Q: I know that you have written several Legal Briefs columns on fraudsters who hack into GDSs and issue cash tickets over a weekend. I also know that ARC holds agencies responsible to pay for the tickets issued. Has this hacking stopped? If not, can you please go over what we can to do to prevent this from occurring at our agency?
A: The problem has not stopped.
Every Monday or Tuesday, I get a phone call or an email from the owner of an agency that was hacked over the weekend. Some of these hacks have resulted in over $100,000 in liability for the agency.
In my experience, the frauds have these aspects in common:
- Only Sabre agencies get hacked. My guess is that Travelport and Amadeus agencies have not been hacked because the hackers don't know those systems, or perhaps because those systems have better safeguards.
- The fraudsters use the Sabre login of a travel agency employee or independent contractor. Regardless of whether any staffer admits that they disclosed their login, ARC appears to get the login information from Sabre's records.
- The logins are obtained because the employee or IC responds to an authentic-looking email purporting to be from Sabre explaining that a Sabre update or the like requires that the employee or IC change their username and password after clicking on a link.
- Tickets are issued late Saturday night or early Sunday.
- Travel is from points in West Africa to points in Europe. Some tickets are one-way, some are roundtrip.
- Tickets are issued on one or multiple airlines.
- Most of the outbound travel is completed before the agency office opens on Monday, so the system will no longer let you void the tickets.
Related Legal Briefs columns:
Here are the steps you can take to make sure it does not happen to you.
First, require your employees and ICs to refrain from giving out their GDS logins in response to any email or phone call.
Second, change your agency location's Sabre settings either to prohibit ticketing on weekends or prohibit cash tickets or both. If you don't know how to take these steps, ask your Sabre rep.
Third, make a habit of reviewing ticketing records early Sunday so that you can try to void any suspicious tickets.
ARC has an article on its webpage that offers similar advice, although in more general terms applicable to all kinds of unauthorized ticketing.
By the way, it does no good to claim that Sabre is at fault for not having better security, such as two-factor authentication or IP address checks. Sabre admits no fault.
ARC drafts your bank account for the full amount of the tickets, and if you don't pay in full (or reach a long-term payment agreement with ARC or settle directly with each carrier) within 30 days, ARC will probably terminate your appointment.
A number of agencies have then gone out of business. Others have arranged to have another agency do the ticketing for them.