How Secure Are the Leading Travel Aggregator Websites?

AAA predicts that a record number of Americans will be taking to the skies and roads this holiday season—103 million between Dec. 23-Jan. 2, a 1.5% increase over 2015. 57% of these travel reservations—that's 148 million travellers—booked online. Airfare/hotel/car rental comparison websites are an increasingly popular way to book travel these days, but how good are they at protecting their users' data? Let's take a look at the top 8 online travel aggregators' CSTAR ratings to find out.

Also known as travel metasearch websites, online travel aggregators use multiple search engines and third party query tools to generate their own search results. For example, Orbitz searches across a myriad of airlines and third-party websites to find matching flights and car/hotels rates. Aggregators source their data using a variety of methods: API access to the airline booking system, manual data upload, web scraping, and more. Some aggregators book reservations on users' behalf and are responsible for credit card processing and underlying data security.  

Free DevOps and Security eBooks

The travel industry has been fraught with security incidents as of late—from major reservation systems to global hotel and casino chains, travel-based enterprises have been actively targeted by cyber attackers. Some websites in this roundup have already fallen victim; for example, Expedia suffered a data breach last year that left names, phone numbers, emails, and other customer booking information exposed.

Travel Aggregator Website Roundup

Many of the following companies have been around since the dawn of the consumer Internet—for example, Priceline.com was founded in 1997 and remains a leading online travel aggregator. Competing websites Hotwire and Orbitz are also longstanding favorites for finding/booking travel deals online.

1. Orbitz - 669 out of 950

CSTAR - Orbitz

Initially a collaborative effort of several major airlines, Orbitz is now a subsidiary of online travel congomerate Expedia. The company's executives led a discussion last year urging the government to adopt post-data breach notification standards for companies to follow; how does its own website perimeter security hold up? Its average 669 CSTAR score is the result of several shortcomings: server information leakage and lack of DMARC, among others. Additionally, its low CEO approval rating makes the company more prone to insider threats.

2. Hotwire - 670 out of 950  

Screen Shot 2016-12-22 at 1.32.15 PM.png

Like Orbitz, Hotwire was initially a joint initiative of 6 major airlines: American, Northwest (Delta), Continental (United), America West (American), and United. Late last year, the company was among 16 worldwide companies that failed to properly encrypt customer credit card following the CardCrypt vulnerability, potentially putting hundreds of thousands of customers at risk. The company scores an average rating when it comes to resilience: server information leakage, lack of secure cookies, and disabled DMARC make its website prone to security compromises.

3. KAYAK - 668 out of 950 

Screen Shot 2016-12-22 at 1.35.32 PM.png

KAYAK was founded in 2004 by Orbitz co-founders—the company has since been acquired by Priceline.com's parent company The Priceline Group. Back in 2012, the company experienced a security incident in which customers' personal information was exposed. To make matters worse, the flaw was first discovered by a curious customer.

The company's website an average CSTAR rating of 668. Several security gaps make its resilience posture less-than-ideal: lack of secure cookies, server information leakage, and disabled DNSSEC, and more. Additionally, at the time of this writing, its SSL certificate expires in less than 30 days.

4. Priceline.com - 721 out of 950

Screen Shot 2016-12-22 at 1.37.50 PM.png

You may remember William Shatner's run as the "Negotiator" in Priceline.com's long-running commercial series. Priceline has been quietly gobbling up competitors in recent years, including online hotel reservation websites Booking.com/Agoda.com and fellow CSTAR roundup member KAYAK. In terms of cyber resilience, its CSTAR score of 721 is good, but not optimal: lack of DMARC/DNSSEC and missing HTTP transport security are a few of its shortcomings. Additionally, a 59% CEO approval rating means that the firm is more likely to suffer from insider attacks.

5. Travelocity - 680 out of 950

Screen Shot 2016-12-22 at 1.39.08 PM.png

Another Expedia-owned web property, Travelocity was founded in 1996 by Sabre Corporation. The company has experienced its own share of security incidents over the years, including a data breach that exposed the personal data of 51,000 customers on a company server. Its average CSTAR score of 680 is a result of multiple website perimeter security flaws: server information leakage, lack of HttpOnly/secure cookies, missing DMARC/DNSSEC, and more.

6. Skyscanner - 732 out of 950

Screen Shot 2016-12-22 at 1.40.58 PM.png

UK-based Skyscanner was founded in 2001 as a search engine for finding European budget airline flights; the service has since expanded to cover global travel with international carriers. The company's CSTAR score of 732 is good, but nonetheless falls short due to several flaws: lack of HttpOnly Cookies/secure cookies and missing DMARC/DNSSEC, among others. 

7. Cheapoair - 586 out of 950

Screen Shot 2016-12-22 at 1.42.23 PM.png

Appropriately-named Cheapoair is a popular, no-frills website for finding cheap flights online. The company was founded in 2005 as a subsidiary of leading travel technology company Fareportal. Its average CSTAR score of 586 is a result of numerous flaws detected in its website's perimeter security: lack of HttpOnly/secure cookies, missing DMARC/DNSSEC, to name a few.

8. Expedia - 731 out of 950

Screen Shot 2016-12-22 at 1.34.04 PM.png

Expedia may need no introduction, but on top of being the most recognizable name in this roundup, the company also takes the cake for experiencing the most security incidents in the past few years. The company fell victim to multiple data breaches in 2015 alone; in January 2016, it suffered an insider attack resulting in the theft of confidential corporate information. Its CSTAR score of 731 is the best in this roundup, but security shortcomings like server information leakage, lack of secure cookies, and missing DNSSEC weaken its resilience posture.  

Conclusion

In general, these 8 leading travel aggregators maintain a competent basic level of security, with none of their CSTAR scores falling into the "warning" range. That said, similar security issues plague all of their websites, and two companies—Orbitz and Priceline.com—suffer from dismal CEO approval ratings, a common red flag for potential insider threats. Want to find out how resilient your preferred online travel aggregator is? Try out UpGuard's CSTAR risk grader web application and chrome extension for instantly validating its website's security posture.

Get a Guided UpGuard Demo

More Articles

How CSTAR Works

All the information needed to perform a CSTAR assessment is bundled into the UpGuard platform. Learn more about CSTAR.
Read Article >

What's In the Website Risk Grader?

The UpGuard Website Risk Grader provides a low friction way to get an initial assessment of a business' risk profile.
Read Article >

Understanding Risk in the 21st Century

And as we enter 2016, the risk of data breaches in particular threatens to hamper business innovation.
Read Article >

Topics: security, CSTAR, cyber risk