Industry Observations

Lack of App Security Can Lead to Holiday Travel Woes

It’s that time of year again: the holidays are among us. Soon, millions of us will be on the road and in the air, on our way to visit friends and relatives to celebrate the season (or perhaps to get away from it all). Whatever the reason, holiday travel can be stressful and hectic. The last thing any holiday traveler needs to worry about is a data breach.

Few of us think about it, but so many aspects of modern travel leave us exposed to cyberthreats – and that’s especially true during the holidays. From the moment we go online to book a trip until we return safely home, we touch a lot of things that carry potential security perils. While the primary culprits are criminal hackers, what has enabled them is a travel industry that has been slow to fully embrace application security. The result has been a rash of data breaches that have affected millions of travelers.

Travel booking sites

  • In March 2018, travel booking site Orbitz disclosed a security breach exposing data for thousands of customers, including information on 880,000 payment cards.
  • In September 2014, travel website Viator was forced to notify approximately 1.4 million of its customers that their personal information had been exposed.


  • In April 2019, Cleveland Hopkins International Airport was hit with a ransomware attack that impacted airport systems, disabling email and knocking out some displays.


  • More than 9 million passengers had their data stolen due to a cyberattack on Cathay Pacific in March 2018.
  • A month later, Delta Airlines disclosed that a massive data breach on its website allowed unauthorized access to credit card and other information.
  • In September 2018, British Airways revealed that hackers had stolen personal and financial details from some 380,000 passengers in a sophisticated data breach.

Ridesharing apps

  • Last fall, Uber was forced to pay a total of $148 million equally to all 50 U.S. states after it was found to have intentionally concealed a massive breach in 2016 that resulted in stolen data from 57 million accounts.
  • In May 2015, the personal information of as many as 50,000 Uber drivers was leaked.


  • Marriott announced in November 2018 that anyone who made a reservation at one of its Starwood properties since 2014 — approximately 500 million guests – might have had their information at risk.

What Can Be Done

It’s no wonder that the travel industry has become a top target for hackers over the years, as travel companies routinely handle personal information for millions of customers around the world. Naturally, hackers are drawn to all that data.

But travel companies share in the blame because they have made themselves vulnerable. They’ve been quick to take advantage of technology to enhance user experience and improve internal processes, but slow to embrace the level of security needed to protect those systems. Mobile apps have made life easier for millions of travelers, yet they’ve also introduced new cyber risks that travel companies have been ill-prepared to handle.

In fact, according to WhiteHat Security’s 2019 State of Application Security report, more than one-third of all applications in the transportation industry are always vulnerable.

Every travel company that touches sensitive customer data needs to take a more proactive approach to application security. All software assets – mobile, web-based or APIs – need to be thoroughly tested throughout their development lifecycle. Development and security teams need to collaborate and be well-aligned in order to understand risks and how to mitigate them.

It’s unlikely that our travel activity will ever be completely immune to cyberthreats. But if travel companies take the needed steps to improve application security and travelers remain aware of threats and use common sense to protect their information, then we can all rest a little easier and enjoy the holidays a little more.