Google has been busy notifying some of its US-based employees that their personal data may have been breached.
The breach was not internal; it happened while Google's TMC, Carlson Wagonlit, was making its regular hotel bookings on behalf of Google's employees through SynXis. SynXis is a SaaS (software as a service) hotel booking platform owned by Sabre, through which hotels can distribute their inventory via GDS, OBTs and SBTs.
Data was hacked between August of last year and this March.
Like the new Travelport tool announced this week, SynXis's design is very retail-influenced and thus reflects the modern hotel business model, i.e. to encourage direct bookings and ancillary sales. Moreover, using a standard platform to do this enables the data to be easily collected.
A tool that combines user-friendliness with the ability to collect and consolidate data sounds like a travel manager's dream. But that retail element which makes SynXis so appealing to one part of Sabre's customer base, namely the suppliers, also carries potential drawbacks for its other customers, namely the TMCs and corporates.
The hospitality industry seems especially vulnerable to cybersecurity attacks. Earlier this year IHG announced that during the last quarter of 2016 credit card details of some guests at 1,200 of its US properties had been appropriated. Some expert onlookers say that hackers' ability to gain remote access to the point of sale devices popular in properties' bars and restaurants is at the root of hotels' vulnerability.
In truth any exchange of data carries the potential for hacking. There are two questions to consider:
1. How much hacking is there of travellers' data?
This breach only came to light because one enterprising reporter spotted it cited in Sabre's filings to the SEC (Securities and Exchange Commission) in May. In addition, California law requires notification of any breach involving 500 or more employees. The Google employees may merely be aware of something that colleagues in smaller companies or other jurisdictions are not.
The truth of the matter is that there have probably been more than the IHG and Google incidents and this number is likely to grow.
2. How can any corporate respond to such a threat?
There are two ways of looking at this: what to do before and what to do after.
Every corporate should expect all its suppliers and intermediaries to be able to demonstrate what precautions they take when gathering, storing, transferring and processing data as well as what measures they take for their own internal cyber-security and data protection.
Google is offering its travellers two years of identity protection and credit monitoring services and is asking its employees to be vigilant and check their credit card statements.
Every corporate should check the data protection measures its suppliers take with its employees' data. It should also have a response strategy in place should such a breach ever occur.
Such breaches may well be an annoying regular occurrence as systems become more open and user-friendly.