The travel and tourism sector has become a prime focus for cyberattacks. And what is worse, is that these can result in ransomware incidents arising from data breaches, according to data analytics company, GlobalData.
GlobalData found that cybersecurity concerns within the industry had risen by 4% in 2022 compared with 2021. During this period, concerns over cybersecurity in airlines had risen by 6%, travel services by 4% and accommodation 1%.
GlobalData Business Fundamentals Analyst, Misa Singh said: “Companies are consistently working to set up a reliable technical protection and security management mechanism to ensure customer security and prevent data leakage. A severe data security incident can lead to operational disturbances and cause significant financial damage to the business.”
US- and UK-based Omnicyber Security reports that the travel sector is an attractive target for cybercriminals, as sensitive personal and corporate data is relayed online and stored in databases. It identifies the following types of cyberattacks in travel and tourism:
* Phishing: Most common, phishing emails trick readers into thinking they are genuine company-issued emails. Whaling phishing attacks target managers with the intention of stealing data or money, while spear phishing attacks target employees while intending to breach company networks and access computer systems.
* DDos attacks: Distributed Denial of Service attacks aim to extort financial gain by halting a company’s online services. Company servers and systems are flooded with an abrupt increase in Internet traffic, effectively taking services offline.
* Malware and ransomware: Malicious software can infect and corrupt computers and access data as access is barred and the cybercriminal holds it for ransom. The attacks can destroy data, spy on it, or install further infectious and harmful malware across systems or networks.
Asata CEO Otto de Vries told Travel News he wasn’t aware of any current breaches in the local market but, however, was certainly aware of airline-related breaches that were in the public domain. “The amount of data agents and airlines ask from their customers to fulfil the booking and drive value-added upselling, places a lot of responsibility on those entities to secure and protect that data,” he said.
Jenna Law, Head of Risk and Audit, Flight Centre Travel Group SA, said looking at the latest trends associated with risk, cyber risk is still on the rise, and the group was certainly not immune to this. “It is for this reason that we have stringent processes and protocols in place when onboarding new suppliers or vendors who may need to integrate into our existing systems or should there be a requirement to share personal information with these suppliers, such as the information of our employees or clients.
“We are extremely diligent in performing a Third-Party Privacy and Security Questionnaire and all responses are reviewed by a Data Protection Officer and Chief Information Security Office prior to approval. These are some of the steps that we take, ensuring we are always vigilant and that we only collaborate with suppliers or vendors who have passed privacy and security minimum requirements.”
Security is #1
Andy Hedley, Amadeus MD Southern Africa, stressed that there should be no risk for travel agents when using the Amadeus GDS. Bearing in mind that data security was a huge concern for the EU government and authorities, the group had multiple systems and teams in place considering the amount of data it processed, he told Travel News.
“We have not been caught out with such attacks. We have a massive amount of resources dedicated to fraud in terms of continuous training of staff in IT security. Security processes are onerous because we are well aware of the data we hold. Our ringfences cannot be accessed and security policies are continually updated.”
Hedley said Amadeus spent a “very high amount” on cybersecurity in the face of prevalent danger, and that it was high priority within the systems the company used.
“There are holes in the industry though, with people still providing credit card details over the phone and logins are not always protected. In our business, security is number one.”
Hedley said the top concern is phishing attacks, with malicious links or data infecting systems.” The company’s teams have identified the signs of phishing, and accordingly, the filters and quarantines attached to the Amadeus email system mean that attachments may take up to five minutes to open. “Other companies have been penetrated in the past – we don’t stint on security. Amadeus has automated systems in place on the lookout for breaches.”
Scott Moser, Chief Security Officer for Sabre, said: “Cyberattacks such as email phishing attempts to steal credentials are increasing globally and across industries. The best defense is to learn how to recognise such attacks and vigilantly protect login, password and other sensitive information. Users should be very careful whenever they receive an email request with a link to enter their credentials on a website. We do not send emails with links to customers asking them to log onto a website or change a password.” He said Sabre has regularly assisted agency customers by distributing useful information to help them educate employees on cybersecurity.
Travelport’s Katie Cline, Senior Director, Global Head of External Communications said Travelport was unable to comment on the issue at the time of the request for comment.
