Thwarting data breaches in the travel and hospitality industry

This past August, hackers scammed restaurant customers of The Ritz of London into sharing payment card information. (Sheila1988/CC BY-SA 4.0)

Very few people would have predicted the unfortunate events that have consumed 2020 and the impact they will have on generations ahead. Many businesses are still tackling the disastrous effects of the global COVID-19 pandemic, with whole industries struggling to survive. The travel and hospitality sectors have suffered especially badly, and to compound matters, cybercriminals are well aware.

With valuable personally identifiable information (PII) collected and stored within these organizations, it’s understandable why they are prime targets. However, during this volatile time, when airlines, travel agencies, and hotels are at their most vulnerable, suffering a cyberattack on IT systems could have incredibly damaging long-term repercussions.

A surge of cyberattacks has followed the outbreak of this pandemic, with hackers wanting to exploit the fear and concern raised around the virus. We see this with the recent wave of phishing attacks, which hackers use to lure personal travel records away from vulnerable consumers. Because it’s a highly effective and successful attack method, phishing will lead to further data theft and compromise for citizens and enterprises alike.

As a result of these conditions, high-profile data breaches have hit the hospitality and travel sectors since the beginning of the year, most notably hotels and airlines. This past August, hackers scammed restaurant customers of The Ritz of London into sharing payment card information, while more than 10 million MGM hotel guests had their PII uploaded to an online hacking forum. The Marriott, which suffered a data breach in 2018, disclosed yet another incident in March after hackers gained access through hotel employees. Airlines have also had their difficulties of late, with EasyJet alerting 9 million customers that their credit card information was stolen.

With international brands suffering frequent data leaks and with so many critical datasets exposed, these attacks cost these companies reputational damage and loss of trust. This leaves angry customers seeking answers as to why their data was not protected, and it also triggers high legal costs. People wonder why companies don’t protect valuable information and why it’s so easy for insiders or attackers to exploit sensitive data in environments with few security controls in place. Additionally, because of the extent of these breaches, concerns are raised over the potential availability of multiple copies of exploited datasets or shared data in cloud platforms, as well as redundant data from past events. The answer: These datasets are essentially redundant, obsolete, and left unmanaged, which makes for a dangerous combination.

Businesses operating within the hospitality and travel sectors often have a hard time just knowing what personal and sensitive data they are housing and where all that data resides. Many businesses have either already adopted or are beginning to shift toward digital transformation, with more organizations wanting to take advantage of the agility offered by cloud services.

However, many of them still use production data to test in less-protected cloud instances where vulnerabilities are more common during development processes. As a result, data often finds its way into many corners of the enterprise, from production extracts for analysis, to extracts for test, and even to extracts for innovation and insight. This reality represents a huge risk from insiders, and even greater risk of compromise from mistakes, attacks, or purposeful exploitation.

While businesses have begun to take note and assume greater responsibility, we still see undesirable lapses in data security. Just look at the high number of breaches or misconfigured cloud systems that make the headlines. It’s truly disturbing. From the relatively simple cloud infrastructures like S3 storage buckets, to the more complex container application orchestration systems, security breaches are a constant theme.

Let’s face it: hackers don’t care where companies store the data. They have only one objective: steal the data for monetary gain. Therefore, securing and protecting personal data wherever it resides, including the cloud, will greatly reduce the success rate of threat actors exploiting the data. Thankfully, modern security has evolved to tackle the new wave of threats, while simultaneously enabling compliance with regulations such as GDPR in Europe and CCPA in California.

For example, the industry has moved to data-centric protection such as tokenization, especially in databases, data lakes, cloud storage, and cloud SaaS applications. To fully enhance the security experience, organizations should couple tokenization with intelligent data discovery. This encourages automated data protection built directly into business processes, application development pipelines, and DevOps processes for both production and non-production scenarios.
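The coupling of discovery and tokenization described above can be sketched for one data type, payment card numbers in a production extract headed for a test system. This is an added example, not code from the author or any vendor; `TokenVault`, `find_pans`, `protect` and the sample rows are hypothetical, and the in-memory vault stands in for a hardened tokenization service.

```python
import re
import secrets

# Candidate card numbers: 13-19 digits, optionally split by spaces or dashes.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits):
    """Luhn checksum: separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pans(text):
    """Discovery step: return every Luhn-valid card number found in free text."""
    hits = (re.sub(r"\D", "", m.group()) for m in PAN_RE.finditer(text))
    return [d for d in hits if luhn_ok(d)]

class TokenVault:
    """In-memory stand-in (hypothetical) for a hardened tokenization service."""
    def __init__(self):
        self._by_pan, self._by_token = {}, {}

    def tokenize(self, pan):
        if pan not in self._by_pan:
            while True:
                body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
                token = body + pan[-4:]  # keep the last four digits for support lookups
                # Tokens must fail Luhn so a later scan never reports them as cards.
                if not luhn_ok(token) and token not in self._by_token:
                    break
            self._by_pan[pan], self._by_token[token] = token, pan
        return self._by_pan[pan]

    def detokenize(self, token):
        return self._by_token[token]

def protect(text, vault):
    """Replace each discovered card number with its token; leave other digits alone."""
    def swap(m):
        digits = re.sub(r"\D", "", m.group())
        return vault.tokenize(digits) if luhn_ok(digits) else m.group()
    return PAN_RE.sub(swap, text)

# Constructed sample rows standing in for a production extract bound for a test system.
SAMPLE_EXTRACT = [
    "guest=A. Example; card 4111 1111 1111 1111, booking ref 1234567890123",
    "guest=A. Example; card 4111-1111-1111-1111, room 204",
]
```

Running `protect` over each row before it leaves production means the test copy holds only tokens, and rerunning `find_pans` on the output is a cheap pipeline gate that should return nothing.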

With travel and hospitality organizations collecting and housing sensitive PII in the form of credit card details, passport information, and personal addresses, putting the necessary security in place will greatly reduce the number of data breaches now and moving forward.

Yes, we live in very challenging times, but with evolving data protection and security regulations affecting more and more organizations, companies can no longer neglect their data security responsibilities. Security teams have no valid excuse for not adopting a modern approach to security and fulfilling consumer expectations of having adequate privacy and security standards protecting their most sensitive data.

Trevor Morgan, product manager, comforte AG
