The collection of personal data is commonplace in the tourism and leisure sector. While players in the field such as hotels, casinos and resorts strive to secure their information systems, no one is immune to data theft. But how to react to these cyber threats ?
Data theft in the tourism sector? Child’s play !
It is estimated that 70% of hotels expose our personal data, a significant figure revealed by a study conducted by Symantec among 1500 hotels in 54 countries in North America and Europe. 5 travel search engines were also impacted. The entire tourism sector seems to be affected by this major cybersecurity problem, regardless of location or status.
The main reason for this is the confirmation emails that you receive after each booking. In general, they contain an active link that allows you to access your reservation directly on the hotel or transport company’s website. To make life easier for the customer, their reservation code and email are often integrated into the URL. However, many hotels share this information with third parties. If the third party is not well-intentioned, it’s easy to steal the guest’s address, name, passport number and phone number. And it gets worse, as some establishments don’t even bother to encrypt the links included in the confirmation emails. A boon for hackers!
What are the risks for tourism professionals ?
While the attack suffered by Mariott remains the most prominent in the sector for now, all parts of the tourism industry are now affected. As a reminder, on November 30, 2018, Mariott announced that it had been the victim of a hack. For 4 years, the hotel group had the data of 500 million customers stolen. This is a big blow to the reputation of the famous hotel group. The same goes for Cathay Pacific, which had the data of 9.4 million passengers stolen. In total, 860,000 passport numbers, 245,000 Hong Kong ID card numbers, 403 expired credit card numbers and 27 credit cards without cryptograms were compromised.
Tourist transport is also increasingly affected, whether it be passenger aircraft or yachts. This is why the US federal department has asked the manufacturers of electronic systems used in light tourist aircraft to review the security of their equipment. One of the issues is the vulnerability of an on-board system called CAN, for Controller Area Network. This process is used to manage the transmission of data from the aircraft’s avionics (equipment, sensors, instruments, etc.). Despite its relative importance, this system is not secure at all. However, in order to hack the CAN, one must gain physical access to the aircraft.
Ski resorts are not immune to cyber threats. Several cable car operators have been victims of ransomware. These attacks are very profitable for the hackers, as the operators cannot afford to have their systems shut down for long periods of time.
Finally, malicious bot intrusions on sites should be closely monitored. They primarily seek to access customer accounts in loyalty programs, but can also be the result of competitors deploying software to place options on seats and thus block inventory and hurt sales. A spike in simultaneous login requests combined with unsuccessful attempts is a key indicator of an attempted attack. On average, there are 3 to 4 such attacks per month on airline websites.
All these attacks are of course totally anti-productive for companies and greatly damage their image. This is why it is important to protect yourself by anticipating the threats.
What solutions are there to protect yourself effectively?
Being a victim of an attack is not a fatality. On the contrary, it can be an opportunity to transform a crisis situation into a real competitive advantage. On the condition that you react quickly and are accompanied by cybersecurity experts. Today, no professional in the tourism industry can afford to avoid this issue.
Given the diversity of websites, motives and types of attacks, it is difficult to make general recommendations. Nevertheless, here are some best practices:
- Monitor traffic variations for any anomalies. If there is an unexplained increase in traffic, the causes of the spike should be investigated.
- Investigate unsuccessful login attempts.
- Be accompanied by a team of cybersecurity experts to draw up a map of IS vulnerabilities. This will determine the action plan to follow.
- Equip yourself with real-time threat detection tools such as the probes developed by Gatewatcher. These are capable of analyzing continuous streams of files on a daily basis.
- Develop machine learning within the company to anticipate the evolution of hacking methods.
- Raise awareness, train and educate teams, partners and customers on the different types of cyber attacks.
Finally, if you are a customer and you book a hotel, a flight or an activity, you can also take some precautions at your level. When making a reservation, be sure to check the link in the confirmation email before clicking on it. If the URL has a security hole that could compromise your data, it will look like this: https://booking.the hotel.tld/retrieve.php?prn=1234567&mail=john_smith@myMail.tld .
As you can see, the password “1234567” and the email “john_smith@myMail.tld” are visible. So avoid clicking on the link if it looks like this example. In parallel, you can also use a VPN if you make changes to your reservation while connected to a public WiFi network.
To go further