Flying the Not-So-Friendly Skies: Lacking Security in the Travel Industry

Over the past decade or so, the travel industry has grown significantly as consumers and travel companies alike leverage advances in technology to make every experience effortless and more reliable. As technology advances, innovation has changed the way we travel. From the vacation destinations we choose to the activities we do once we arrive, technology’s impact on travel and tourism cannot be overstated.

From research to booking, consumers are increasingly relying on digital channels and platforms for all of their travel needs. In fact, according to research from Smart Insights, 60% of leisure and 41% of business travelers are making travel arrangements via the internet today.

And while some hotels, airlines, and travel companies have employed technology to smooth over some of the friction associated with traveling, the travel industry has traditionally been resistant to embracing evolving technologies. Just consider the dot-matrix printers or archaic terminals airlines still utilize as an example of this hesitance. As a result, the travel industry is one of the most vulnerable when it comes to cyberthreats.

Travel = Vulnerable

Historically, the travel industry has not been a high priority for hackers and bad actors seeking to turn a quick profit, but as a result of the industry’s hesitance to adopt innovative new technologies, far too many companies in the travel industry now lack the security controls other industries adopted years ago. Consequently, traveler information is at increased risk.

While companies in the travel sector aim to save customers time and money by making the experience easier, these companies are doing little to protect customers from falling victim to cybercrime. In storing and using critical data for their customers, travel companies have the added responsibility of ensuring that data remains safe, but there is very little awareness surrounding how to securely store and transfer that data. Companies across the industry still utilize unsecured connections and deploy plenty of remote, out-of-date and unmanaged systems, making it easier than ever for hackers to access sensitive traveler information.

In addition to the shifting nature of the industry, the travel industry often attracts high-spending customers that would undoubtedly appeal to scammers.

As a result, the personally identifiable information (PII) of travelers, such as names, addresses, credit card information, and passport and/or driver’s license information, is increasingly finding its way to the black market, where cybercriminals are using that lucrative information to nefarious ends.

Marriott and British Airways

Consider a pair of recent data breaches as dangerous examples of lacking cybersecurity in the travel and tourism industry.

The massive Marriott breach saw hackers gain access to the reservation systems of many of the company’s hotel chains more than four years ago, ultimately exposing the private details of up to 500 million customers. Particularly troubling was the nature of the stolen data: names, addresses, credit card numbers, and phone numbers, as well as even rarer spoils for hackers, including passport numbers, travel locations and arrival and departure dates. Scary stuff.

According to the Washington Post, “The potential value of such information on such a large percentage of the world’s travelers triggered speculation that Marriott may have been the target of nation-state hackers seeking to track the movements of diplomats, spies, military officials, and business executives.” Even scarier stuff.

Last September, British Airways announced it suffered a breach resulting in the theft of customer data. As discussed in interviews with the BBC, the flag carrier airline of the United Kingdom noted that about 380,000 customers could have been affected and that the stolen information included personal and payment information but not passport information. Described by a chief executive as a “malicious criminal attack,” the breach was related to bookings that were made over a 15-day period, and security experts have suggested that hackers were able to copy customer data as it was entered into the system during the purchasing process — a digital version of card "skimming."

If it can happen to travel giants like Marriott and British Airways, it can happen to you, too.

What Can Travel Companies Do to Protect Customer Data?

One of the most effective ways for airlines, travel agencies and their business partners to protect their customers’ data and their business is by engaging in strong cyber hygiene. Just like personal hygiene requires establishing good habits like showering and brushing one’s teeth, when discussing cyber hygiene, "good habits" involve applying operating system and software patches in a timely manner, deploying third-party software and understanding the management and configuration of endpoints under your control.

Given the ever-increasing number of attack vectors an adversary might use to breach security, it shouldn’t come as a surprise that the overwhelming majority of them are known vulnerabilities that attackers hope you haven’t taken the time to remediate yet. So, how can the travel industry securely store and transfer customer data? By ensuring all database and server endpoints are patched, enforcing adequate password controls on all endpoints, and keeping the same controls on remote and onsite machines, with regular patching and configuration updates.

How Automox Can Help

Enter Automox. Our easy-to-install, cloud-native, automated patching solution allows you to know exactly what your security posture is, seeing which endpoints are misconfigured, missing critical patches or are out of compliance, and then automates the basics of security hygiene, ensuring every system is fully patched and correctly configured regardless of OS, software or geographic location.

As the technology industry moves into an increasingly digital space, employing good habits of cyber hygiene will be crucial for travel companies to avoid the significant financial and reputational harm that comes with a data breach. Ask Automox how you can make your infrastructure more resilient by automating the basics of cyber hygiene.

About Automox

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-native and globally available, Automox enforces OS and third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.

Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.