Are Your Holiday Bookings Safe? Trip.com, Skyscanner, Marriott, and Other Popular Travel Websites Struggling with Serious Cybersecurity Vulnerabilities How Will These Risks Impact Your Personal Data and Online Security?

Published on August 5, 2025

Cybersecurity Risks in Travel Websites: A Growing Threat for Global Travelers

A recent analysis conducted on the top 20 travel and tourism websites has raised serious concerns about the cybersecurity practices within the industry. The study revealed that only two websites out of the twenty analyzed received an “A” grade for their security measures, pointing to a troubling state of cybersecurity in the travel sector. The research highlighted that 18 out of 20 of the most popular travel websites had employee credentials circulating on the dark web, a major red flag for travelers’ personal and financial data security.

Leaked Credentials from Past Incidents: Persistent Threats

The study’s findings indicated that these leaked credentials were not the result of new data breaches but rather remnants of older security incidents that are still accessible on the dark web. This raises a critical question: Have employees updated their passwords since these breaches, or are they continuing to use the same exposed credentials? The research found that, in many cases, employees did not change their passwords, leaving accounts open to further compromise.

Furthermore, the study revealed an alarming trend: in half of the companies analyzed, employee credentials that had been exposed in one breach were later found to be compromised again in subsequent incidents. This suggests that a significant portion of employees continue to reuse their passwords, creating serious security risks for both the companies and their customers.

Methodology: A Comprehensive Cybersecurity Evaluation

To assess the security measures of these travel websites, the study utilized several key criteria, including software patching, web application security, email protection, system reputation, hosting infrastructure, and SSL/TLS configuration. After examining these factors, the researchers assigned a grade to each website based on its overall cybersecurity performance.

The results were mixed, with only two websites standing out as leaders in cybersecurity. Trip.com received a near-perfect 98/100, owing to its strong security protocols and minimal SSL errors. Flightradar24 came in second with an impressive 96/100, excelling in patch management and overall security measures, despite having six exposed employee credentials from previous breaches.

Poor Security Practices in Major Travel Companies

Unfortunately, the study uncovered poor cybersecurity performance from several high-profile travel companies. Four of the companies analyzed received failing grades, underscoring the critical gaps in their cybersecurity measures:

• Skyscanner received the lowest score of 55/100, with 989 leaked credentials still available on the dark web and 24 critical vulnerabilities identified.
• Marriott International and Hilton each scored 66/100, with tens of thousands of employee credentials from previous breaches still circulating in underground markets.
• Wetter.com, a popular German weather website, earned an “F” grade with 15% of its employees continuing to reuse passwords that were exposed during previous security incidents.

Breakdown of Cybersecurity Grades and Scores

The following is a breakdown of the cybersecurity scores and grades of the 20 most visited travel and tourism websites:

Growing Global Risks for Travelers

The findings from this analysis underscore a growing global concern regarding the cybersecurity of travel websites. As more travel platforms transition to online booking systems, the risk of data breaches and the compromise of personal and financial information increases. The continued circulation of leaked credentials on the dark web shows that even the most well-known travel websites remain vulnerable to future breaches.

The fact that these credentials have not been adequately addressed, especially with the persistent issue of password reuse, heightens the risk for global travelers. This poses a serious threat, as tourists may unknowingly expose their sensitive data while booking their travel through websites with insufficient security measures. As more travelers become aware of the cybersecurity vulnerabilities, they may start to gravitate towards platforms that offer stronger protection, pushing companies to take better security precautions.

The Urgent Need for Enhanced Cybersecurity in the Travel Industry

The findings from this study should serve as a wake-up call for both travel companies and their customers. While Trip.com and Flightradar24 set a strong example in terms of cybersecurity practices, the majority of companies continue to fall short in implementing adequate security measures. Websites that do not prioritize data protection expose not only their customers’ sensitive information but also risk suffering from reputational damage and financial losses.

For travelers, the increasing awareness of cybersecurity vulnerabilities means they should exercise more caution when booking online. Ensuring that the websites they use are secure is now more crucial than ever. Companies, on the other hand, need to recognize that safeguarding customer data is paramount and that they must invest heavily in stronger security systems to avoid further breaches. The travel sector must evolve to meet the rising demand for data privacy and cybersecurity in order to remain competitive in an increasingly digital world.

A Stronger Commitment to Cybersecurity is Essential

The current state of cybersecurity in travel websites is concerning and demands urgent attention. As the industry becomes more reliant on online platforms for booking and other services, the risks to personal data continue to escalate. Travel companies need to take a proactive approach by improving their cybersecurity measures, changing exposed passwords, and safeguarding their customers’ information. As travelers grow more aware of these issues, they will increasingly seek out platforms that offer robust data protection.

For the travel industry, the findings highlight the need for immediate action to improve cybersecurity standards. Websites must prioritize stronger protection to prevent future breaches, rebuild consumer trust, and ensure a safer and more secure experience for all users. Without this commitment, companies will continue to face the risks of financial loss, reputational harm, and customer distrust, while travelers remain exposed to potential threats.