How Secure Are the Leading Travel Aggregator Websites?

AAA predicts that a record number of Americans will be taking to the skies and roads this holiday season: 103 million between Dec. 23 and Jan. 2, a 1.5% increase over 2015. 57% of these travel reservations (that’s 148 million travellers) were booked online. Airfare/hotel/car rental comparison websites are an increasingly popular way to book travel these days, but how good are they at protecting their users’ data? Let’s take a look at the top 8 online travel aggregators’ CSTAR ratings to find out.

Also known as travel metasearch websites, online travel aggregators use multiple search engines and third-party query tools to generate their own search results. For example, Orbitz searches across a myriad of airlines and third-party websites to find matching flights and car/hotel rates. Aggregators source their data using a variety of methods: API access to the airline booking system, manual data upload, web scraping, and more. Some aggregators book reservations on users’ behalf and are responsible for credit card processing and the security of the underlying data.

The travel industry has been fraught with security incidents as of late: from major reservation systems to global hotel and casino chains, travel-based enterprises have been actively targeted by cyber attackers. Some websites in this roundup have already fallen victim; for example, Expedia suffered a data breach last year that left names, phone numbers, emails, and other customer booking information exposed.

Travel Aggregator Website Roundup

Many of the following companies have been around since the dawn of the consumer Internet; for example, Priceline.com was founded in 1997 and remains a leading online travel aggregator. Competing websites Hotwire and Orbitz are also longstanding favorites for finding and booking travel deals online.

1. Orbitz – 669 out of 950

Initially a collaborative effort of several major airlines, Orbitz is now a subsidiary of online travel conglomerate Expedia. The company’s executives led a discussion last year urging the government to adopt post-data breach notification standards for companies to follow; how does its own website perimeter security hold up? Its average 669 CSTAR score is the result of several shortcomings: server information leakage and lack of DMARC, among others. Additionally, its low CEO approval rating makes the company more prone to insider threats.

2. Hotwire – 670 out of 950

Like Orbitz, Hotwire was initially a joint initiative of 6 major airlines: American, Northwest (Delta), Continental (United), America West (American), and United. Late last year, the company was among 16 worldwide companies that failed to properly encrypt customer credit card data following the CardCrypt vulnerability, potentially putting hundreds of thousands of customers at risk. The company scores an average rating when it comes to resilience: server information leakage, lack of secure cookies, and disabled DMARC make its website prone to security compromises.

3. KAYAK – 668 out of 950

KAYAK was founded in 2004 by Orbitz co-founders; the company has since been acquired by Priceline.com’s parent company, The Priceline Group. Back in 2012, the company experienced a security incident in which customers’ personal information was exposed. To make matters worse, the flaw was first discovered by a curious customer.

The company’s website has an average CSTAR rating of 668. Several security gaps make its resilience posture less than ideal: lack of secure cookies, server information leakage, disabled DNSSEC, and more. Additionally, at the time of this writing, its SSL certificate expires in less than 30 days.

4. Priceline.com – 721 out of 950

You may remember William Shatner’s run as the “Negotiator” in Priceline.com’s long-running commercial series. Priceline has been quietly gobbling up competitors in recent years, including online hotel reservation websites Booking.com/Agoda.com and fellow CSTAR roundup member KAYAK. In terms of cyber resilience, its CSTAR score of 721 is good, but not optimal: lack of DMARC/DNSSEC and missing HTTP transport security are a few of its shortcomings. Additionally, a 59% CEO approval rating means that the firm is more likely to suffer from insider attacks.

5. Travelocity – 680 out of 950

Another Expedia-owned web property, Travelocity was founded in 1996 by Sabre Corporation. The company has experienced its own share of security incidents over the years, including a data breach that exposed the personal data of 51,000 customers on a company server. Its average CSTAR score of 680 is a result of multiple website perimeter security flaws: server information leakage, lack of HttpOnly/secure cookies, missing DMARC/DNSSEC, and more.

6. Skyscanner – 732 out of 950

UK-based Skyscanner was founded in 2001 as a search engine for finding European budget airline flights; the service has since expanded to cover global travel with international carriers. The company’s CSTAR score of 732 is good, but nonetheless falls short due to several flaws: lack of HttpOnly/secure cookies and missing DMARC/DNSSEC, among others.

7. Cheapoair – 586 out of 950

Appropriately named Cheapoair is a popular, no-frills website for finding cheap flights online. The company was founded in 2005 as a subsidiary of leading travel technology company Fareportal. Its average CSTAR score of 586 is a result of numerous flaws detected in its website’s perimeter security: lack of HttpOnly/secure cookies and missing DMARC/DNSSEC, to name a few.

8. Expedia – 731 out of 950

Expedia may need no introduction, but on top of being the most recognizable name in this roundup, the company also takes the cake for experiencing the most security incidents in the past few years. The company fell victim to multiple data breaches in 2015 alone; in January 2016, it suffered an insider attack resulting in the theft of confidential corporate information. Its CSTAR score of 731 is the best in this roundup, but security shortcomings like server information leakage, lack of secure cookies, and missing DNSSEC weaken its resilience posture.

Conclusion

In general, these 8 leading travel aggregators maintain a competent basic level of security, with none of their CSTAR scores falling into the “warning” range. That said, similar security issues plague all of their websites, and two companies, Orbitz and Priceline.com, suffer from dismal CEO approval ratings, a common red flag for potential insider threats. Want to find out how resilient your preferred online travel aggregator is? Try out UpGuard’s CSTAR risk grader web application and Chrome extension for instantly validating its website’s security posture.
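The findings the roundup repeats (missing DMARC and DNSSEC, server information leakage, cookies without the Secure/HttpOnly flags, missing HTTP Strict Transport Security, a certificate close to expiry) can each be checked mechanically. The Python below is an added example, not UpGuard’s CSTAR code; it runs over a constructed scan record for the hypothetical domain aggregator.example instead of querying any live site, so every value in SAMPLE_SITE is made up.

```python
from datetime import date

# Constructed sample input (not a real scan): one site's DNS answers, HTTP
# response headers and certificate expiry, shaped like the roundup's findings.
SAMPLE_SITE = {
    "domain": "aggregator.example",
    "dns_txt": {"_dmarc.aggregator.example": []},  # no DMARC record published
    "dnssec_signed": False,                         # zone has no RRSIG records
    "headers": {"Server": "Apache/2.2.15", "Strict-Transport-Security": "max-age=31536000"},
    "set_cookie": ["session=abc123; Path=/; HttpOnly", "pref=us; Path=/; Secure; HttpOnly"],
    "cert_not_after": date(2016, 12, 20),
}
SCAN_DATE = date(2016, 12, 1)  # constructed "time of this writing"

def cookie_flags(set_cookie_headers):
    """(all_secure, all_httponly): True only if every Set-Cookie carries the flag."""
    secure = httponly = True
    for header in set_cookie_headers:
        attrs = {part.strip().lower() for part in header.split(";")[1:]}
        secure = secure and "secure" in attrs
        httponly = httponly and "httponly" in attrs
    return secure, httponly

def has_dmarc(dns_txt, domain):
    """DMARC is published as a TXT record at _dmarc.<domain> beginning with v=DMARC1."""
    return any(r.lower().startswith("v=dmarc1") for r in dns_txt.get("_dmarc." + domain, []))

def audit(site, today):
    """Return the list of perimeter findings named in the roundup for one site record."""
    findings = []
    if not has_dmarc(site["dns_txt"], site["domain"]):
        findings.append("missing DMARC")
    if not site["dnssec_signed"]:
        findings.append("DNSSEC disabled")
    headers = {k.lower(): v for k, v in site["headers"].items()}
    if "strict-transport-security" not in headers:
        findings.append("missing HTTP Strict Transport Security")
    server = headers.get("server", "")
    if any(ch.isdigit() for ch in server):  # a version number in Server is information leakage
        findings.append("server information leakage: " + server)
    secure, httponly = cookie_flags(site["set_cookie"])
    if not secure:
        findings.append("cookies without Secure flag")
    if not httponly:
        findings.append("cookies without HttpOnly flag")
    days_left = (site["cert_not_after"] - today).days
    if days_left < 30:
        findings.append("certificate expires in %d days" % days_left)
    return findings
```

For a real site you would replace the constructed record with the actual _dmarc TXT answer, a DNSSEC lookup result, the HTTPS response headers and the certificate’s notAfter date; `audit(SAMPLE_SITE, SCAN_DATE)` reports the five findings the sample was built to exhibit.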
