Study: Top travel websites fail to protect user security

Approximately 89 percent of travel sites leave their users’ accounts exposed to hackers due to unsafe password practices, according to the Travel Website Password Power Rankings, a study done by digital security company Dashlane.

Dashlane researchers tested each website on five critical password and account security criteria. A site received a point for each criterion it met, for a maximum score of 5/5. Any score below 4/5 was considered failing and not meeting the minimum threshold for good password security.

Of the 55 top travel booking websites Dashlane tested, only Airbnb received top marks for its data-security policies regarding password protection. Hilton and Marriott International were the two hotel companies that passed Dashlane’s tests, each receiving 4/5. Hawaiian Airlines, Royal Caribbean and United Airlines also passed with 4/5. Only 11 percent (6/55) passed with a score of 4/5 or better. Norwegian Cruise Lines scored a 0/5. Many of the websites even allowed Dashlane researchers to set up accounts with alphanumeric passwords “12345” and “password.”

“Big names in the travel industry often come under fire for their physical treatment of customers, receiving public blowback on social media for flight delays, egregious treatment of passengers or even food-borne illnesses,” Dashlane CEO Emmanuel Schalit said in a statement. “In many cases, the result is a close examination of business practices and positive shift. The travel industry should treat their cybersecurity failings in much the same fashion, and make the necessary changes.”

Dashlane checked to see if websites required passwords to be eight characters or more; if they prevented passwords from being created with either all numbers or all letters; if they offered a password-strength assessment tool; if they sent a user-activation email after an account was created; and if they required two-factor authentication, such as a password complemented by a specific USB stick.

Best Western Hotels & Resorts and Hyatt Hotels Corporation each received a 3/5; Sheraton received a 2/5; and Choice Hotels International and InterContinental Hotels Group each received a 1/5 score.

When compared to the results of Dashlane’s 2017 rankings of leading consumer websites, and the more recent 2018 rankings of cryptocurrency exchanges, travel sites performed especially poorly. In the consumer rankings, which examined sites such as Apple, Facebook and PayPal, only 36 percent received a failing score. That is in stark contrast to the 89 percent of sites that failed Dashlane’s 2018 travel examination.


The cruise industry was the travel website category with the worst average score (1.67/5), closely followed by booking websites (2/5). On the other end of the spectrum, rental car websites as a group scored the best on average (2.86/5), but across all categories the scores were poor.

“The modern traveler has to reckon with the many digital hazards associated with a journey—from booking flights, to reserving hotel rooms, to renting a car or looking online for recommendations—which creates many chances for personal data to become compromised,” Schalit said. “Our intention in ranking travel sites is not to scare people away from one of life’s greatest pleasures, but to make the modern traveler more aware. The days of worrying about just pickpockets are over; digital thieves are the real threat.”

After the survey was released, TripAdvisor defended its performance.

“TripAdvisor’s password policies are consistent with other similar businesses in our industry and we deploy appropriate security measures to protect our customers. In the instances that we detect fraudulent activity, TripAdvisor’s 24/7 security team and systems take immediate action to safeguard travelers using our site and mobile apps,” according to the company. “The study that named TripAdvisor was sponsored by a company that sells password-management services and only focuses on a small aspect of the comprehensive security programs that most companies like ours have in place.

“We take safeguarding our customers’ information seriously. The security landscape is ever-changing, and we are continuously evolving and adopting industry best practices to ensure we are keeping our customers’ personal information safe.”

Best Security Practices

There are a few easy actions that Dashlane suggests for consumers to improve their online security:

  • Use a unique password for every online account.
  • Generate passwords that exceed the minimum of 8 characters.
  • Create passwords with a mix of case-sensitive letters, numbers and special symbols.
  • Avoid using passwords that contain common phrases, slang, places or names.
  • Use a password manager to help generate, store and manage your passwords.
  • Under no circumstances should you use an unsecured Wi-Fi connection (e.g. public Wi-Fi) while traveling.