A Which? investigation has exposed hundreds of security vulnerabilities on the websites of major airlines, tour operators and hotel chains with most risk identified for Marriott, British Airways and easyJet.
More information here: https://www.which.co.uk/news/2020/09/marriott-british-airways-and-easyjet-fail-on-data-security-with-hundreds-of-security-risks-exposed-by-which/
Even with the travel industry up in the air, the sector must remain committed to keeping an eye on their data. When companies are facing problems elsewhere, it can be easy to focus less on certain areas of the business. However, customer data must remain a priority and better protected.
Once data is compromised, although we don’t want to see companies going out of business, they must be penalised if they have a data breach. If companies do not face up to the consequences, other firms have the potential to treat their data in the same way and the cycle of data breaches will continue.
It is worrying to see that businesses which have already suffered large data breaches are still failing to take cybersecurity seriously and to mitigate any exploited vulnerabilities. Cyberattacks continue to rise, with the recent Mimecast State of Email Security report finding that half of UK firms (51%) have suffered a ransomware attack in the last twelve months, and even more (58%) have seen an increase in phishing over the past year. This has only been accelerated by COVID-19, with Mimecast research showing a 33% overall increase in cyber threats ranging from malware to impersonation attacks as a result of the pandemic. It is time for businesses to consider the implications of failing to maintain a multi-layered and disciplined approach to cybersecurity, with the ramifications for not doing so impacting not only profit, but reputation. Firstly, there is the financial impact as a result of fines. But secondly, and probably more importantly, is the reputational impact that breaches will cause. Consumers trust the organisations they do business with to protect and safeguard their data. Any organisation that fails to do so will break this trust and is likely to lose business as a result. It is also arguable that any organisation compromised once will almost certainly be victim to the efforts of the same or other threat actors who know they were compromised before.
To properly protect data, security teams within an organisation must assess their database security and always follow best practice. Database misconfiguration is often overlooked and so it’s crucial that IT teams understand their environment and know where the data is being stored so that they are able to identify any vulnerabilities quickly and easily and issue a patch update where required. It is also advisable that organisations carry out pen testing so that they are able to identify any flags quickly. Ideally it is also seen as advisable for those with admin accounts and with a responsibility for databases to have internet browsing access on their accounts disallowed. Organisations should ensure they are carrying out regular employee training, so that their staff are aware of the current wide range of threats and can avoid falling for them. With half of UK firms having reportedly suffered a ransomware attack, both they, and the remaining half of organisations, should acknowledge the high propensity of this threat, and undertake a full security review to treat or terminate any identified network vulnerabilities.
It is sad to see that Marriott and other companies haven’t learned their lesson from previous data breaches, and are still leaving their customers’ data open to theft by the bad actors of the world. This is particularly disturbing, considering Marriott, easyJet, American Airlines, and the others are in the travel industry, where firms will have enough data on file about their customers that it enables the bad guys to have enough information to open new lines of credit and easily cause other types of havoc in customers’ lives.
Companies must step up their security game, closing security holes, keeping their systems patched to the latest versions, and training their employees and executives about ongoing security issues.
Over the past decade, we’ve seen the travel and hospitality industry change significantly. The customer experience has changed from brochures and face-to-face bookings, to being able to search thousands of flights and hotels with a simple search on their phone. This experience has brought about many benefits to the customer, but it has introduced several layers of digital complexity for hotels and airlines.
Complexity is among the biggest of hurdles to an effective security strategy. It is why all organisations should not cut back cyber security investments, and should seek to instil a culture of security which permeates throughout the organisation across all departments and functions. This will encourage all aspects from development, deployment, production, and assurance to ensure all aspects, particularly external-facing systems have appropriate controls which enhance security without compromising the user experience or 3rd party exchanges.
Cyber criminals will always follow the money to easy targets. So as long as bookings are made online, both directly and through third party partners, criminals will continue to target them – which makes it even more important that these organisations put the needed resources in place for security.