New study: 50% of travel companies have staff reusing previously breached passwords


Hi,

During peak travel season, when booking sites process millions of transactions daily, Business Digital Index (BDI) examined the cybersecurity posture of 20 major travel and tourism platforms—uncovering critical vulnerabilities that affect millions of users.

 

The analysis examined an extensive repository of dark web databases and found employee credentials from 18 out of 20 of the most visited tourism and travel websites circulating on the dark web. 

 

Importantly, these are not new data breaches, but information leaked in the past that is still available to purchase on dark web marketplaces.

 

While these credentials stem from older breaches, the critical question is: have employees actually changed their passwords, or do these exposed credentials still pose a threat?

 

BDI findings suggest that, in some instances, employees keep using the same password even after a data breach.

In half of the companies analyzed (10 out of 20), there were instances where employees’ credentials were leaked in one breach and then again in a later breach, with employees using the exact same password each time. Not every employee was reusing passwords, but a noticeable percentage in half of the analyzed companies continued this risky practice.

 

Based on these findings and multiple other criteria—including software patching, web application security, email protection, system reputation, hosting infrastructure, and SSL/TLS configuration—our analysis scored and graded the 20 most visited travel and tourism websites globally (including two weather websites).

 

After analyzing each website, we found that only 2 of the 20 analyzed sites were secure enough to receive an “A” for their cybersecurity efforts:

  • Trip.com topped the rankings with a score of 98/100, demonstrating robust security across all measured categories with minimal SSL configuration errors.
  • Flightradar24 earned second place with 96/100, showing excellent patch management and having only six employee credentials found in breach databases.

In contrast, four major companies received failing grades:

  • Skyscanner ranked lowest at 55/100, with researchers discovering 989 leaked credentials that are still accessible and 24 critical or high-risk vulnerabilities.
  • Marriott International and Hilton both scored 66/100, with tens of thousands of employee credentials from previous breaches still circulating in underground markets.
  • Wetter.com, a German weather website and one of the most visited weather websites globally, also received an “F” grade. 15% of Wetter.com employees reuse breached passwords.

Scores and grades of the 20 analyzed company websites:

 

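| #  | Company                | Grade | Score |
|----|------------------------|-------|-------|
| 1  | Trip.com               | A     | 98    |
| 2  | Flightradar24          | A     | 96    |
| 3  | Deutsche Bahn          | D     | 74    |
| 4  | FlightAware            | D     | 72    |
| 5  | Booking.com            | D     | 72    |
| 6  | Airbnb                 | D     | 72    |
| 7  | Ryanair                | D     | 72    |
| 8  | Agoda                  | D     | 71    |
| 9  | Expedia                | D     | 71    |
| 10 | United Airlines        | D     | 71    |
| 11 | American Airlines      | D     | 71    |
| 12 | Hotels.com             | D     | 71    |
| 13 | American Express       | D     | 71    |
| 14 | WetterOnline           | D     | 70    |
| 15 | IRCTC                  | D     | 70    |
| 16 | Tripadvisor            | D     | 70    |
| 17 | Marriott International | F     | 66    |
| 18 | Hilton                 | F     | 66    |
| 19 | Wetter.com             | F     | 69    |
| 20 | Skyscanner             | F     | 55    |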

______________________________________________________________________________  

The complete analysis is available here: https://businessdigitalindex.com/research/cybersecurity-analysis-reveals-critical-vulnerabilities-across-20-major-travel-tourism-websites/

The in-depth methodology can be found here. It provides detailed information on how researchers conducted this analysis.

Please let me know if you have any questions for Business Digital Index researchers. My contacts are provided below.
______________________________________________________________________________ 

 

Best Regards, 

 

Edvardas Garbenis

PR Manager

edvardas.garbenis@cybernews.com 

 
