
Cybersecurity analysis reveals critical vulnerabilities across 20 major travel & tourism websites

2025-07-28
Research by BDI Team

Be careful booking holidays – most popular travel & tourism websites are plagued with security issues.

Think twice before entering your credit card details when booking your next holiday: only 2 out of the 20 most popular travel and tourism websites have strong enough cybersecurity to earn an “A” grade, a new analysis finds.

Despite processing millions of travel bookings and handling vast troves of personal and payment data, most large travel websites are riddled with security issues, such as leaked credentials, weak password practices, and misconfigured encryption.

In fact, researchers discovered that half of the analyzed companies have employees reusing passwords already leaked in earlier data breaches. It was also found that previously leaked credentials of 18 out of 20 analyzed websites are still circulating on dark web marketplaces.

To understand how safe these sites really are, the Business Digital Index (BDI) evaluated and ranked 20 of the most visited travel and tourism websites by their cybersecurity posture. Each company’s score reflects performance across seven security categories: software patching, web app security, email protection, system reputation, hosting infrastructure, SSL/TLS configuration, and data breach history. (More details on the methodology are available at the end of the report.)

Travel Website Security Rankings

Only two companies received A grades

Out of the 20 travel and tourism websites analyzed, just two—Trip.com and Flightradar24—achieved an A grade.

#1 Trip.com (us.trip.com)

Grade: A

Score: 98

Trip.com stands out with near-perfect results in every measured dimension and only 4 SSL errors.

#2 Flightradar24

Grade: A

Score: 96

Flightradar24 has up-to-date patching, very few SSL issues (47), and minimal presence of employee credentials in public leak databases (only 6 leaked employee credentials found).

Four companies got F grades for their digital security

Out of the 20 travel and tourism websites analyzed, these four—Wetter.com, Hilton, Marriott, and Skyscanner—received the lowest cybersecurity scores.

#17 Wetter.com

Grade: F

Score: 69

Although patching is strong, older credential thefts continue to surface, and several domains are open to email spoofing. CDN coverage is just 2%.

Moreover, 15% of Wetter.com employees reuse breached passwords. The site faces 270 SSL configuration issues, and 2 domains are vulnerable to email spoofing (with one potentially spoofable domain).

#18 Hilton

Grade: F

Score: 66

Serious credential exposure (35,000+) from historic leaks is now available for purchase, along with over 600 SSL issues. Cloud reach is only 8% and CDN reach only 9%.

20% of Hilton employees reuse breached passwords. Moreover, the company has 2 critical and 6 high-risk vulnerabilities detected.

#19 Marriott International

Grade: F

Score: 66

More than 24,000 credentials from earlier breaches are circulating in new underground dumps, and there are over 500 SSL issues. Cloud adoption is at 37%.

14% of Marriott employees reuse breached passwords and there are 16 critical and 30 high-risk vulnerabilities detected.

#20 Skyscanner

Grade: F

Score: 55

Lowest-ranking: 989 previously leaked credentials are still accessible; more than 20 domains are vulnerable to email spoofing.

4 critical vulnerabilities and 20 high-risk vulnerabilities detected. Only 14% of its systems are CDN-protected, resulting in the lowest score among major travel and tourism websites.

Key risks explained

| Issue | What it means | Why it matters |
| --- | --- | --- |
| SSL errors | Problems with a website’s encryption settings (e.g., expired certificates, weak encryption, or misconfiguration). | Attackers may intercept sensitive data like passwords or credit cards. |
| Leaked credentials | Employee or user emails and passwords that have appeared in past data breaches and are now exposed on the internet or dark web. | Allows criminals to take over accounts, commit fraud, or launch further attacks. |
| Password reuse | Employees using the same breached password on multiple sites. | Increases risk of “credential stuffing,” where attackers use one leaked password to access several services. |
| CDN coverage | Use of global, distributed servers (Content Delivery Network) to deliver web content. | Improves website speed and security, and adds protection against DDoS (denial-of-service) attacks. |
| Email spoofing | Company’s domain is not protected against impersonation (lacks proper anti-spoofing records like SPF/DKIM/DMARC). | Enables phishing: attackers can send emails that appear to come from the company. |
| Critical and high-risk vulnerabilities | Serious flaws in a company’s servers or web systems. | May allow attackers to steal data, install malware, or take control of the site. |
| Cloud adoption | Portion of company’s systems hosted in cloud environments. | Cloud providers often offer better, more consistent security controls and faster updates. |

About the Business Digital Index

The Business Digital Index (BDI) is a cybersecurity tool that scans and grades organizations’ external digital security using publicly available information. Each scanned website receives a numeric score (0–100) and a letter grade, reflecting its digital security across seven areas: software patching, web app security, email protection, system reputation, hosting infrastructure, SSL/TLS configuration, and data breach history. The BDI relies on passive scanning techniques, IoT search engines, domain reputation, and breach databases to provide an independent, standardized ranking. In-depth methodology is available here.
