With the popularity of mobile Internet，traveling is more and more dependent on online services. However，the security of users’ data is becoming more and more serious when online travel services bring convenience. This article lists several recent data leakage events about online travel enterprises and analyzes the internal and external causes of data leakage. The internal reasons include the company’s weak security awareness，the existence of “mole” and the lack of data security protection system；and the external reasons include hacking，regulations need to be improved，technological progress and weak public data security awareness. This paper also lists several sensitive personal data types that are easy to be leaked out，and puts some suggestions on data security protection for tourism authorities，online travel enterprises and tourists. Tourism authorities should establish the data security standard regulations and raise public data security awareness through promoting；Online travel enterprises should completely construct safety protection system，timely update technology，and positively strengthen staff training and supervision；Finally，tourists should pay attention to the protection of personal sensitive information and actively report organizations that illegally collect sensitive information.