Light Dark
July 10, 2019 By Caleb Barlow 4 min read
Data Protection
Fraud Protection
Incident Response

Cybercriminals must take vacations sometimes, but right now they are just as likely to be hacking the airline that would get them there or the hotel where they would stay. Last year, when a global airline carrier revealed that millions of customer records had been exposed in a data breach, it underscored a trend that is fast becoming a major concern for the travel industry. The breach — which exposed records such as credit cards, passports and government ID numbers as well as other private customer details — led to a multimillion-dollar drop in the company’s market cap and harsh scrutiny from authorities.

But that company is far from alone, and virtually every other company in the travel and transportation industry faces a similar threat.

Cybercriminals are targeting the travel industry like never before. It’s not hard to see why: The industry is a huge economic engine. In 2018, it generated $2.5 trillion in economic output in the U.S. alone. It’s a major employer, supporting 15.7 million U.S. jobs. And for some countries, it’s a substantial and irreplaceable part of gross national product.

Where money goes, criminals follow. According to data from the “2019 IBM X-Force Threat Intelligence Index,” attacks against the transportation industry skyrocketed in the last two years. From the 10th most-attacked industry in 2017, it leapt to being the second in 2018, behind only financial services.

As the number of attacks has grown, so have the costs. Since January 2018, IBM X-Force estimates that more than 566 million records — including unencrypted passport numbers, customer payment details and other data — have been leaked or compromised, according to publicly reported breaches. This means the estimated cost to travel and transportation companies is a staggering $60 billion based on the average cost per leaked record in those industries, which can include remediation costs, fines, extortion fees and lost business.

Why has the number of attacks against the travel and transportation industries leaped so dramatically? The answer is that the industry has two qualities that make it especially tempting to criminals: increasingly valuable data and customer hospitality demands that make risks harder to manage.

What Types of Travel and Transportation Data Are Cybercriminals After?

Travel companies are often required by law to collect and store valuable government-issued personally identifiable information (PII) such as driver’s licenses and passport numbers. As the prices for stolen Social Security and credit card numbers have plummeted on the black market, cyberthieves are looking to steal higher-value data.

Information gleaned from passports and travel itineraries is perfect for identity theft, resale and spear phishing campaigns, and the prices that the records now command reflect that. On the darknet, a stolen passport number sells for $1,000, with U.S. passports going for as much as $3,500, according to X-Force Red. For comparison, a stolen driver’s license number is worth $20, and Social Security numbers go for as little as $1.

Consider this: A breach of a major hospitality company in 2018 caused 5 million passport numbers to leak, which can fetch on average $1,000 per record, earning a potential payday of $5 billion or more on the darknet. That’s a huge return on investment for threat actors.

Also vulnerable is a form of currency that consumers rarely think of as being at risk: loyalty rewards. Theft of loyalty rewards more than doubled from 2017 to 2018, and it’s estimated that $1 billion worth of loyalty rewards is stolen every year.

It may not seem like the most obvious target, but loyalty rewards are a treasure trove for thieves. In the U.S., there are 3.8 billion loyalty membership accounts. There are a ton of loyalty membership accounts in the U.S., amounting to more than 10 per person, making it a large and promising attack vector. Most people don’t monitor their rewards nearly as often as, say, their bank account, and rewards can be cashed quickly and lost forever.

Meet Customer Demands Without Compromising Security

Beyond the value of the data they hold, travel and transportation companies also have specific — if not entirely unique — risks that are intrinsic to the business. Travelers are increasingly demanding tech-enabled services such as self-service kiosks and mobile charging stations, and competitive pressure ensures that companies will do everything possible to meet that demand.

But there’s a tension between convenience and safety, and the trade-off presents a major dilemma for companies. Travel and hospitality companies thrive on offering comfort and convenience to customers, and every additional convenience that requires additional steps for its customers can hamper the hospitality they have grown to expect.

So, what can companies do?

1. Weigh the Risks of Security Versus Convenience

Find a good balance between security and convenience for your customers. Identify ways to safeguard their accounts and information while limiting the impact of convenience. Consider enforcing things such as multifactor authentication (MFA) for your employees and, if possible, your customers.

2. Understand What Data You Have and Decide Whether You Really Need It

Apply encryption to all the sensitive data you have. Also, evaluate what data your organization has and what you really need. Consider what’s necessary to give travelers the best possible experience. What data do you have in your possession that is doing nothing but putting your customers at risk?

3. Rehearse and Test Your Incident Response

It’s not a matter of if an organization’s incident response plan will be tested anymore, but a matter of when. Create a detailed incident response plan and conduct regular simulations with your core team to test your response. It’s also vitally important to have cybersecurity experts on retainer, including incident response teams, crisis communications and outside legal counsel, so that they’re ready to step in the moment there’s an issue.

4. Hire a Hacker

Organizations should constantly test their security measures, including testing employees responsible for loyalty rewards and customer service. Learn your organization’s risk level by having a white-hat hacker hack your organization before a criminal does.

 |  |  |  |  |  |  |  |  |  |  | 
Caleb Barlow

More from Data Protection
November 19, 2024

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

November 8, 2024

SpyAgent malware targets crypto wallets by stealing screenshots

4 min read - A new Android malware strain known as SpyAgent is making the rounds — and stealing screenshots as it goes. Using optical character recognition (OCR) technology, the malware is after cryptocurrency recovery phrases often stored in screenshots on user devices.Here's how to dodge the bullet.Attackers shooting their (screen) shotAttacks start — as always — with phishing efforts. Users receive text messages prompting them to download seemingly legitimate apps. If they take the bait and install the app, the SpyAgent malware gets…

November 7, 2024

Exploring DORA: How to manage ICT incidents and minimize cyber threat risks

3 min read - As cybersecurity breaches continue to rise globally, institutions handling sensitive information are particularly vulnerable. In 2024, the average cost of a data breach in the financial sector reached $6.08 million, making it the second hardest hit after healthcare, according to IBM's 2024 Cost of a Data Breach report. This underscores the need for robust IT security regulations in critical sectors.More than just a defensive measure, compliance with security regulations helps organizations reduce risk, strengthen operational resilience and enhance customer trust.…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature