A new investigation by Which? has found hundreds of data security vulnerabilities across the websites of 98 travel companies, with Marriott, British Airways and EasyJet among the five companies with the most issues found. Many of the travel companies found to have vulnerabilities have already reported serious data breaches in the past.
The study found that major airlines and hotel chains have failed to secure their online platforms even after previous data breaches and cyberattacks exposed millions of customers’ information and drew fines from privacy regulators.
This new study is a good reminder to the travel industry that application security should be at the forefront of their security plans. Even with the downturn in travel during the COVID-19 pandemic, security shouldn’t be forgotten, and will be more important than ever as travelers start returning in the next year.
As the Which? article says:
It seems that the travel industry has not learned its lesson, with many breached companies cutting corners when it comes to cybersecurity and the safety of customer data.
“Travel companies must up their game and better protect their customers from cyber threats, otherwise the ICO must be prepared to step in with punitive action, including heavy fines that are actually enforced,” Rory Boland, editor of Which? Travel said.
The Which? article highlights the fact that many organizations continue to run vulnerable code in production, which makes the case for protecting that code while it is running. The newly released NIST SP 800-53 revision 5 framework also highlights this need: it adds a control enhancement, SI-7(17), for Runtime Application Self-Protection (RASP), sometimes also referred to as Runtime Application Security.
K2 Cyber Security can help by providing deterministic runtime application security that detects zero-day attacks as well as well-known attacks. K2 issues alerts graded by severity, and each alert is actionable: it gives complete visibility into the attack and the vulnerability the attack is targeting, including the location of the vulnerability within the application, down to the file name and line of code where the vulnerability exists.
Rather than rely on technologies like signatures, heuristics, fuzzy logic, machine learning or AI, K2 uses a deterministic approach to detect true zero-day attacks, without being limited to detecting attacks based on prior attack knowledge. Deterministic security uses application execution validation: it verifies that API calls are functioning the way the code intended. No prior knowledge of an attack or of the underlying vulnerability is used, which is what gives the approach the ability to detect new zero-day attacks. Our technology has eight patents granted or pending, and produces minimal false alerts.
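To make the idea of "execution validation" concrete, here is an added toy illustration in Python. It is not K2's code and does not describe K2's implementation; it shows one deterministic check of the kind a runtime protection can make: the application code at a given call site intends one query shape, so the hook compares the structure of the SQL actually being executed with that intended structure and blocks the call on any mismatch, reporting the file and line of the call site. No attack signature is involved, so a stacked statement, a tautology and a UNION are all caught by the same comparison. The intended query shape is declared by hand in INTENDED (an assumption; a real product would derive it from the application), the SQL tokenizer is a deliberate simplification, and the user table is constructed sample data.

```python
"""Toy deterministic runtime check for SQL calls (illustration only, not K2's code).

Idea: the code at a call site intends one query *shape*. At run time the hook
reduces the query being executed to its shape and compares it with the intended
one. A structural difference means attacker-controlled data changed the query's
logic, whatever the payload, so no attack signatures are needed."""
import re
import sqlite3
import sys
from dataclasses import dataclass

# Simplified SQL tokenizer (assumption): quoted strings, numbers, words, punctuation.
TOKEN = re.compile(r"'(?:[^']|'')*'|\d+(?:\.\d+)?|\w+|[^\s\w]")


def skeleton(sql: str) -> str:
    """Reduce a query to its structure: literals become '?', everything else is kept."""
    out = []
    for tok in TOKEN.findall(sql):
        if tok.startswith("'") or tok[0].isdigit():
            out.append("?")          # data, not structure
        else:
            out.append(tok.lower())  # keywords, identifiers, operators
    return " ".join(out)


@dataclass
class Alert:
    severity: str
    file: str       # source file of the call site
    line: int       # line of the execute() call that was reached with a changed query
    expected: str
    observed: str


ALERTS: list[Alert] = []

# Intended shape of the query issued by lookup_user() below. Hand-declared here
# (assumption); a real product would derive it from the application itself.
INTENDED = {"lookup_user": "SELECT id FROM users WHERE name = '?'"}


def guarded_execute(cur: sqlite3.Cursor, sql: str, intent_key: str) -> sqlite3.Cursor:
    """Wrapper around Cursor.execute that validates the query shape before running it."""
    expected = skeleton(INTENDED[intent_key])
    observed = skeleton(sql)
    if observed != expected:
        caller = sys._getframe(1)  # the application frame that called us
        ALERTS.append(Alert("high", caller.f_code.co_filename, caller.f_lineno,
                            expected, observed))
        raise PermissionError(
            f"query structure changed at {caller.f_code.co_filename}:{caller.f_lineno}")
    return cur.execute(sql)


def setup_db() -> sqlite3.Connection:
    """Constructed sample data, in memory so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def lookup_user(conn: sqlite3.Connection, name: str) -> list[int]:
    """Deliberately vulnerable: builds the query by string concatenation."""
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    cur = guarded_execute(conn.cursor(), sql, "lookup_user")
    return [row[0] for row in cur.fetchall()]


def demo() -> tuple[list[int], int]:
    """Return (ids from a benign lookup, number of blocked attack attempts)."""
    conn = setup_db()
    ALERTS.clear()
    benign = lookup_user(conn, "alice")
    for payload in ("x' OR '1'='1",
                    "x'; DROP TABLE users; --",
                    "x' UNION SELECT id FROM users --"):
        try:
            lookup_user(conn, payload)
        except PermissionError:
            pass  # blocked; details are in ALERTS
    return benign, len(ALERTS)


if __name__ == "__main__":
    ids, blocked = demo()
    print("benign lookup returned:", ids, "| blocked attempts:", blocked)
    for a in ALERTS:
        print(f"[{a.severity}] {a.file}:{a.line} expected {a.expected!r}, got {a.observed!r}")
```

Note what the check does not do: it never inspects the payload for known keywords or patterns, so a previously unseen injection string is blocked as surely as a textbook one, and a legitimate value that merely contains unusual characters but leaves the query structure intact is allowed through.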
Get more out of your application security testing and change how you protect your applications, and check out K2’s application workload security solution.