Top Travel Sites Need to Address First-Class Security Issues

A recent study conducted by security vendor Cequence revealed that the top 10 travel and hospitality companies are facing serious security vulnerabilities in their public-facing cloud infrastructures. These vulnerabilities not only put customers at risk but also pose a threat to the businesses’ reputations.

The investigation focused on popular online booking sites such as Orbitz, Kayak, Skyscanner, and Travelocity, among others. The researchers uncovered that all of these websites exhibited significant security flaws that could potentially compromise user data and lead to man-in-the-middle attacks. These vulnerabilities are particularly concerning during peak travel times when cyber attackers are more likely to target busy travel sites.

According to William Glazier, the director of threat research at Cequence, the risks associated with these security flaws include financial loss, identity theft, disrupted travel for consumers, as well as reputational damage and legal issues for businesses. Glazier emphasized the need for both providers and consumers to take proactive measures to safeguard against potential security threats.

One of the key findings of the study was the presence of security holes in the back-end infrastructure of travel organizations. Cequence identified misconfigurations and other issues in the cloud infrastructure supporting these websites. In particular, eight out of the 10 companies had public-facing application servers that were vulnerable to unauthorized access, potentially exposing sensitive data to threat actors.

Additionally, the study highlighted the prevalence of cloud sprawl among travel and hospitality websites. This phenomenon, characterized by the rapid deployment of cloud instances without effective management, results in a complex and insecure network environment. The use of multiple hosting providers further complicates the situation, making it challenging for organizations to secure their technology assets effectively.

While Cequence did not disclose the names of the worst security offenders, it did point out the companies that demonstrated better security practices. Orbitz, Travelocity, Kayak, and Skyscanner were among the safest sites analyzed, with fewer vulnerabilities in their public-facing applications. These companies had implemented measures to secure their internal servers and minimize the risk of cyber threats.

Looking ahead, travel and hospitality companies are facing two critical milestones that require immediate attention to enhance their online security measures. The upcoming PCI DSS v4.0 security standard, set to take effect in April 2025, will introduce new requirements for handling credit card information. Non-compliance could result in fines, penalties, and disruptions to card transactions, emphasizing the importance of maintaining robust security practices.

Furthermore, the approaching winter-travel season presents an opportunity for cyber attackers to launch distributed denial-of-service (DDoS) attacks. With November 2023 recording a significant increase in DDoS attacks on travel sites, companies must prioritize cybersecurity measures to mitigate the risk of disruptions and safeguard customer data.

In conclusion, the findings of the Cequence study underscore the critical need for travel and hospitality companies to address the security vulnerabilities in their online booking platforms. By implementing robust security measures and complying with industry standards, these organizations can protect their customers and uphold their reputation in an increasingly digital landscape.
