This weekend is World Tourism Day, a celebration of the global travel industry and the cultural, economic, and social connections it fosters. However, as the tourism industry continues to grow and evolve, it faces an increasing array of cybersecurity threats. From data breaches targeting personal traveler information, like the 6 million customer records stolen in a Qantas breach this summer, to sophisticated ransomware attacks on major airports, like the recent attack on Collins Aerospace that shut down airports across the EU, the industry must address these challenges to ensure the safety and security of travelers worldwide, so you can explore the world safely.

The Importance of Cybersecurity in the Tourism Industry

The tourism industry has undergone rapid digital transformation in recent years, reshaping how travelers plan, book, and experience their journeys. Travel apps had a market size of over $1 trillion in 2024, and is projected to increase even more this year. Online booking systems have become the backbone of travel agencies, airlines, and hotel chains, allowing customers to make reservations with just a few clicks. Mobile applications provide travelers with seamless access to itineraries, boarding passes, and real-time updates, while digital payment platforms enable quick and secure transactions across borders. Increasingly, agentic AI capabilities are also being embedded into these platforms, automating trip planning, dynamically rebooking flights, and tailoring recommendations based on user behavior. While these innovations make the travel experience more personalized and efficient, they also introduce new risks, as autonomous AI-driven systems can be manipulated, exploited, or misused by attackers. This integration of advanced technologies has created a complex digital ecosystem that is increasingly vulnerable to cyber threats.

At the same time, the tourism sector has become a high-value target for cybercriminals. Travel companies handle an immense volume of sensitive data, including personal identification details, credit card information, and travel itineraries—even data the customer doesn’t know they collect, like SMS messages or location data. Airlines, for instance, process millions of passenger records that contain passport numbers and frequent flyer accounts, while hotels store payment card data alongside guest preferences and loyalty program information. This concentration of valuable personal and financial data makes the industry particularly appealing to attackers seeking to commit fraud, identity theft, or large-scale data breaches. Without robust cybersecurity measures, the tourism industry faces not only reputational damage but also significant financial losses and regulatory consequences when breaches occur.

Key Threats

Data Breaches:

The tourism industry has witnessed several high-profile data breaches in recent years, underscoring the risks of handling large volumes of sensitive customer information. Travel agencies, airlines, and hotel chains routinely process data such as passport numbers, credit card details, and complete travel itineraries. When attackers successfully breach these systems, the fallout can be devastating. WestJet revealed that passport information was among the data leaked in a June cyberattack, leading to heavy insurance implications. In one of the biggest examples, a 2018 data breach on Marriott systems exposed over 5 million unencrypted passport numbers, likely stolen by Chinese threat actors. Exposed data not only puts travelers at risk of identity theft and financial fraud but also damages the trust customers place in travel brands. For businesses, the consequences include regulatory fines, lawsuits, and long-lasting reputational harm that can impact bookings and revenue.

So far, data leakage attacks have accounted for nearly 10% of all attacks on travel sites, targeting a wide range of businesses across the industry. Car rental agencies, booking and travel platforms, hotels, and airlines have all been affected at relatively similar rates, pointing to how indiscriminate these attacks can be. Unlike more specialized attack types that exploit unique business logic or user flows, data leakage stems from attackers probing for misconfigurations, exposed files, or unprotected databases, weaknesses that can exist in any digital environment. No single segment of the travel sector is exempt; any organization storing sensitive customer data such as payment details, passports, or itineraries is a potential victim.

Fig. 1: Breakdown of data leakage attacks by industry type

Ransomware Attacks:

Ransomware poses a growing and particularly disruptive threat to the tourism industry. In July, the FBI warned that one of the most prolific ransomware groups, Scattered Spider—who famously ransomed MGM Resorts in September 2023 and led to over $100 million in losses—had turned to targeting airlines, and predicted delays for travelers flying during the peak summer travel season. The aviation sector alone saw a 600% YoY increase in cyberattacks, targeting not only airlines but also avionics and aviation supply chains. An April attack targeting Malaysia’s Kuala Lampur airport locked up flight information displays, check-in counters, and more, demanding a $10 million ransom and suspending operations for over 10 hours. Several large hotel chains have already been targeted in 2025, and if numbers are anything like 2024, over 82% of hotels can expect to see some form of cyberattack this year.

Fig. 2: Mentions of travel sites on ransomware forums in the past year

Attackers who infiltrate systems in the travel industry—whether it’s booking systems, airline check-in services, or hotel management software—can effectively paralyze operations by encrypting critical data and demanding ransom payments for its release. For companies that depend on continuous system availability to serve customers, downtime can result in severe revenue loss and chaos for travelers. In many cases, organizations feel pressured to pay the ransom just to restore operations quickly, which only emboldens attackers to continue targeting the industry. The rising frequency of such incidents highlights the urgent need for robust backup strategies, segmentation, and incident response planning.

Business Logic Attacks:

Beyond traditional breaches and ransomware, business logic attacks present a particularly insidious threat to travel websites. These attacks exploit flaws in how applications are designed to handle processes like booking, cancellations, loyalty rewards, and payment flows. For example, attackers may automate bulk reservations without payment to block seat availability, manipulate coupon or loyalty systems to steal points, or scrape information and prices. Because these attacks mimic legitimate user behavior, they are notoriously difficult to detect with standard security tools. For travel companies, the consequences can include lost revenue from fake bookings, strained customer trust when systems appear unreliable, and increased operational costs in addressing fraudulent activity. As travel sites scale to handle global demand, attackers are increasingly probing these business processes for weaknesses, making proactive defenses such as bot management and anomaly detection critical.

Business logic attacks are the most frequent threat to travel sites, at almost 70% of all attacks we’ve seen this year. Business logic attacks disproportionately affect airlines, at over 50% of all attacks. Imperva’s Bad Bot Report last year also showed that 44% of all traffic to travel sites comes from bad bots, which can automate the process of scraping prices, taking over loyalty accounts, holding seats on airlines, and more.

Fig. 3: Breakdown of business logic attacks by industry type

AI and Emerging Threats:

The rise of artificial intelligence is reshaping the cybersecurity landscape in tourism, primarily as a tool for attackers. Cybercriminals are using AI to craft highly convincing phishing messages, automate large-scale social engineering campaigns, and probe systems for vulnerabilities more efficiently than ever before. At the same time, travelers themselves are increasingly relying on AI tools to help them find the best deals on flights, book accommodations, or even generate customized itineraries, with 51% of Americans alone in 2024 using AI tools to help with travel. This growing dependence on AI-driven platforms introduces new attack vectors, such as prompt injection, where attackers manipulate an AI’s instructions to generate malicious outputs like fake booking confirmations or phishing links, or data manipulation, where poisoned training data skews recommendations and directs travelers to fraudulent sites or unsafe vendors. Both techniques give adversaries new ways to steal personal data, spread misinformation, and erode trust in digital travel services. As AI becomes more integrated into the travel experience, both companies and consumers face heightened risks of exploitation. In one example, Air Canada lost a court case when their AI chatbot provided a customer with information contradictory to their actual policy. The court ruled that Air Canada “did not take reasonable care to ensure its chatbot was accurate”, despite the company investing heavily into AI tools.

In 2025, travel sites have faced an average of more than 420,000 attacks per day originating from AI-driven tools—including ChatGPT, Claude, Gemini, and AI crawlers like ByteSpider—and that number is only increasing. While it remains unclear whether these are fully autonomous actions by large language models or the result of attackers exploiting them through jailbreaking techniques, the trend is undeniable: AI is rapidly becoming a defining force in the future of travel security, powering both the ways people increasingly plan travel and the attacks that target these platforms.

Fig. 4: AI-driven attacks per month, 2025 to date

Impact of Cyberattacks

Cyberattacks can inflict significant economic damage on tourism businesses, where revenue depends on always-available systems and smooth customer experiences. Disruptions to booking platforms, airline check-in services, or hotel management software quickly translate into lost sales, while ransomware attacks can pressure companies into costly payments just to restore operations. Even after systems are brought back online, the financial burden continues with breach remediation and customer support costs, often reaching into the millions. These losses can be especially damaging for mid-sized operators that lack the financial resilience of global airlines or hotel chains.

Beyond direct financial harm, cybersecurity incidents strike at the heart of customer trust, a cornerstone of the tourism industry. Travelers must feel confident when sharing sensitive details such as passports, credit card numbers, and itineraries, but a single breach can erode that trust and lead to a sharp decline in bookings. The reputational fallout is often compounded by legal and regulatory consequences, as companies face penalties under frameworks like the GDPR, which can levy fines worth a percentage of global annual revenue. In some cases, businesses also face lawsuits from affected customers, further amplifying financial and reputational risks. Together, these economic, reputational, and regulatory consequences highlight why cybersecurity is not just a technical concern but a critical business priority for the tourism industry.

Conclusion

As the world celebrates World Tourism Day, it’s important to remember that the same technologies making travel faster, easier, and more personalized are also expanding the attack surface for cybercriminals. From business logic abuse and data leakage to ransomware and AI-driven attacks, the threats facing the tourism industry are no longer just theoretical, they are daily realities with direct consequences for both businesses and travelers.

Protecting travel globally requires more than just reactive defenses. Travel companies must invest in layered security measures, build resilience through backup and response planning, and implement proactive defenses such as bot management and anomaly detection. Just as importantly, collaboration across airlines, hotels, platforms, regulators, and security providers will be critical to closing the gaps that attackers exploit.

Cybersecurity in tourism is ultimately about trust: ensuring that when travelers book a flight, check into a hotel, or rent a car, they can do so with confidence that their data and their journey are protected. This World Tourism Day, let’s commit to not only celebrating the connections travel creates but also securing the digital pathways that make those connections possible.

The post Securing the Journey: Cybersecurity Challenges in the Tourism Industry appeared first on Blog.

*** This is a Security Bloggers Network syndicated blog from Blog authored by Gabi Sharadin. Read the original post at: https://www.imperva.com/blog/securing-the-journey-cybersecurity-challenges-in-the-tourism-industry/