Equifax, Yahoo, eBay – all major brands that have been the targets of cybercriminals, with millions of customers impacted in each case. Those attacks have been so large as to attract worldwide attention, but smaller attacks happen every day and across every sector. And as customer data is compromised, brand reputation and revenue can also take a hit.
In travel, several big players have been affected, with companies such as Orbitz, Sabre, IHG, Delta and Hyatt all announcing breaches in the last year.
Vulnerabilities arise in a variety of ways. Some established brands run on legacy systems with outdated – and inadequate – security controls. Storing all data in one centralized database also creates risk, because a single compromise can lead to a massive data breach.
With billions of dollars in transactions and billions of pieces of personally identifiable information passing through travel companies’ digital systems every year, cybersecurity is a critical issue for the industry.
Brands rely on data to create personalized, seamless experiences for customers – it’s much easier to book a hotel room or flight if the guest’s past preferences and payment information are already in the system.
The challenge is how to manage data processing and storage, not only to protect it from criminals but also to comply with regulations such as GDPR, which goes into effect May 25.
For this month’s theme of privacy and security, we are looking at these issues from a variety of angles. We begin with insights from two cybersecurity experts.
Background
According to a May 2 report from password management company Dashlane, 89% of travel-related sites have unsafe password practices, leaving their users’ accounts exposed to hackers.
Dashlane examined password security on 55 of the world’s most popular sites from airlines, hotels, car rental companies, cruise lines and online travel agencies against five criteria.
Only six met the company’s minimum threshold of passing in at least four of the five categories: Hilton, Marriott, United Airlines, Hawaiian Airlines, Royal Caribbean and Airbnb – with Airbnb the only site to receive a 5/5.
Only two sites – Airbnb and Booking.com – offer two-factor authentication for logins, something that is considered a best practice in password protection.
Security intelligence company Trustwave’s 2018 Global Security Report – based on its investigation of breaches affecting thousands of entities across 21 countries in 2017 – found the hospitality sector ranks third as a target, with nearly 12% of all attacks. That puts it just behind retail (17%) and finance and insurance (13%).
“People swiping cards, inserting chips, buying tickets online and all of these are juicy targets for criminals still this day,” says Karl Sigler, threat intelligence manager for Trustwave. “In the end it comes down to money. So they are targeting businesses that process lots of credit cards.”
Online attacks
While cybercrime at brick-and-mortar businesses is down – point-of-sale attacks dropped by one-third in 2017 – Sigler says it is up in ecommerce.
In Trustwave’s recent code audits, “every single web application that we audited, 100% of them were vulnerable to something. The median number of vulnerabilities was 11,” he says.
And as web and mobile interfaces become more complex, with enhanced features for personalization, the potential for vulnerabilities also increases.
For travel brands, this is of course an enormous issue due to demands from travelers – and pressure from competitors – to create personalized digital interfaces that require the gathering and storing of data.
“They have a responsibility for securing that information,” says Austin Berglas, global head of cyber forensics and incident response for cybersecurity firm BlueVoyant.
“So making sure the content management program, the website itself is secure and tested frequently for vulnerabilities, and making sure there is a complete and secure separation between the website and PII [personally identifiable information] they’re collecting so if someone compromises the website they can’t fight their way in and access the PII.
“And if they’re not constantly doing vulnerability assessments and constantly penetration testing the environment, that’s the wrong answer. We want to take the view of the adversary and find ways in just like an adversary would be doing.”
Cat-and-mouse game
The rapid pace of technological development coupled with a competitive business environment can prompt companies to prioritize being “first” – a mindset that can expose them to security vulnerabilities.
“We see new technology, we want to bring it into the organization. But before we bring it into production, are we mitigating risks? Do we have compensating controls in place to protect ourselves? Oftentimes the answer is no,” Berglas says.
On the other side, the cybercriminals are more sophisticated than ever. They are also persistent and have the time and resources to work round-the-clock to penetrate their targets.
Trustwave’s Global Security Report offers an example of clever new ways criminals are attacking hospitality brands: “One common attack vector used to target hotels and restaurants last year was telephone-initiated spear phishing. The caller, who often was associated with the Carbanak-targeted attack group, would complain about being unable to make a reservation on the victim’s website and ask to email his details to the staff member.
“The attacker then emailed a message with a malicious file attached, waited until the victim confirmed they opened the attachment and then hung up the phone.”
“We make our tools better, they change their tactics and techniques. We modify our tools and they do the same,” Sigler says.
Best practices
Security experts agree that for most companies it is not a matter of if they will be a victim of cybercrime but when.
Simple steps such as prioritizing security – in budgets, in staffing and in the development of new products – as well as maintaining good firewalls and conducting regular intrusion audits can help to minimize risk.
“If an organization is able to detect a breach internally – so they have the resources to do the logging and the human know-how to actually spot an intrusion themselves – it will take maybe a day or two to actually detect the breach and recover from it,” Sigler says.
“But organizations that are not set up that way, organizations that have to wait for some third-party to let them know that they’ve been breached… those breaches can last months and in a couple cases we’ve seen years.”
Brands also need a comprehensive plan to address a breach internally and externally if it does happen.
“We call it a three-legged stool,” Berglas says.
“First, outside counsel that specializes in data privacy. The second piece is an outside forensic firm to do the investigation and mitigation. And third would be your public relations firm. That should be written into every company’s incident response plan.”
Sigler suggests companies prioritize transparency – coming out with full details as quickly as possible – which can ultimately help to shore up their reputation.
“We are absolutely getting better. I think that organizations are really developing a security awareness that is paying off,” he says.
“That said, crime will never go away. It hasn’t in the physical realm. We have physical bank robberies every single day. I don’t see it ever totally disappearing in cyberspace either.”