How the travel industry can fight back against cyberthreats

Travel and hospitality businesses have become lucrative targets in recent years for cybercriminals who have stolen from the industries in attacks that often take more than half a year to identify.

In the past three years alone, the hotel industry has faced 13 serious attacks, according to an IntSights study. The travel and leisure sectors suffered a 155.9% year-over-year rise in suspected online fraud attempts worldwide in the second quarter, according to a TransUnion study, compared with a 16.5% increase in overall alleged intrusions. And the criminals haven’t let up during the pandemic, so airlines have had to continue fighting fraud and cybercrime.

The hotel industry attracts cybercriminals because it handles so many financial transactions in so many countries. What types of attacks should hotel IT staff and contractors be on the lookout for?

Hotels’ main cyber concern

The top threat to hotels is phishing, a scam in which hotel guests may receive fake phone calls claiming to be from the front desk. The caller could claim that there is an issue with the credit card on file and that they need to re-verify the payment method.

DarkHotel hacks are another significant threat. These target travelers via hotel Wi-Fi. Digital certificates are sent to guests, like a familiar adobe update, which will retrieve sensitive information. Hotel chains are combating these hacks by suggesting that guests use a virtual private network.

Malware (malicious software) is something criminals email employees, under the guise of the attachment or link looking innocent or legitimate. But when the user opens the file or clicks on the link, their system (and more) can be hacked into by the criminal. Hotels are combating malware by installing and regularly updating anti-malware software and ad-blockers and by training employees on when to access links or files.

Other safeguards

There are various methods that can help lessen the chances of a cyberbreach. For example, the IT department should routinely update operating systems and back up data and files, and every employee should double-check sources when asked for software administrative permissions. Also, strong firewalls can limit bad traffic and provide security.

Software and hardware can help prevent breaches, but employee training is also an essential part of any hotel’s cybersecurity. Sabre Hospitality President Clinton Anderson notes that industry members would be shocked by “the number of malevolent, ill-intended actions happening in big companies especially in hospitality where you have a lot of turn-over at that front desk.”

What happens when you’re hacked?

In 2018, a Marriott reservation system was hacked. More than 500 million customer records, including credit card information and passport numbers, were stolen. The company said the hack went back four years prior to the discovery and, when it was noticed, the company started using computer and mobile device monitoring software.

“Guests can enroll in a service called WebWatcher, which monitors the sites where personal information may be shared and alerts guests if evidence of their personal data is found,” said Marriott International President & CEO Arne Sorenson. “In the United States, enrollment in WebWatcher provides two additional benefits: fraud loss reimbursement coverage and unlimited fraud consultation services.”

Airlines are being hacked too

Hotels are not alone in being targeted by cybercriminals: The airline industry has faced serious cyberattacks as well, and many airlines still aren’t equipped to handle them. This year, the SITA Passenger Service System reported that only around 35% of airlines and 30% of airports are prepared for cyberattacks. The communications and IT vendor, which serves 90% of the world’s airlines, was once breached. It was a “highly sophisticated attack” that stole passenger data from the company’s US servers. More than 580,000 Singapore Airlines customers were affected and New Zealand Air and Japan Airlines were two of the many airlines breached.

The SITA hacking was a wakeup call for many. It revealed the extent of the dangers the airline industry faces from cyberattacks.

“The proliferated effect of the attack on SITA is yet another example of how vulnerable organizations can be solely on the basis of their connections to third-party vendors,” said Ran Nahmias, the co-founder of Cyberpion. “If these kinds of seemingly legitimate connections are not properly monitored and protected, they can result in damaging breaches that unleash highly confidential data, as evidenced in this situation.”

The aviation industry faces dangers such as ransomware and distributed-denial-of-service attacks. Following the SITA attack, HackerOne solutions architect Shlomie Liberow stressed that airlines need to prepare for the worst.

“We’ve seen the aviation industry hit particularly hard over the past year, perhaps because criminals know they will be vulnerable and their focus and priorities on remaining in business,” Liberow said. “However, traditional enterprises like airlines have always been an attractive target since few are digital-first businesses, and therefore have relied on legacy software, which is more likely to be out-of-date or have existing vulnerabilities that can be exploited.”

Vendors are a security risk

The airline industry needs to keep third-party vendors in check when it comes to protecting information. Given the high stakes involved, experts suggest that blind trust is not an option.

“You simply cannot know whether your third parties meet your company’s security controls and risk appetite until you’ve completed a full vendor security assessment on them,” said Panorays Chief Technology Officer Demi Ben-Ari. “But through automated questionnaires, external footprint assessments and taking into consideration the business impact of the relationship, you can get a clear, up-to-date picture of supplier security risk. It’s important to note that the best practice is not a ‘one-and-done’ activity, but through real-time, continuous monitoring.”

Cyberattacks lead to serious consequences, including grounding flights. In 2015, hackers targeted Polish airline LOT’s ground operations system, affecting 1,400 passengers. The hackers made it impossible to create flight plans and flights. It was the first attack of its kind, and it caused concern about cyberattacks one day remotely taking control of planes.

Best security practices

Hackers are a destructive force in the travel industry. These criminals make calculated strikes to make money and cause chaos. To address the threat, the standard advice is to back up and store data in multiple places, including off your physical premises, and have one copy of it be offline. Multifactor authentication and long, complicated passwords will take longer to crack. Updating and patching systems regularly helps companies avoid being victimized when a new exploit is discovered. Reducing or eliminating shadow tech helps companies avoid having a small hole in their armor that they didn’t know they needed to patch. Treating cybersecurity as a companywide concern, not an IT concern, encourages each employee to take ownership of their actions and knowledge and to seek help proactively instead of making an “innocent” mistake that costs the company millions of dollars. Gamified training, and microlearning, can increase retention of training lessons, reducing the risk that an attack succeeds. And zero trust, while it can be difficult to implement, can also sharply reduce breaches. Finally, companies should avoid simply throwing money at the problem: Not all cybersecurity solutions work together, which wastes money and increases the risk of a breach.