(This blog was originally published in December 2018. In February 2019, Micro Focus acquired Interset)
As we plan our holiday travels here at Interset, we can’t help but think back to the numerous security incidents that have plagued travel-related businesses this year. The hospitality and transportation industries have had their share of trouble in 2018. In fact, hospitality is one of the most targeted industries for cybersecurity attacks, likely due to the treasure troves of payment information available in these companies’ systems.
Several breaches in these industries were disclosed this year—let’s take a look.
In March, online travel agency (OTA) Orbitz, a subsidiary of Expedia, disclosed that around 880,000 payment cards were compromised and that hackers accessed personal information submitted for purchases made through an older website or an unnamed partner platform between January 1, 2016, and December 22, 2017.
If you’re going the direct purchase route, however, your data is still at risk—several other hospitality and transportation industry breaches made headlines this year. The Marriott data breach, in particular, highlighted how hotels are especially vulnerable to data breaches.
This one was most disconcerting and made its mark as one of the biggest breaches ever recorded. On November 30th, hotel giant Marriott revealed that hackers had gained access to its Starwood guest reservation systems, compromising information of 500 million customers including names, credit card information, passport numbers, and more. The biggest kicker of the breach is that the hackers, according to Marriott, had access to this database for four years.
If you’ve stayed at a Starwood residence on or before September 10, 2018 then you’ve likely been impacted. The investigation is still underway and the total cost of the breach is yet to be determined, although Marriott is facing in the region of US$1 billion in regulatory fines and litigation costs and class-action lawsuits seeking US$12.5 billion in damages. Needless to say, Marriott can expect a dip in guests this holiday season.
Hackers had access to the IT platform of its e-commerce websites for three months, according to Rail Europe North America’s filing with the California attorney general. The service is used by many Americans to purchase train tickets in Europe. According to the company, credit card numbers, expiration dates, card verification codes, name, addresses, and more, were stolen via credit card-skimming malware. While Rail Europe has faced scrutiny for not discovering the breach for three months, delays like this are not abnormal as it can be difficult to cut through the noise caused by too many false positives and a flood of alerts. Security analytics augments the SIEM and other existing security tools to detect threats faster and prevent cyber attacks.
Airlines: Air Canada, British Airways, Cathay Pacific
It seems like 2018 was the year of airline data breaches, as we discussed in a previous blog. Air Canada, British Airways, and Cathay Pacific all suffered significant data breaches of different natures. The Air Canada and British Airways breaches affected 20,000 and 429,000 customers, respectively. Cathay Pacific, of course, fared the worst, with 9.4 million customers impacted after “unauthorized access” to the company’s systems. According to the company, passenger names, dates of birth, passport and ID card numbers, and more were exposed in the breach.
If you’re a traveler, be vigilant this holiday season—or anytime. While you can’t control if a service provider gets hit by a breach, you may have some control over what information gets compromised and how much a breach impacts you. Here are a few tips:
- Don’t provide your passport information (or any personal information, really) unless it’s required. Some booking sites might request this, but double check to see if it’s optional or mandatory.
- If you do provide your information, only do so on secure sites that feature an https connection and a valid security certificate.
- Explore options for credit card safety. Your bank may allow you to add a second layer of verification in the form of a one-time passcode for transactions, meaning hackers can’t complete a transaction with just your credit card info. Some folks even utilize a separate card just for online purposes or a virtual credit card that offers a single-use number that expires after a certain amount of time.
If you’re on the provider side, get proactive. The airline industry is facing enormous scrutiny due to its successive breaches, as is the hospitality industry following the Marriott disaster. For hospitality or transportation vendors, increased security measures are imperative for 2019. Select your security partners strategically, and understand what technologies are best suited for your security needs.
If you’re looking to monitor activity within your network closely for any unusual activity, contact us to discuss how our user and entity behavioral analytics (UEBA) can give your company peace of mind and a more proactive security posture. Stay safe and secure this holiday season!
Melissa Howell is a Sr. Marketing Manager at Interset.