Espionage, kidnappings, ransom demands – it sounds like the makings of a classic Bond movie, but with the recent spate of cyber attacks making the headlines, fact is fast gaining ground on fiction.
Earlier this year, there was a high profile data breach involving ‘married dating service’ Ashley Madison. Hackers – or ‘hacktivists’ in this case, known as Impact Team – divulged the company’s username database and passwords. Previously, Sony had sensitive details of its staff leaked in a major attack, courtesy of a group called the Guardians of Peace, and internet provider TalkTalk suffered a “significant” hacking attack last month.
In the travel sector, Thomson Holidays suffered a data breach in August that reportedly resulted in the loss of more than 450 customers’ personal details including addresses, telephone numbers and flight dates. Hilton Worldwide, meanwhile, is said to be looking into reports that credit card information might have been released following cyber attacks at its properties across the US.
A ‘frighteningly easy’ crime
So should the UK travel industry be worried? Yes, according to Richard Bristow, sales director of travel systems firm Tamite. “The Ashley Madison news story illustrates the sort of problem that can occur to any business,” he says. “The theft of client data is frighteningly easy and many companies seem to ignore the problem, hoping it will happen to someone else.” He adds that a recent Computer Weekly study revealed the UK is now the top target for cyber criminals, even beating the US.
Travel is a particular target due to its large volumes of data – involving financial and personal information that is “meat and drink to hackers”, Bristow adds. Most hacks begin with a phishing attack, where emails are sent to employees to entice them to click on malicious attachments, or visit websites where malware can be downloaded to their machines.
Hackers can also enter systems through vulnerabilities in an organisation’s website, to access back-end databases containing administrator passwords. Meanwhile, a Distributed Denial of Service (DDoS) attack originates from hundreds or thousands of sources, flooding the victim’s systems. And so the compromise begins.
“TMCs are naturally big targets for fraud, theft and data attacks because of the very nature of high net worth clients and customer employees,” Bristow says. “They are often seen as potential back doors into their clients’ systems. Both internal and external networks and websites are vulnerable to attack.”
He adds that while no public announcements have been made from TMCs of any such attacks, “we are aware of many data breaches this year”.
Held to ransom
Yet Darren Hodder, director at Fraud Consulting, argues that criminals are increasingly realising the value of data, with bolder tactics emerging. “Attackers can access data, then encrypt it – with the company then held to ransom, to pay a certain amount of bitcoin to get it back,” he says. “That’s morphed now, with hackers stating: ‘We’ll do a DDoS unless you pay us.’”
Meanwhile, Bristow cites one example of a chief executive’s travel itinerary being hacked in Russia, followed by their kidnapping, taking cyber attacks to a whole new level.
But he adds: “All companies are attacked and mostly they are not even aware of it. DDoS attacks are now believed to be, in many cases, a diversion to cover other criminal activities, such as placing spyware or botnet apps secretly on the target’s websites or networks that can access data in the background without the company being aware.”
Hodder agrees. “There is some level of corporate espionage,” he says. “For example, at Sony, some staff were directly targeted. An increasing number of different types of organisations are being hacked, and it’s no longer just payment data they’re after.”
However, one TMC, HRG, believes headline-grabbing incidents may cause people to think less, not more, about data security.
“It perpetuates the impression given by almost all the headline-making security breaches, such as those that affected Sony and Target [a US retailer that saw 40 million credit cards compromised in 2013], that the big risk lies in electronic ‘safes’ containing thousands or millions of records being cracked, and that data security is ‘somebody else’s problem’,” says Dave Arnott, HRG’s compliance and service optimisation director, group technology and data services.
“Just as great a threat exists at a personal level, whether through bank statements being thrown in the bin or passwords being disclosed to someone who purports to be from ‘technical support’,” he says.
Indeed, Fraud Consulting’s Hodder notes that illegal tools exist on the internet that allow hackers to launch attacks on websites, automatically entering username and password combinations simply based on a person’s email. “Criminals will do anything to get data; they’ll test all the social media platforms,” he says. “For data security officers, it’s a challenge.”
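The automated username-and-password attempts Hodder describes (leaked email/password pairs replayed against a login form, often called credential stuffing) leave a recognisable trace in a website’s own login logs: one source address failing against many different accounts in a short time, unlike a legitimate user who mistypes the password of one account. The Python script below is an added example, not code from the article or from any company quoted in it; the log format, the thresholds and the sample log lines are all constructed assumptions.

```python
"""Spot a credential-stuffing burst in web login logs (added example; assumed log format).

Credential stuffing replays leaked email/password pairs against a login form.
Its signature in the log is one source address failing against MANY DIFFERENT
accounts in a short window, unlike a legitimate user who mistypes the password
of ONE account a few times.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system).
# Assumed format: ISO-8601 timestamp, source IP, username, outcome.
_STUFFING_IP = "203.0.113.7"
_TRIED_ACCOUNTS = [f"user{i}@example.test" for i in range(12)]
SAMPLE_LINES = [
    f"2015-11-02T09:00:{i:02d}Z {_STUFFING_IP} {user} FAIL"
    for i, user in enumerate(_TRIED_ACCOUNTS)
]  # 12 distinct accounts failed in 12 seconds from one address
SAMPLE_LINES.append(f"2015-11-02T09:00:13Z {_STUFFING_IP} user3@example.test SUCCESS")  # one reused password worked
SAMPLE_LINES += [
    f"2015-11-02T09:1{i}:00Z 198.51.100.9 dave@example.test FAIL" for i in range(6)
]  # a forgetful legitimate user: six failures, but all against his own account
SAMPLE_LINES.append("2015-11-02T09:20:00Z 198.51.100.9 dave@example.test SUCCESS")
SAMPLE_LINES.append("2015-11-02T09:05:00Z 192.0.2.44 erin@example.test SUCCESS")
SAMPLE_LOG = "\n".join(SAMPLE_LINES)


def parse_line(line):
    """Split one log line into (timestamp, ip, username, outcome)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome


def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_failures=10, min_distinct_users=8):
    """Return {ip: (failures, distinct_accounts)} for every source address that,
    within some sliding window, failed at least min_failures times against at
    least min_distinct_users different accounts. Thresholds are assumptions to
    tune per site; the distinct-account condition is what separates stuffing
    from one person forgetting one password."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = parse_line(line)
        if outcome == "FAIL":
            failures[ip].append((ts, user))

    flagged = {}
    for ip, events in failures.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span is at most `window` long.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            distinct = len({user for _, user in span})
            if len(span) >= min_failures and distinct >= min_distinct_users:
                if best is None or len(span) > best[0]:
                    best = (len(span), distinct)
        if best is not None:
            flagged[ip] = best
    return flagged


def accounts_to_reset(log_text, flagged):
    """Accounts that logged in SUCCESSFULLY from a flagged source: the leaked
    password evidently worked, so these are the ones to force-reset and notify."""
    hits = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, outcome = parse_line(line)
        if ip in flagged and outcome == "SUCCESS":
            hits.add(user)
    return sorted(hits)


if __name__ == "__main__":
    flagged = find_stuffing_sources(SAMPLE_LOG)
    for ip, (n_fail, n_users) in flagged.items():
        print(f"{ip}: {n_fail} failures against {n_users} accounts")
    print("reset:", accounts_to_reset(SAMPLE_LOG, flagged))
```

On the constructed sample the stuffing address is flagged with 12 failures across 12 accounts, while the forgetful user at 198.51.100.9 is not, because all six of his failures hit a single account. The one account that the attacker did get into is what `accounts_to_reset` surfaces: stuffing attacks usually succeed on only a small fraction of attempts, so the successes from a flagged source, not the failures, are the records that need action.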
A risk also emerges where travellers post trip data to public areas of social media sites – “which can give everyone, from hackers to housebreakers, a windfall,” Arnott adds.
Regular scrutiny
For TMCs, it is the very nature of the business they are in – international travel – that could perhaps lead to most cause for concern. Travellers’ personal data is transmitted to, and stored by, a variety of organisations ranging from GDSs and agents to airlines, hotels and border control agencies.
“We have several major client contracts that depend on us being able to demonstrate high levels of security, and we are regularly scrutinised as a part of ongoing agreements, so this is a subject close to our hearts,” says Arnott.
Trust, and brand image, therefore play a key role in securing, and retaining, clients. As Arnott says: “Data security and data risk management are critical to our business and to our sustained commercial success.”
For one travel buyer, trust is crucial. Peter Macey, facilities and central purchasing officer at the Medical and Dental Defence Union of Scotland (MDDUS), says his organisation has not thought about increasing data security following the Ashley Madison hacking news.
“We do trust our suppliers to keep our information, however basic, secure and this is part of my negotiation when dealing with suppliers,” says Macey. Moreover, he argues the information provided to the TMCs will often be minimal, with the basic travel profile comprising title and name for the UK.
“All of our hotels and hotel agents provide a full bill-back service, so all invoices come back to me for processing and, as such, there is never a requirement for personal cards to be used.”
Another buyer, who prefers to remain anonymous but represents a large multinational company, says the high-profile attacks have not led to questioning security credentials: “It’s had no effect – we believe our systems are secure. Credit cards are protected against fraud. Personal address and work phone numbers are in the profiles but this is not considered a massive risk.”
Simon McLean, Click Travel’s executive chairman, agrees. “Ultimately, any organisation that acts as a data controller in the eyes of the Data Protection Act should be taking data security seriously without the need for high-profile breaches to remind them of their duty to do so,” he says.
Click has an ISO 27001 certified information security management system, which is regularly audited, both internally and externally. “This is tough to achieve and tough to maintain, so it certainly keeps us on our toes,” McLean notes, adding that while many TMCs outsource technology, Click does not. “By keeping it all under our control we provide clients with total confidence that their data is secure, and we thoroughly understand every process that deals with their data,” he says.
The trust ethos may extend to the GDSs too, with their very existence built upon the secure movement of data. An Amadeus spokesperson told Buying Business Travel: “We implement, maintain and monitor multiple lines of defence to protect information at all times but recognise that in the face of criminal attacks, it is a battle that requires constant vigilance.
“We take that threat very seriously and place the security of our systems and the integrity of data as one of our highest priorities, investing heavily in these areas.”
For now, tour operators and hotel chains have proved the easier targets in travel. Within business travel, vigilance, keeping pace with criminals’ methods and continually reviewing policies are key to keep hackers out of the headlines.
New EU Laws on the cards?
The European Commission (EC) is looking to reform the 1995 data protection rules to strengthen online privacy rights. A reform was proposed in January 2012, but it has yet to be finalised.
“Expect delays,” warns Fraud Consulting’s Darren Hodder. “It’s a most contentious piece of legislation.”
However, once approved, he adds there will be a stronger requirement to report a data loss or a data incident. “At the moment, data protection is treated individually. The concept is common, but the treatment varies.
“But the EC is trying to find commonality. In the UK, there’s a fairly liberal attitude to data protection. For example, many companies share data, but that will be tightened.” The EC says: “A single law will also do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3 billion a year.”
Safer Steps
When it comes to advice, HRG’s Dave Arnott, compliance and service optimisation director, group technology and data services, offers these tips.
1. Don’t volunteer information about yourself, your employer or your trips without good reason.
2. If you are unexpectedly asked for such information, think before you respond.
3. Treat such a request as suspicious until you can establish otherwise.
4. Report anything that you think could constitute a security incident or a security risk – don’t assume that someone else will do it so you don’t need to.