Hundreds of serious data security vulnerabilities have been uncovered on the websites of travel firms including Marriott, British Airways and easyJet, new research has revealed.

The study says it suggested firms have failed to learn lessons from previous high-profile hacks that saw millions of customer details compromised.

It comes from a new assessment over the security of websites operated by 98 travel companies, including airlines, tour operators, hotel chains, cruise lines and booking sites.

Last year British Airways and Marriott International were told to expect multi-million-pound fines proposed as a result of major UK privacy-breach probes with the final decisions not expected until later this year.

Last July, the Information Commissioner's Office proposed fining the UK's flag-carrier airline 183 million pounds ($227 million) and the hotel group £99m ($127 million) for breaches of the EU's General Data Protection Regulation. The ICO said that poor security practices led to the exposure of customers' data.

READ MORE: No air arrival in Scotland has had quarantine check due to 'security clearance' issues

The companies have had over a year to argue the fines down, after the watchdog set a deadline of to issue its final decisions and fines.

The GDPR fines have yet to be finalised.

But now a new investigation by consumer organisation Which? carried out throughout June serious data security vulnerabilities suggesting the travel giants have "failed to learn lessons" from previous high-profile hacks that saw millions of customer details compromised.

And it has highlighted the five travel companies it found were doing the worst job in protecting their users.

The investigation found that hotel chain Marriott not only had the most vulnerabilities on its websites but also the most critical issues. Researchers found almost 500 in total and more than 100 of these were judged as ‘high’ or ‘critical’.

Of the 18 critical issues exposed, three were found on a single website of one of its hotel chains – where errors in the software used to run the website could allow an attacker to target the site’s users and their data.

Which? said the findings suggest that Marriott has not made sufficient progress since a data breach in 2018, when it reported that the records of 339 million of its guests had been maliciously accessed.

The Herald:

The hotel chain suffered a further data breach in May 2020 involving a reported 5.2 million guests.

American Airlines hasn’t yet had a high-profile data breach, but Which? found it 291 potential vulnerabilities across its websites - the second highest in the probe - with seven critical and 30 high-impact.

Which? said most of the more problematic sites appeared to be used internally by American Airlines staff. Butthe consumer organisation did find a high-impact vulnerability on a website for American Airlines’ credit card business.

It said an attacker would need to steal a login password for this site, but if they did they could potentially tamper with the content or computer systems used to run the website.

Rory Boland, editor of Which? Travel, said: “Our research suggests that Marriott, British Airways and easyJet have failed to learn lessons from previous data breaches and are leaving their customers exposed to opportunistic cybercriminals.

“Travel companies must up their game and better protect their customers from cyber threats, otherwise the ICO must be prepared to step in with punitive action, including heavy fines that are actually enforced.

“The government must also allow for an opt-out collective redress regime that deals with mass data breaches – so that companies that play fast and loose with people’s data can be held to account.”

Some 115 potential vulnerabilities on British Airways’ websites, including 12 that were judged to be critical. Most of the flaws were software and applications that appeared to have not been updated, making them potentially vulnerable to being targeted by hackers.

Previously cybercriminals walked off with the names, email addresses and credit card details of around 500,000 customers when British Airways got hacked in 2019.

EasyJet – which earlier this year had a data breach affecting around nine million customers – had 222 vulnerabilities across nine of its domains uncovered by Which’s security experts. This included two critical vulnerabilities, with one so serious that an attacker could use it to hijack someone’s browsing session, potentially revealing private data.

In response to Which?’s research, easyJet took three domains offline and resolved the disclosed vulnerabilities on the other six sites.

It said: “We had already started a full review of all domains using a risk-based approach. This would have identified and resolved these potential issues however are pleased we have been able to bring this forward. All companies have to be vigilant to defend against criminal cyber activity and we will continue to constantly review and strengthen our systems.”

Marriott said: “Marriott welcomes the input provided by Which? as part of its assessment of hospitality companies in the travel industry and looks forward to working with Which? to find ways Marriott can continue to improve its security position. In this regard, Marriott has conducted a preliminary review of Which?’s findings after Which? provided them to Marriott. At this stage, there is no reason to believe that the findings impact Marriott’s customer systems or data."

British Airways said: "We take the protection of our customers' data very seriously and are continuing to invest heavily in cyber security. We have multiple layers of protection in place and are satisfied that we have the right controls to mitigate vulnerabilities identified. These controls are often not detected in crude external scans."

Lastminute.com added tests it had seen were "in reality low risk or not a risk at all".