Notifications
Clear all
Topic starter
12/06/2026 9:57 pm
TL;DR: Airlines are seeing web scraping drive booking slowdowns, lost sales, and customer frustration, while the source report says 51% of travel and hospitality companies are concerned about scraping and that 100% of airline attacks in its dataset were bot-driven, according to Arkose Labs. The governance lesson is that defending digital access now requires treating automated traffic as an operational risk, not just a site-performance problem.
NHIMG editorial — based on content published by Arkose Labs: airline scraping attacks and bot-driven abuse in travel commerce
By the numbers:
- 51% of companies in the travel and hospitality industry are concerned to a moderate or large extent about web scraping attacks.
- 100% of attacks on airlines are perpetrated by bots.
Questions worth separating out
Q: How should airlines stop web scraping without hurting real customers?
A: Airlines should use layered bot detection that combines behaviour, device, session, and network signals, then apply progressive challenge only when confidence is low.
Q: Why does web scraping create more than data loss for travel companies?
A: Because scraping also consumes application capacity.
Q: What signals show that scraping controls are too weak?
A: Watch for rising latency, lower look-to-book ratios, more abandoned booking sessions, and repeated requests that do not follow normal customer behaviour.
Practitioner guidance
- Map high-value request paths Identify the search, fare, inventory, and booking endpoints that create the highest commercial exposure, then classify them by acceptable traffic patterns and user impact if abused.
- Use layered bot detection Correlate browser, network, session, and behavioural signals so that rotating IPs and residential proxies do not become the only basis for trust decisions.
- Separate customer friction from bot friction Apply selective challenge and progressive response only when risk rises, so legitimate travellers keep booking while automation faces increasing cost.
What's in the full article
Arkose Labs' full article covers the operational detail this post intentionally leaves for the source:
- The specific detection layers used to distinguish scraping traffic from legitimate customer browsing
- The example performance and conversion metrics that teams can use to measure scraper impact
- The article's description of how adaptive response routes suspicious sessions into stronger controls
- The practical framing for protecting airline booking flows without degrading user experience
👉 Read Arkose Labs' analysis of airline web scraping and bot abuse →
Web scraping in airlines: what IAM and security teams need to know?
Explore further
13/06/2026 12:24 am
Bot abuse is now a digital access governance problem, not only an anti-fraud problem. The article shows scraping affecting revenue, availability, and customer experience in the same workflow, which means the control plane spans more than fraud detection alone. When automated collection consumes the same booking paths that legitimate users need, the governance question becomes who and what is allowed to consume digital service capacity. Practitioners should treat bot traffic as an identity and access policy issue at the application edge.
A few things that frame the scale:
- 51% of companies in the travel and hospitality industry are concerned to a moderate or large extent about web scraping attacks, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, which means weak operational discipline often accompanies automated abuse paths.
A question worth separating out:
Q: Who is accountable when bot traffic disrupts airline booking systems?
A: Accountability should sit jointly across security, digital commerce, and platform operations, because the failure affects access, performance, and revenue at the same time. The right governance model assigns owners for detection, response, and business impact measurement. That is the only way to prevent bot controls from becoming either invisible or business-breaking.
👉 Read our full editorial: Airline scraping attacks expose the limits of bot defence
