It’s closer than you think. Yes, it may only be the end of September, but as summer gives way to fall, millions of people across the U.S. are beginning to make their travel plans for the holiday season.

Whether that means visiting family or friends or simply trying to get away from it all, holiday travel is stressful and hectic.

But with so much to think about, the last thing on most people’s minds as they prepare for a trip – no matter when or where they’re heading – is how likely they are to be a victim of a data breach.

Yet think about how many aspects of modern travel leave us exposed to cyberthreats. Whether we realize it or not, from the moment we go online to book a trip until we return safely home, we touch a lot of things that carry potential security perils. The primary culprits, of course, are criminal hackers. But what has enabled them is a travel industry that has been slow to fully embrace application security. The result has been a rash of data breaches that have affected millions of travelers.

Travel Booking Sites

In March 2018, travel booking site Orbitz disclosed a security breach that occurred in late 2017 exposing data for thousands of customers, including information on 880,000 payment cards. 

A few years earlier, in September 2014, another travel website was hit by hackers. Viator, a travel website owned by TripAdvisor, was forced to notify approximately 1.4 million of its customers that their personal information had been exposed.


This past April, Cleveland Hopkins International Airport, the largest and busiest airport in Ohio, was hit with a ransomware attack that impacted airport systems, disabling email and knocking out some displays.


More than nine million passengers had their data stolen due to a cyberattack on Cathay Pacific in March 2018. According to the airline, a wide range of data was leaked, including passenger names, card numbers, and dates of birth, as well as details about where each passenger had travelled.

A month later, Delta Airlines disclosed that a massive data breach involving chat software on its website allowed unauthorized access to credit card and other information. According to Delta, malware allowed access to names, addresses and credit card information entered to pay on

In September 2018, British Airways revealed that hackers had stolen personal and financial details from some 380,000 passengers in a sophisticated data breach, which recently resulted in a £183 million GDPR fine.

Ridesharing Apps

Last fall, popular rideshare app Uber was forced to pay a total of $148 million equally to all 50 U.S. states after it was found to have intentionally concealed a massive breach in 2016 that resulted in stolen data from 57 million accounts. The payout was the largest ever multi-state breach settlement to date.

In a prior incident in May 2015, the personal information of as many as 50,000 Uber drivers was leaked. This June, Uber claimed that Lyft, its main competitor, was responsible for the breach.


Marriott announced in November 2018 that anyone who made a reservation at one of its Starwood properties since 2014 -- approximately 500 million guests – might have had their information at risk.

What Can Be Done

Without a doubt, the travel industry has been a top target for hackers for years and has suffered more than most industries when it comes to cybercrime. On the one hand, the reason seems obvious. Travel companies routinely handle personal information for millions of customers around the world, so hackers are naturally drawn to all that data.

But travel companies have also made themselves vulnerable. While they have been quick to take advantage of technology to enhance user experience and improve internal processes, they have been slow to embrace the level of security needed to protect those systems. Mobile apps are a great example. There’s no question they have made life easier for millions of travelers. However, they also introduced new cyber risks that travel companies were ill-prepared to handle.

In fact, according to the yearly “State of Application Security” research conducted by WhiteHat Security, more than one-third of all applications in the transportation industry are always vulnerable.

If the situation is going to improve, then every travel company that touches sensitive customer data needs to take a more proactive approach to application security. All software assets – mobile, web-based or APIs – need to be thoroughly tested throughout their development lifecycle. Development and security teams need to collaborate and be well-aligned in order to understand risks and how to mitigate them. 

While the primary responsibility for cybersecurity lies with travel companies, there are also things travelers can do to protect themselves and their personal information. Using a variety of passwords is always a good idea, as is taking advantage of two-factor authentication for any app or website that supports it. And if you think you have been exposed due to a data breach, immediately change your password on the affected site or app and make sure you are not using the same password on other sites and apps.

It’s unlikely that our travel activity will ever be completely immune to cyberthreats. But if travel companies take the needed steps to improve application security and travelers remain aware of threats and use common sense to protect their information, then we can all rest a little easier and enjoy the holidays, or that dream vacation, a little more.