cloud provider infect a company’s systems downstream.
Attacks can cause widespread disruption, as companies struggle to identify the source of the breach and secure their systems, all while relying on external providers for key infrastructure.
The safest and riskiest travel sites for your next trip
Amid the widespread security concerns, some companies have taken a proactive approach to securing their platforms. Cequence identified Skyscanner as the top performer in terms of security, followed by Kayak, Orbitz, and Travelocity. These companies have fewer vulnerabilities in their public-facing applications, demonstrating that better security practices can mitigate risks.
Their efforts to lock down internal servers and reduce public-facing vulnerabilities offer a blueprint for other companies in the industry.
Major security deadlines travel sites can’t miss
A key deadline on the horizon is the implementation of PCI DSS v4.0, set to take effect in April 2025. New standards, governing the handling of credit card data, require changes to guarantee secure transactions.
Companies failing to comply will face fines, penalties, and even disruptions to card transactions. Non-compliance also increases the risk of data breaches, further compounding reputational damage.
The upcoming winter travel season, which starts in October, presents a higher risk of DDoS attacks, with cybercriminals taking advantage of increased online traffic.
In November 2023, travel companies experienced almost double the number of DDoS attacks compared to any other month. With more people booking holiday trips and processing payments online, the industry needs to prepare for another surge in attacks this winter.