Why Cybercriminals Are Targeting Travel and Transportation

July 10, 2019

Cybercriminals must take vacations sometimes, but right now they are just as likely to be hacking the airline that would get them there or the hotel where they would stay. Last year, when a global airline carrier revealed that millions of customer records had been exposed in a data breach, it underscored a trend that is fast becoming a major concern for the travel industry. The breach — which exposed records such as credit cards, passports and government ID numbers as well as other private customer details — led to a multimillion-dollar drop in the company’s market cap and harsh scrutiny from authorities.

But that company is far from alone, and virtually every other company in the travel and transportation industry faces a similar threat.

Cybercriminals are targeting the travel industry like never before. It’s not hard to see why: The industry is a huge economic engine. In 2018, it generated $2.5 trillion in economic output in the U.S. alone. It’s a major employer, supporting 15.7 million U.S. jobs. And for some countries, it’s a substantial and irreplaceable part of gross national product.

Where money goes, criminals follow. According to data from the “2019 IBM X-Force Threat Intelligence Index,” attacks against the transportation industry skyrocketed in the last two years. From the 10th most-attacked industry in 2017, it leapt to being the second in 2018, behind only financial services.

As the number of attacks has grown, so have the costs. Since January 2018, IBM X-Force estimates that more than 566 million records — including unencrypted passport numbers, customer payment details and other data — have been leaked or compromised, according to publicly reported breaches. This means the estimated cost to travel and transportation companies is a staggering $60 billion based on the average cost per leaked record in those industries, which can include remediation costs, fines, extortion fees and lost business.

Why has the number of attacks against the travel and transportation industries leaped so dramatically? The answer is that the industry has two qualities that make it especially tempting to criminals: increasingly valuable data and customer hospitality demands that make risks harder to manage.

What Types of Travel and Transportation Data Are Cybercriminals After?

Travel companies are often required by law to collect and store valuable government-issued personally identifiable information (PII) such as driver’s licenses and passport numbers. As the prices for stolen Social Security and credit card numbers have plummeted on the black market, cyberthieves are looking to steal higher-value data.

Information gleaned from passports and travel itineraries is perfect for identity theft, resale and spear phishing campaigns, and the prices that the records now command reflect that. On the darknet, a stolen passport number sells for $1,000, with U.S. passports going for as much as $3,500, according to X-Force Red. For comparison, a stolen driver’s license number is worth $20, and Social Security numbers go for as little as $1.

Consider this: A breach of a major hospitality company in 2018 caused 5 million passport numbers to leak, which can fetch on average $1,000 per record, earning a potential payday of $5 billion or more on the darknet. That’s a huge return on investment for threat actors.

Also vulnerable is a form of currency that consumers rarely think of as being at risk: loyalty rewards. Theft of loyalty rewards more than doubled from 2017 to 2018, and it’s estimated that $1 billion worth of loyalty rewards is stolen every year.

It may not seem like the most obvious target, but loyalty rewards are a treasure trove for thieves. In the U.S., there are 3.8 billion loyalty membership accounts, amounting to more than 10 per person, which makes them a large and promising target. Most people don’t monitor their rewards nearly as often as, say, their bank account, and rewards can be cashed quickly and lost forever.

Meet Customer Demands Without Compromising Security

Beyond the value of the data they hold, travel and transportation companies also have specific — if not entirely unique — risks that are intrinsic to the business. Travelers are increasingly demanding tech-enabled services such as self-service kiosks and mobile charging stations, and competitive pressure ensures that companies will do everything possible to meet that demand.

But there’s a tension between convenience and safety, and the trade-off presents a major dilemma for companies. Travel and hospitality companies thrive on offering comfort and convenience to customers, and every additional security measure that requires extra steps from customers can hamper the hospitality they have grown to expect.

So, what can companies do?

1. Weigh the Risks of Security Versus Convenience

Find a good balance between security and convenience for your customers. Identify ways to safeguard their accounts and information while limiting the impact on convenience. Consider enforcing measures such as multifactor authentication (MFA) for your employees and, if possible, your customers.

2. Understand What Data You Have and Decide Whether You Really Need It

Apply encryption to all the sensitive data you have. Also, evaluate what data your organization has and what you really need. Consider what’s necessary to give travelers the best possible experience. What data do you have in your possession that is doing nothing but putting your customers at risk?

3. Rehearse and Test Your Incident Response

It’s not a matter of if an organization’s incident response plan will be tested anymore, but a matter of when. Create a detailed incident response plan and conduct regular simulations with your core team to test your response. It’s also vitally important to have cybersecurity experts on retainer, including incident response teams, crisis communications and outside legal counsel, so that they’re ready to step in the moment there’s an issue.

4. Hire a Hacker

Organizations should constantly test their security measures, including testing employees responsible for loyalty rewards and customer service. Learn your organization’s risk level by having a white-hat hacker hack your organization before a criminal does.

Caleb Barlow
Vice President - IBM Security

Caleb Barlow is an accomplished security professional and Vice President at IBM Security, where he leads IBM's Threat Intelligence and Incident Response Team...