BA, MGM, EasyJet, Marriott. Big names. Big breaches. But what makes travel companies such a big target for bad actors?
Travel & Tourism, which falls within Hospitality, is a major sector – it is the 4th largest employer in the UK and directly contributes over £73bn to the UK economy (pre-pandemic figures).
Travel companies collect and store vast quantities of verified personal data, including full legal names, passport numbers and credit card information. And with data constantly moving between agents and their third parties, it’s at greater risk than it would be when stored in a central system surrounded by robust cyber security controls.
For travel companies, the greatest threat actor is organised crime, which seeks to obtain data for financial gain. Cyber criminals sell holiday packages on the Dark Web at 30% of their retail value using stolen credit cards, reward points and air miles. At the same time, bulk passport data sells for as little as $14 per document.
Data breaches are always bad news. But for smaller travel companies, it’s not just the cost of the breach or resulting regulatory fines; it’s the reputational damage that can prove fatal – 60% of SMEs that have suffered a breach close within 6-12 months.
In this article, we explore the importance of data privacy for travel companies and highlight some areas of focus for reducing data privacy risk.
How much do you value your reputation?
According to the Ponemon Institute, personal data breaches are one of the worst offenders for damaging brand reputation. And it doesn’t matter how loyal you think your customers are because 87% of consumers say they will walk away and take their business elsewhere following a breach of their data.
With evidence this damning, you would expect most travel companies to be set on maintaining a strong cyber security posture. And yet a study by Which? discovered that the technologies used by the Travel & Tourism industry remain rife with ‘critical’ and ‘high’ security vulnerabilities, despite several high-profile breaches.
Why are many travel companies falling short on data privacy?
It’s easy to condemn a travel & tourism company for lax cyber security and privacy controls, but it’s worth considering the context they operate within:
- PII data is difficult to control when you need to share it with many suppliers (e.g. hotels, airlines and tour companies).
- Travel & Tourism companies are often dependent on the use and security of third party booking systems.
- Most travel & tourism companies are SMEs without a dedicated cyber security team or Chief Information Security Officer (CISO).
- Cyber security is a complex and multi-disciplinary area that requires ongoing attention.
Despite the inherent challenges listed above, it is hard to excuse the fact that only half of travel & tourism executives say they understand cyber security.
Lack of education or understanding is not a valid excuse for explaining to regulators, customers and shareholders why a cyber security breach occurred.
Reducing data privacy risk for travel companies
Every travel & tourism company is unique and faces its own cyber security risks that require a distinct set of controls to minimise the likelihood and impact of a personal data breach.
However, as a starting point, it is worth considering the following principles to reduce the risk of a data privacy breach:
- Prioritise the protection of CRM / Booking Systems: Such systems will typically contain millions of PII records and should therefore be top of the list for risk assessment and implementation of mitigating security controls.
- Minimise the Data you Collect and Share: Although it might seem convenient to collect and share the same customer data with all suppliers, it is unlikely necessary. For example, does a safari operator need to be sent full scans of customer passports before the trip?
- Only Keep Data for as long as needed: Carefully consider how long you need to keep PII data to operate your business and meet regulatory requirements. A clear retention policy should be created and processes implemented to purge data that is no longer needed.
- Focus on Access Control: With most PII data now stored in cloud solutions (e.g. Salesforce), identity & access management has become the new network perimeter. Start by enabling 2FA for all accounts and simplify administration by using single sign-on (SSO) where available.
- Monitor and control the use of shadow IT: Travel companies typically have extensive sales and marketing teams in place which, with good intent, are inclined to upload data into a range of non-approved online tools. For example, data analytics platforms.
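To make the "minimise what you share" and "only keep data as long as needed" principles concrete, here is an added example (not code from the original article or from CyPro): a booking record is reduced to a per-supplier allow-list of fields before it is sent out, and a retention purge drops bookings once an assumed 90-day window after the trip has elapsed. The booking record, the supplier profiles and the field names are constructed for illustration.

```python
# Added example: per-supplier data minimisation and retention purge for a
# travel booking record. Supplier profiles, field names and the 90-day
# retention window are assumptions, not values from the article.
from datetime import date, timedelta

# Constructed booking record holding the kind of PII a travel CRM stores.
BOOKING = {
    "booking_ref": "TRV-0001",
    "full_name": "Jane Example",
    "passport_number": "X1234567",
    "passport_scan": "<binary scan omitted>",
    "card_number": "4111111111111111",
    "email": "jane@example.invalid",
    "travel_dates": ("2024-06-01", "2024-06-14"),
    "trip_end": "2024-06-14",
}

# Allow-list of fields each supplier type actually needs (assumed profiles).
# Nothing outside the allow-list ever leaves the booking system, so the card
# number and passport scan are never shared with any supplier.
SUPPLIER_FIELDS = {
    "hotel": {"booking_ref", "full_name", "travel_dates"},
    "airline": {"booking_ref", "full_name", "passport_number", "travel_dates"},
    "tour_operator": {"booking_ref", "full_name", "travel_dates"},
}


def minimise_for_supplier(booking, supplier_type):
    """Return only the allow-listed fields; an unknown supplier gets nothing."""
    allowed = SUPPLIER_FIELDS.get(supplier_type, set())
    return {k: v for k, v in booking.items() if k in allowed}


RETENTION_DAYS = 90  # assumed retention window after the trip ends


def purge_expired(bookings, today_iso, retention_days=RETENTION_DAYS):
    """Keep only bookings whose retention window after trip_end has not elapsed."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=retention_days)
    return [b for b in bookings if date.fromisoformat(b["trip_end"]) >= cutoff]


if __name__ == "__main__":
    print("hotel receives:", minimise_for_supplier(BOOKING, "hotel"))
    print("airline receives:", minimise_for_supplier(BOOKING, "airline"))
    print("kept on 2024-09-30:", purge_expired([BOOKING], "2024-09-30"))
```

The deny-by-default allow-list is the important property: adding a new supplier type without a profile shares nothing, rather than everything.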
Hiring the right people to reduce data privacy risk
When it comes to hiring security and privacy expertise, it is often more cost-effective to bring in an external team on a part-time basis than recruiting permanent staff members.
CyPro currently provides data privacy managed services to several SMEs, including a leading tailor-made travel company.
For less than the price of a single full-time Head of Security, CyPro provides the following capabilities:
- Chief Information Security Officer
- Cyber Security Manager
- Cyber Security Analyst
To learn more about how CyPro could help your business reduce data privacy risk, please get in touch with us here.