A ransomware attack on currency exchange company Travelex demonstrates that travel companies need to do more to protect customer data.

According to GlobalData figures, the value of the global online travel intermediaries market grew by 32.8% between 2014 and 2019 to hit $332bn. This reflects an increasing number of online bookings by holidaymakers, an unwanted consequence of which is an increased motivation to commit hacking crimes as the amount of data that can be mined and monetized grows ever greater.

The travel industry is particularly susceptible because of the large amounts of money people spend. The hackers, confirmed as hacking group Sodinokibi, have reportedly demanded $6m for decryption, restoration of IT systems, and the preservation of customer data. This attack, which was discovered on December 31, 2019, has uncovered failures in the company’s systems, failures that could well be found elsewhere in the travel industry.

Third-party companies have suffered too because of the hack. Problems at Lloyds, Barclays and Royal Bank of Scotland were reported following ongoing disruption at supermarkets Sainsbury’s and Tesco. Travelex cashiers have even had to resort to using pen and paper in branches to try and minimise disruption. The company’s failure to report the issue to the ICO within 72 hours has also been widely criticised.

Admittedly, not all hacks can be prevented, but travel companies must ensure they are taking steps to prevent them. Companies should be using resources such as ethical hackers to identify cracks in cybersecurity.

Cybersecurity is sometimes downplayed by companies

In a GlobalData technology study focusing on travel and tourism executives, it was found that cybersecurity is only fully understood by 64% of executives, which is troublesome because of the potentially catastrophic effects should things go wrong.

In the same survey, 77% of respondents said that their company was currently investing in cybersecurity. This means that almost a quarter of businesses could be unnecessarily susceptible to even simple hacks and data breaches.

Huge hacking scandals may have been preventable – in 2019, the Information Commissioner’s Office (ICO) claimed that Marriott failed to take the correct steps to secure its systems after buying Starwood in 2016.

As a result, data from 339 million guests was compromised and the company was fined $123m. British Airways was issued a fine of $240m for another breach, which affected 500,000 people.

The EU’s implementation of new General Data Protection Regulation (GDPR) rules is further reason to invest heavily in cybersecurity. Research from SSL security certificate provider Sectigo has demonstrated that travel companies are not doing enough to protect customers’ data: only 29% of websites were found to display a company-branded SSL bar, which shows the company is using a high-level Extended Validation SSL certificate.

This hack demonstrates the issues that companies operating online have to face. Companies cannot let data be compromised or they will face huge fines and a horde of angry customers that could turn to competitors.