Travel and hospitality companies are entering one of the busiest times of the year, with peak seasons like vacations and holidays bringing a surge in traveler activity. Unfortunately, this increase in traffic also attracts cybercriminals, who exploit the high volume of online activity to launch attacks. For travelers, this means being extra cautious with personal information, while travel and hospitality companies must enhance their security measures to protect customer data and maintain trust. Here’s a detailed look at our recent travel and hospitality cybersecurity research into the top 10 hospitality and travel companies and what can be done to stay secure.
Growing Hospitality and Travel Cybersecurity Threats
As travel peaks, cyber threats tend to escalate. Our research confirms that malicious actors often use the increased online traffic during these busy seasons as a cover for their attacks. The data shows a clear correlation between higher traffic volumes and a rise in DDoS attacks.
Key Findings from Our Analysis
We examined the public-facing API security posture of the top 10 travel and hospitality companies using Cequence API Spyder. Our findings reveal several critical issues:
Prevalent Vulnerabilities
- Every company analyzed had serious, public-facing vulnerabilities.
- Four of these companies were responsible for 91% of the serious vulnerabilities, many of which could enable Man-in-the-Middle (MitM) attacks.
- Cloud Management Challenges
Companies showed liberal use of multiple hosting providers, ranging from 5 to 21 different providers. This “cloud sprawl” can complicate the management and security of cloud infrastructure.
Unintentionally Public Servers
8 out of 10 companies had public-facing non-production or internal application servers, with one company having over 300 such servers. These servers are sometimes the result of development or QA activity, are often unmonitored, and can be an easy entry point for attackers.
Top Performers and Areas for Improvement
Fewest Vulnerabilities:
- Gold: Skyscanner
- Silver: Kayak
- Bronze: Orbitz
Fewest Public Servers:
- Gold: Tie – Orbitz & Travelocity
- Silver: Kayak
- Bronze: Skyscanner
The Impact of DDoS Attacks
Our data shows that during the winter travel holiday season, starting in October, we typically see a sharp increase in DDoS attacks. November 2023 saw the highest number of DDoS attacks in the travel industry for the entire year, with attacks reaching up to 1.03 Gbps and lasting as long as 7.43 hours.
Cequence API Spyder is SaaS-based discovery tool that provides an attacker’s view into an organization’s public-facing resources to identify external API hosts, unauthorized hosting providers, and API-specific security issues.
Governance and Compliance: Preparing for PCI DSS v4.0
With PCI DSS v4.0 coming into full effect on April 1, 2025, travel and hospitality companies must ensure they are compliant. This standard is critical for the protection of credit card information, and non-compliance can result in significant penalties and reputational damage.
Steps to Enhance Security
To address these vulnerabilities and protect against cyber threats, travel and hospitality companies should:
- Continuously monitor public-facing applications and APIs
- Strengthen API security by addressing public-facing vulnerabilities.
- Manage cloud infrastructure more effectively to prevent cloud sprawl.
- Regularly review and secure public-facing non-production servers to avoid unauthorized access.
- For travelers, maintaining awareness of potential cyber threats and employing strong travel cybersecurity practices is essential to protect personal and financial information.
Coverage and Recognition
Our research into the cybersecurity landscape of the top travel and hospitality companies has garnered significant attention. We are proud to have been featured in several prominent media outlets, including:
- Travel Pulse and MSN: Cybercriminals Capitalizing on Travel Industry’s Peak Season
- Dark Reading: Top Travel Sites Have Some First-Class Security Issues to Clean Up
- Security Magazine: Malicious actors are leveraging peak travel and vacation times
- SecurityWeek: Travel websites exposed to attacks
- Help Net Security: Cybercriminals capitalize on travel industry’s peak season
- Tech Day: Cybercriminals target top travel sites during peak season
We extend a special thank you to our friends at Vercara (part of DigiCert) for their invaluable contribution. Their DNS and DDoS data was crucial in supporting our research and providing deeper insights into the hospitality and travel cybersecurity challenges facing their industry.
For more information on securing your travel business, download our infographic and explore our Unified API Protection platform.
Sign up for the latest Cequence Security news
By clicking Subscribe, I agree to the use of my personal data in accordance with Cequence Security Privacy Policy. Cequence Security will not sell, trade, lease, or rent your personal data to third parties.
