Family claims scam exposes loophole in holiday site

A family that was targeted by scammers fear their experience has exposed a security loophole in an online travel agent's booking platform.

Marion Tyler, from County Antrim, unwittingly called a scam number when attempting to phone loveholidays about a booking and then shared details that allowed fraudsters to access her account.

Later, when trying to resolve the issue, Ms Tyler's daughter-in-law found she could access her mother's account even after log in details had been changed.

She said she believed scammers "must be getting in again and again" because of an issue with the firm's authentication process, but loveholidays has backed its system.

Marion Tyler had booked a holiday through loveholidays.com for herself, her daughter and two grandchildren to Lanzarote in August.

When she wanted to pay off some of her balance, she phoned a number, from an online search, that she believed to be the firm but was actually a scam company.

The scammers tricked Ms Tyler into thinking she was speaking to loveholidays and she shared personal details that allowed them to access her account.

"I genuinely believed it was loveholidays, because she knew all the details of our holiday," said Ms Tyler.

"She knew right down to the flight times, she knew everything."

After moving Ms Tyler to a WhatsApp conversation, scammers tricked her into transferring £2,000, saying it would save her money on her holiday.

But when Ms Tyler rang the real loveholidays the next day to confirm her remaining balance, she was told the firm had not received any payment from her.

"I actually felt sick. I was in a state of panic," she said.

"I was absolutely gutted and devastated. It really did affect me and I didn't sleep. I was annoyed at myself for being stupid enough to do it and for falling for it.

"It's soul destroying, how easily they were able to access it and get that very definite information about the holiday."

Ms Tyler alerted loveholidays to the scam and was advised to change the email address on her booking and add a password.

But, while she was on the call with loveholidays, changes were made to her booking - scammers were changing the destination of her holiday and the passenger times.

Ms Tyler's family feared even after updating their security details, scammers could still access her booking.

Her daughter-in-law, Marie Tyler, took over and contacted loveholidays.

During that call, she opened her internet browser and logged on to the firm's website - having previously used the computer to access her mother-in-law's account, she expected to have to log-in again as the account details had been changed.

To her surprise, however, the site brought her straight into Ms Tyler's booking.

"I was in shock," Marie Tyler said.

"I was getting ready to get the verification link sent over to me. I thought: 'I'm in!'"

She said she told loveholidays' customers service team that the scammers "must be getting in again and again because you're not reauthenticating people".

The family has reported the scam to Action Fraud and contacted the Information Commissioner's Officer over their data protection concerns.

They are also working with their bank to recover the money.

Loveholidays told Consumer Fight Back they were "sorry to hear about Marion's experience after calling a number that was not associated with loveholidays and, unfortunately, falling victim to a scam".

"The fraudster managed to maintain access to her booking through their cache. We have been in touch with the family and have secured the booking by transferring it to a new account with a new reference number," the company said.

"We are confident that the industry standard two-factor authentication process ensures our platform and our customers' data is secure, with the issue, in this case, stemming from the customer handing this access over to the scammer."

The firm said it had "initiated further steps" should future customers find themselves in a similar position, including improving internal processes "to ensure access to the account is immediately revoked when we are alerted that a customer's account is compromised".

Ms Tyler still hopes to go on the holiday later this year with her daughter and grandchildren.

"I'm actually really still annoyed about it.

"It's not pleasant, it's not nice and it's a lot of money, but it's not the worst thing that can happen in your life.

"We have to put it in perspective. What else can you do?"

You can listen to the full story on Consumer Fight Back with Holly Hamilton on BBC Sounds.