Cybercriminals must take vacations sometimes, but right now they are just as likely to be hacking the airline that would get them there or the hotel where they would stay. Last year, when a global airline carrier revealed that millions of customer records had been exposed in a data breach, it underscored a trend that is fast becoming a major concern for the travel industry. The breach — which exposed records such as credit cards, passports and government ID numbers as well as other private customer details — led to a multimillion-dollar drop in the company’s market cap and harsh scrutiny from authorities.

But that company is far from alone, and virtually every other company in the travel and transportation industry faces a similar threat.

Cybercriminals are targeting the travel industry like never before. It’s not hard to see why: The industry is a huge economic engine. In 2018, it generated $2.5 trillion in economic output in the U.S. alone. It’s a major employer, supporting 15.7 million U.S. jobs. And for some countries, it’s a substantial and irreplaceable part of gross national product.

Where money goes, criminals follow. According to data from the “2019 IBM X-Force Threat Intelligence Index,” attacks against the transportation industry skyrocketed in the last two years. From the 10th most-attacked industry in 2017, it leapt to being the second in 2018, behind only financial services.

As the number of attacks has grown, so have the costs. Since January 2018, IBM X-Force estimates that more than 566 million records — including unencrypted passport numbers, customer payment details and other data — have been leaked or compromised, according to publicly reported breaches. This means the estimated cost to travel and transportation companies is a staggering $60 billion based on the average cost per leaked record in those industries, which can include remediation costs, fines, extortion fees and lost business.

Why has the number of attacks against the travel and transportation industries leaped so dramatically? The answer is that the industry has two qualities that make it especially tempting to criminals: increasingly valuable data and customer hospitality demands that make risks harder to manage.

What Types of Travel and Transportation Data Are Cybercriminals After?

Travel companies are often required by law to collect and store valuable government-issued personally identifiable information (PII) such as driver’s licenses and passport numbers. As the prices for stolen Social Security and credit card numbers have plummeted on the black market, cyberthieves are looking to steal higher-value data.

Information gleaned from passports and travel itineraries is perfect for identity theft, resale and spear phishing campaigns, and the prices that the records now command reflect that. On the darknet, a stolen passport number sells for $1,000, with U.S. passports going for as much as $3,500, according to X-Force Red. For comparison, a stolen driver’s license number is worth $20, and Social Security numbers go for as little as $1.

Consider this: A breach of a major hospitality company in 2018 caused 5 million passport numbers to leak, which can fetch on average $1,000 per record, earning a potential payday of $5 billion or more on the darknet. That’s a huge return on investment for threat actors.

Also vulnerable is a form of currency that consumers rarely think of as being at risk: loyalty rewards. Theft of loyalty rewards more than doubled from 2017 to 2018, and it’s estimated that $1 billion worth of loyalty rewards is stolen every year.

It may not seem like the most obvious target, but loyalty rewards are a treasure trove for thieves. In the U.S., there are 3.8 billion loyalty membership accounts, amounting to more than 10 per person, making it a large and promising attack vector. Most people don’t monitor their rewards nearly as often as, say, their bank account, and rewards can be cashed quickly and lost forever.

Meet Customer Demands Without Compromising Security

Beyond the value of the data they hold, travel and transportation companies also have specific — if not entirely unique — risks that are intrinsic to the business. Travelers are increasingly demanding tech-enabled services such as self-service kiosks and mobile charging stations, and competitive pressure ensures that companies will do everything possible to meet that demand.

But there’s a tension between convenience and safety, and the trade-off presents a major dilemma for companies. Travel and hospitality companies thrive on offering comfort and convenience to customers, and every additional security measure that requires additional steps for customers can hamper the hospitality they have grown to expect.

So, what can companies do?

1. Weigh the Risks of Security Versus Convenience

Find a good balance between security and convenience for your customers. Identify ways to safeguard their accounts and information while limiting the impact on convenience. Consider enforcing things such as multifactor authentication (MFA) for your employees and, if possible, your customers.

2. Understand What Data You Have and Decide Whether You Really Need It

Apply encryption to all the sensitive data you have. Also, evaluate what data your organization has and what you really need. Consider what’s necessary to give travelers the best possible experience. What data do you have in your possession that is doing nothing but putting your customers at risk?

3. Rehearse and Test Your Incident Response

It’s not a matter of if an organization’s incident response plan will be tested anymore, but a matter of when. Create a detailed incident response plan and conduct regular simulations with your core team to test your response. It’s also vitally important to have cybersecurity experts on retainer, including incident response teams, crisis communications and outside legal counsel, so that they’re ready to step in the moment there’s an issue.

4. Hire a Hacker

Organizations should constantly test their security measures, including testing employees responsible for loyalty rewards and customer service. Learn your organization’s risk level by having a white-hat hacker hack your organization before a criminal does.
