Mark Pestronk

Q: Our agency received tens of thousands of dollars in debit memos because an employee or an independent contractor gave out his or her GDS login credentials in response to a phishing email that appeared to be from our GDS vendor. The email looked very genuine. Sometime later, over a weekend, late at night, someone logged in and issued dozens of tickets for travel between Abidjan, Ivory Coast, and points in Europe on Royal Air Maroc and Air France. By the time we discovered the fraud and voided the tickets, the travelers had mostly already flown on Monday. Unlike most frauds, there were no credit cards involved, as the fraudster designated them as cash sales. We reported the incident to ARC and the local police. Are we liable for these debit memos?

A: According to ARC's policy, your agency failed to "exercise reasonable care" to prevent unauthorized issuance of electronic tickets, which means that ARC will not excuse your agency from liability. ARC would now take the same position even if no one at your agency admitted to giving out login credentials, as ARC presumes that someone must have done so.

Under the ARC Agent Reporting Agreement, ARC can relieve your agency of liability if ARC determines, after an investigation, that your agency was exercising reasonable care at the time of the theft. One of the ways in which agencies must exercise reasonable care is to safeguard GDS login credentials.

The Abidjan fraud has been going on for almost two years now. At first, ARC could not determine how the GDS break-ins occurred, so ARC eventually sent letters to victimized agencies exonerating them from liability on the grounds that they appeared to have exercised reasonable care.

In those early cases, no one admitted giving out login credentials, and neither the agencies nor ARC may have known how the security breach occurred. However, in the last few months, ARC appears to have discovered cases where an agent gave out the credentials.

In all of the recent instances that I know of, if an agency admits that someone gave out those credentials by mistake, ARC has found that the agency has not exercised reasonable care. Most recently, after an agency denied that anyone fell for a phishing email, ARC has been deciding that someone must have done so, and ARC is quite possibly correct.

The very interesting legal issue here is whether falling for a phishing email, in and of itself, shows that the agency failed to exercise reasonable care. ARC apparently thinks so, which spells danger for agencies.

Agencies that receive a "no reasonable care" letter from ARC can appeal the case to the travel agent arbiter. No agency has done so yet, but I predict that some will do so soon.

Phishing emails today appear so genuine that it's easy to see how a very busy or unsophisticated agent could be entrapped, no matter what precautions the agency took to safeguard login credentials, so the arbiter's decisions should be interesting.

In the meantime, it is urgent for every owner and manager to instruct all employees and independent contractors never to give out their GDS login via computer or telephone, no matter who asks for it. Believe it or not, phishermen masquerade as agency owners and managers, too.

Mark Pestronk is a Washington-based lawyer specializing in travel law. To submit a question for Legal Briefs, email him at [email protected].
