The Tourism and Hospitality industry is a hotbed for Cyber Security issues because it has to collect and share all kinds of Personally Identifiable Information (PII) on its clients as part of its business practice.
Integrations between online travel package systems, hotel reservation systems, automobile rentals, air travel, restaurants, etc. allow for several vectors of attack along the supply chain.
Failure of any one partner in the supply chain to protect the shared client information can put all partners at reputational risk.
| Typical PII Collected during a Travel Transaction | |
| --- | --- |
| Guest's full name | Social Media Accounts (Facebook, Twitter, LinkedIn, etc.) |
| Companion Details | Hotel Loyalty Membership details |
| Children's details | Other Loyalty programs details |
| Full Home address | Passport Number / date of issue / date of expiry |
| Full Work address | Birth date |
| Gender | Place of Birth |
| Educational Qualifications | Nationality / Citizenship |
| Company name | Marital Status |
| Mobile Number | Credit card details (Number, expiry, CVV, etc.) |
| Fax Number | Bank account details |
| Telephone or Land Line Number | Driver's License |
| Email Address | Electronic Signature |
As a participant in this complex chain of information sharing, how do you know that you are doing your due diligence to protect not only the data that your clients have shared with you directly, but also the data shared by your partners?
"Cybercriminals infiltrate systems in various ways, one of which is by pretending to be customers and then luring salespersons into believing they have lost their reservation details. When the fake customers are asked to give personal information for checking, they propose to send it via email and do so with an attachment of data-stealing malware, which automatically downloads once clicked. The malware then breaks into payment systems where it collects loads of personal data such as credit card information." https://www.epldt.com/growing-tourism-industry-warned-as-hackers-target-visitor-information/
According to a Data Protection Report, 45% of large businesses in Canada report having been breached in 2019, a staggering jump from 24% in 2018. A lot of firms are overconfident when it comes to their information security; however, a recent study by the Canadian Internet Registration Authority (CIRA) has provided some insightful statistics. They found that 78% of companies were confident in their level of cyber-threat preparedness, yet 37% didn't have protection against malware and a staggering 71% didn't have a formal patching policy, which exposes these companies to massive security holes! If this doesn't sound any alarms, only 54% of small businesses provide cyber security training for their employees, even though the most commonly exploited form of malware is the phishing attack. These attacks directly exploit employees as a point of weakness and could lead to million-dollar breaches. Another very important statistic that the CIRA brings to light is that 70 per cent of data breaches happen against companies with fewer than 100 employees!
So we know that these firms are vulnerable to exploits, but what ARE the consequences?
Let's take a look at some major breaches to really see how destructive they can be.
Marriott International - September 8th 2018, the Marriott hotel chain announced that one of its reservation systems had been compromised, with up to 500 million customer records, including credit card and passport numbers, being exfiltrated by the attackers. To date, this breach has cost the company $72 million!
Uber - In late 2016 Uber suffered a data breach where the personal information of 25 million drivers and customers was leaked. Uber has paid over $148 million as a result of this breach.
British Airways - In the summer of 2018, cyber-criminals stole payment card details from an estimated 500,000 passengers who bought flights on the ba.com website or through the British Airways app, or made transactions involving Avios. This breach cost the company $314 million CAD.
TeamCISO was formed in 2015 by a group of CyberSecurity practitioners with experience in large enterprise. Our mission is to bring those frameworks and practices to help small to medium businesses get and stay cyber secure. Our team can help you assess your current Information Security and Privacy Controls to ensure that you are doing your due diligence in managing your corporate risk profile. If any gaps or vulnerabilities are discovered, our team will document these as well as define a roadmap to remediation.