Marriott, British Airways and easyJet fail to learn data breach lessons as hundreds of serious security risks exposed by Which?

A Which? investigation has exposed hundreds of serious data security vulnerabilities on the websites of travel firms including Marriott, British Airways and easyJet – suggesting the travel giants have failed to learn lessons from previous high-profile hacks that saw millions of customer details compromised.

Travel companies hold a significant amount of sensitive customer information that can be exploited by criminals, including payment card details, passport information that can be used for ID theft, emails that can be used for phishing attacks and itineraries that can be used for more sophisticated fraud.

Marriott and British Airways have already been issued with proposed, but not yet enforced, fines collectively reaching hundreds of millions of pounds – however the consumer champion found that some travel companies were still failing to protect their users.

In June 2020, Which? assessed the security of websites operated by 98 travel companies, including airlines, tour operators, hotel chains, cruise lines and booking sites. Experts did not just look at the main website of each firm, but related domains and subdomains too – including promotional sites, spin-off businesses or employee login portals.

The investigation found that hotel chain Marriott not only had the most vulnerabilities on its websites but also the most critical issues. Researchers found almost 500 in total and more than 100 of these were judged as ‘high’ or ‘critical’.

Of the 18 critical issues exposed, three were found on a single website of one of its hotel chains – where errors in the software used to run the website could allow an attacker to target the site’s users and their data.

These types of vulnerabilities can give hackers a backdoor into the system in order to mount a range of attacks and that’s why even seemingly small vulnerabilities can end up becoming big problems.

These findings suggest that Marriott has not made sufficient progress since a data breach in 2018, when it reported that the records of 339 million of its guests had been maliciously accessed. It led to a proposed fine for the firm of around £100million by the Information Commissioner’s Office (ICO). The hotel chain suffered a further data breach in May 2020 involving a reported 5.2 million guests.

Which? found 115 potential vulnerabilities on British Airways’ websites, including 12 that were judged to be critical. Most of the flaws were software and applications that appeared to have not been updated, making them potentially vulnerable to being targeted by hackers.

Previously cybercriminals walked off with the names, email addresses and credit card details of around 500,000 customers when British Airways got hacked in 2019. Alongside a proposed fine of £183million, the ICO criticised BA’s poor security measures at the time.

EasyJet – which earlier this year had a data breach affecting around nine million customers –  had 222 vulnerabilities across nine of its domains uncovered by Which?’s security experts. This included two critical vulnerabilities, with one so serious that an attacker could use it to hijack someone’s browsing session, potentially revealing private data.

In response to Which?’s research, easyJet took three domains offline and resolved the disclosed vulnerabilities on the other six sites.

American Airlines hasn’t yet had a high-profile data breach, but Which? found 291 potential vulnerabilities across its websites, with seven critical and 30 high-impact. Most of the more problematic sites appeared to be used internally by American Airlines staff, but Which? did find a high-impact vulnerability on a website for American Airlines’ credit card business. An attacker would need to steal a login password for this site, but if they did they could potentially tamper with the content or computer systems used to run the website.

When Which? assessed’s 153 subdomains, it found vulnerabilities with a spa break site and a ‘customised’ holiday site. Which? also found a critical vulnerability that could enable an attacker to manipulate pages, access sensitive information such as session cookies – showing what a person has clicked on – and to create fake login accounts.

It is vital that these poor-performing travel websites vastly improve when it comes to protecting their customers from data breaches, as Which?’s investigation suggests that some are currently failing miserably.

Businesses must ensure that they have good practices in place – including improved customer security protections, keeping systems updated, responding to reports of weaknesses in their data security and effective communication when a breach has occurred.

The fines to Marriott and British Airways proposed by the ICO have not happened yet and Which? believes it must continue to take action, including by issuing and actually enforcing fines, against sites that fail to protect consumers’ data.

Which? also wants the government to implement provisions in the GDPR to allow not-for-profit organisations to bring collective redress action on behalf of consumers for breaches of data protection rules without their specific authorisation. This would help to support and enforce the rights of consumers and create further incentives for businesses to improve their processes.

Rory Boland, Editor of Which? Travel, said:

“Our research suggests that Marriott, British Airways and easyJet have failed to learn lessons from previous data breaches and are leaving their customers exposed to opportunistic cybercriminals.

“Travel companies must up their game and better protect their customers from cyber threats, otherwise the ICO must be prepared to step in with punitive action, including heavy fines that are actually enforced.

“The government must also allow for an opt-out collective redress regime that deals with mass data breaches – so that companies that play fast and loose with people’s data can be held to account.”

Which? advice to consumers on protecting their data

  • Passwords – One of the services Which? tested enabled it to set the trivially easy-to-guess account password, ‘password’. Always set strong passwords for your accounts:

  • Password manager – Many services now alert you if your passwords have been compromised. As services such as Lastpass and Dashlane can be used for free, there’s no reason not to use a password manager.

  • Credit card details – Don’t save your credit card details if you aren’t going to use the service regularly. Although it’s a faff to resubmit them, that’s better than having your financial information unnecessarily stored in a database that could be compromised.

  • Guest checkout – Similarly to the above, just checkout as a guest if you aren’t going to use the service that often. Only create an account if you really need to.

  • Two factor/multi-factor authentication (2FA/MFA) – None of the highlighted services Which? tested offered this, but 2FA/MFA is worth activating to increase security if it is available, particularly if your account holds your financial information.

Notes to editors

  • In June 2020, Which?, working in collaboration with security experts 6point6, assessed the security of websites operated by 98 travel industry companies, including airlines, tour operators, hotel chains, cruise lines and booking sites. Which? didn’t just look at the main website of each firm, but related domains and subdomains too.

Medium vulnerabilities

High vulnerabilities

Critical vulnerabilities

Total vulnerabilities







American Airlines














British Airways





Tablenotes: Tested in June 2020. Vulnerabilities identified by industry-standard methods. Total vulnerabilities include ‘low’ impact. Vulnerabilities may include ‘false positives’: domains not actually owned by the company, or risks fixed during engagement with the brands. Which? revised anything specifically refuted by the brands.

  • Which? wants the government to bring forward provisions under Article 80(2) of the GDPR to allow not-for-profit organisations to bring opt-out collective redress action on behalf of consumers for breaches of data protection law.

Rights of reply


Marriott told us that it has “embedded oversight and governance of its security and privacy programs at the highest levels of its business, and continues to enhance its security posture to adapt to a dynamic risk landscape”. It said that it conducts regular penetration testing and scans its externally facing corporate assets daily. It also operates a vulnerability disclosure and bug bounty program.

In a statement, a spokesperson said: “Marriott welcomes the input provided by Which? as part of its assessment of hospitality companies in the travel industry and looks forward to working with Which? to find ways Marriott can continue to improve its security position.  In this regard, Marriott has conducted a preliminary review of Which?’s findings after Which? provided them to Marriott.

At this stage, there is no reason to believe that the findings impact Marriott’s customer systems or data.  Marriott also notes that some of the findings are not attributable to Marriott, other findings could not be validated, others have already been addressed through compensating controls, and many of the findings relate to Marriott’s development environment—which contains limited applications and is not connected to Marriott’s customer systems or data.

As it does with other security researchers, Marriott is taking a closer look at and addressing Which?’s findings, and would welcome a further dialogue with Which?’s technical experts at their earliest convenience. In this regard, Marriott notes that the use of Two-Factor authentication for Marriott Bonvoy (web-based access) is initiated for certain account changes prior to their acceptance, such as changes to email addresses and password changes. Implementation of Two-Factor authentication for all Bonvoy logins and adding further password complexity is also under review.”


“easyJet always takes the security of our systems and the protection of our customer and employees’ data very seriously complying with relevant legislation.

“Like many companies, easyJet has a number of subdomains which provide a range of functions including test sites not in use by customers, resources for staff, and sites to provide additional services and information for customers such as our digital inflight magazine or our bistro menu.

“As soon as potential vulnerabilities on nine subdomains were brought to our attention, we investigated this in addition to our regular security reviewing processes and of those, three have been removed as were expired sites, potential vulnerabilities on one active site have been resolved and we will be resolving the potential vulnerabilities for the remaining five subdomains in the coming days.

“These subdomains are in no way linked to our core website and we have seen no evidence of any malicious activity on these sites and none store any customer passwords, credit card details or passport information.

“We had already started a full review of all domains using a risk-based approach. This would have identified and resolved these potential issues however are pleased we have been able to bring this forward. All companies have to be vigilant to defend against criminal cyber activity and we will continue to constantly review and strengthen our systems.”

On passwords, easyJet said:

“We already encourage customers to select a secure password through a password strength check when setting up an easyJet account and as part of our continuous review of our systems, further improvements will go live in the coming weeks.”

British Airways 

“We take the protection of our customers’ data very seriously and are continuing to invest heavily in cyber security.  We have multiple layers of protection in place and are satisfied that we have the right controls to mitigate vulnerabilities identified. These controls are often not detected in crude external scans.”

American Airlines

An American Airlines spokesperson said: “American Airlines recognizes the importance of cybersecurity and uses a variety of techniques and tools to keep our customers’ information and our corporate data safe. We have security monitoring systems in place and continue to deploy new technology to improve visibility and prevent attacks. American uses a combination of internal and external cyber professionals to regularly identify and test the security of our systems and continue improving our capabilities.” 

“Our customers entrust us with their personal and sometimes sensitive data so it is important that we have a robust and clear Information security strategy that ensures that we do all we can to secure it in line with GDPR and local government guidance.

“We’re always grateful and support feedback from 3rd parties about our websites. It would appear that (as in a lot of Penetration tests that we do internally) the test Which did flag up what we call, False+ results (which may show as critical but in reality are low risk or not a risk at all – this happens for various reasons but we always give high priority to investigate).

“This was the case in the examples Which? kindly shared, which were mainly test sites containing no personal or sensitive data.

“We take a robust risk-based approach in our security posture – it’s something we take incredibly seriously – we regularly conduct risk assessments to categorise priorities with careful consideration. Which means people, process and technology that; process, transmit or store personal or sensitive data is our highest priority. This is an area that we work on constantly as environments change and situations arise, such as the COVID-19 which has meant workforces like ours have adapted to remote working, processes and security is always at the forefront of everything we do.”

Press Release