Research reveals major vulnerabilities affecting all top 10 travel and hospitality websites, with four companies responsible for 91% of critical flaws

Cequence, a pioneer in API security and bot management, today released new data ahead of Labor Day that found cybercriminals are capitalizing on the travel and hospitality industry's peak season, using increased traffic as cover for their attacks.

The Cequence CQ Prime Threat Research Team investigated the top 10 travel and hospitality sites with Cequence API Spyder, a SaaS-based discovery tool that provides an attacker’s view into an organization’s public-facing resources to identify externally visible edge, cloud infrastructure, application stack, API hosts, and security vulnerabilities.

Cequence’s threat researchers observed a consistent pattern across industries: increased website traffic during peak seasons, like the travel and hospitality industry's vacation and holiday periods, coincides with a surge in cyberattacks. Domain name system (DNS) and distributed denial-of-service (DDoS) attack data provided by Vercara (now part of Digitcert) supports this finding, as both increased queries and attacks correlate with periods of heightened online activity.

Key findings include:

• Critical Vulnerabilities Remain Wide Open: All 10 top travel and hospitality companies had serious, public-facing vulnerabilities. Four companies had 91% of the serious vulnerabilities, most of which would allow a man-in-the-middle (MITM) attack, allowing attackers to intercept and manipulate communications between users and the companies.
• Unintentionally Public Servers Lurk in the Shadows: 8 of the 10 companies had public-facing non-production or internal application servers that are typically unmonitored and unmanaged and could provide attackers with a way in. One company had over 300 such servers.
• Cloud Sprawl Creates Perfect Storm for Attacks: Cloud sprawl is often driven by acquisitions, siloed departments, or a lack of a defined cloud strategy. This can lead to a proliferation of public-facing cloud instances, increasing the attack surface. The top travel and hospitality sites utilized between 5 and 21 different hosting providers, highlighting the complexity of managing cloud environments.
• Holiday Rush, Attacker's Paradise: October begins the winter travel holiday season, and that’s also when the most DNS queries and DDoS attacks were last year. November 2023 showed the highest number of DDoS attacks against the travel industry for the entire year, almost double the second-highest month.

“Travelers are at risk during peak vacation times, with cybercriminals seizing the opportunity to strike,” said William Glazier, Director of Threat Research at Cequence. “Our research highlights severe threats, including financial loss, identity theft, and disrupted travel for consumers, and reputational damage and legal issues for businesses. Frequent attacks can undermine consumer trust in digital platforms. To mitigate these risks, organizations need to prioritize API security, while travelers should stay vigilant and practice robust cybersecurity.”

As companies work to address these vulnerabilities, they must also prepare for the upcoming Payment Card industry Data Security Standard (PCI DSS) Version 4.0, which will become mandatory starting March 31, 2025. Non-compliance with PCI DSS could result in significant fines, penalties and disruptions to card transactions, along with increased risk of data breaches that could damage a business’s reputation and erode customer trust.

Organizations need to prioritize strengthening their API security, adopt proactive measures to mitigate these risks and deploy protection against both manual and automated AI attacks. Travelers should also remain vigilant and employ strong cybersecurity practices to protect their personal and financial information.

Additional Resources:

• Download the infographic to learn more about how threat actors are trying to turn dream trips into nightmares.
• Learn more about our Unified API Protection platform.
• Follow us on LinkedIn and X.

About Cequence Security

Cequence, a pioneer in API security and bot management, is the only solution that delivers Unified API Protection (UAP), uniting discovery, compliance, and protection across all internal, external, and third-party APIs to defend organizations against attacks, business logic abuse, and fraud. The flexible deployment model supports SaaS, on-premises, and hybrid installations, and APIs can be onboarded in less than 15 minutes without requiring any app instrumentation, SDK, or JavaScript integration. Cequence solutions scale to handle the most demanding government, Fortune and Global 500 organizations, securing more than 8 billion daily API interactions and protecting more than 3 billion user accounts. To learn more, visit www.cequence.ai.

View source version on businesswire.com: https://www.businesswire.com/news/home/20240827836948/en/