Travel Companies Are Hacker Targets Because You Are


By Robert McGarvey

Probably your principal travel providers – airlines, hotels, online travel agencies, and the like – know a lot of information about you, very sensitive information, perhaps including passport number, driver’s license details, credit card information, and loyalty program details.

The bad news is that, increasingly, travel companies are hacker favorites, ranking second or third among the chief targets.

You already know that hotel restaurants, bars, and gift shops are under relentless assault – so much so that my loud advice is to never use a debit card in them, really try hard not to use a credit card, and pay cash to maintain safety.

And then there have been the many attacks on hotel loyalty programs.  

But what IBM is talking about is something different.  Sophisticated nation-state players are suspected of hacking into travel company databases in a search for information about travelers.

“I don’t see that slowing down any time soon. If you’re a nation state, you’re building large scale databases of people because the more you understand about people, the more you can manipulate and extort,” said Caleb Barlow, an IBM vice president, at a recent Amadeus event in Madrid.  

He added, according to Phocuswire reporting on the event, “Not all attacks want to leverage the information straight away. Nation states might want to use it in 20 years.”

That has to scare you.  

Do you want a nation such as Saudi Arabia or Hungary or Russia to have your travel history and preferences at their disposal?

Do you want the US to have it?

A morsel of good news is that, recently, per IBM’s Barlow, many hackers have shifted from data exfiltration to cryptojacking, which is putting victim computers to use mining cryptocurrencies for money.  

Travel sites too appear to be victims of this. What impact might that have on travelers? Hard to say, since currency mining as such shouldn’t impact a consumer’s data. But when a hacker has control of the computers it stands to reason he/she would also pull out useful data to keep or to sell, simply to optimize the financial return of the hack.  So I don’t see cryptojacking as mutually exclusive with data exfiltration. Not hardly.

Exactly what can you do to protect yourself in an age where travel sites are getting hacked?

I play with the idea of registering under a false identity, using, say, a good quality but fake Irish driver’s license and a fake passport.  The problem, of course, is that fakes won’t pass scrutiny by government employees such as TSA.  At a hotel, sure, I believe fakes generally will work fine.  Note: I am not advocating scamming hotels, just creating false data trails that, when stolen by a hacker, will dead-end.

But then there’s the problem of my data that already is in the system at multiple hotel groups, airlines, and assorted other travel vendors.  A new, fake identity won’t erase the past, accurate data.

So here’s what I am doing in response to the epidemic hacking at travel providers: going online, stripping out all data that isn’t needed and filling in false data where possible — challenge questions for instance. There is no need whatsoever to use your father’s real middle name in a challenge.  The only requirement is knowing what fake name you used.

My sense is that it is easier and safer to use substantial fake data with hotels.  Not so much with airlines.

And keep remembering that ever more travel company data is in the hands of hackers.  

Remember too that the hackers often appear to be highly skilled, and that leads to the worse news: very possibly there are plenty of hacks that so far have gone undetected, and our data may be leaking out.

That puts the burden on you.  Keep monitoring financial accounts and regularly – at least yearly – look at a credit report.  I also check my credit score monthly (free via various banks, credit unions, and credit card issuers).

But the sticky issue is that if the thefts are by nation states with no intent to monetize the data via fraud, it just may be impossible to divine what data has been copied.

That’s maddening.

But it also is reality.
