Six years ago, then-FBI director Robert Mueller said there were two types of companies: "Those that have been hacked and those that will be."
Few would argue that his statement isn't even truer today. More than half of U.S. businesses (53%) said in 2017 that they had experienced a cyberattack in the previous year, according to a report from HSB Insurance Co.
Travel companies, including agencies, are not immune. In fact, some experts say they are even more vulnerable than other businesses.
In the past few years alone:
- 1,200 InterContinental hotels in the U.S. were victim to a three-month cyberattack.
- Omni Hotels & Resorts alerted customers to the fact that hackers had infiltrated its networks for six months.
- Hyatt revealed that its payment systems were breached, exposing credit card data from 41 hotels in 11 countries.
Nor is it only hotels that have been preyed upon. Sabre in 2017 reported a cyberattack on one of its reservations systems, and Uber revealed last year that in 2016, hackers stole the data of 57 million customers and drivers.
Last month, Akamai Technologies said in a report titled "Summer 2018 State of the Internet/Security: Web Attack" that while the theft and abuse of stolen credentials is a major risk for all internet-driven businesses, data from the report revealed that "the hospitality industry experiences many more credential abuse attacks than other sectors."
In fact, the 2018 Global Payments Insight Survey by ACI Worldwide and Ovum found the hospitality sector had been the most heavily affected, with 29% of respondents having experienced a breach.
Many cybersecurity experts say the amount of personal client information that the travel industry collects makes it a particularly alluring target for hackers.
"Huge for the whole industry is creating a personalized experience, but to do that you need data," Adam Weissenberg, global leader of travel, tourism and hospitality at Deloitte Touche Tohmatsu, said at the World Travel and Tourism Council (WTTC) Global Summit in April. "If you're entrusted with all that guest information to create that great personalized experience for your guests, which is what everyone here wants to do, you also have an obligation to make sure you're not leaving that at risk, because if you do, you lose that trust."
The BitSight security ratings firm found that the most prevalent type of breach in the hospitality industry is point-of-sale attacks (see chart page 20) followed by web applications being compromised. The data in question can include passport information, addresses, names, birthdays and travel plans.
Max Goldfarb, chief technology officer for Travel Leaders Group, said far too much of that data is at risk.
"The amount of personal information a travel agency has on consumers is massive," Goldfarb said. "And yet, it's still commonplace to see agencies with inadequate controls around consumer data."
Steve Bates, executive director of risk for Ernst & Young Advisory Services, said the hotel sector is one of the most breached.
"A lot of it has to do with where you see the online and point-of-sale systems, things of that nature," Bates said.
He added that while those types of attacks are pervasive, nowadays there are additional threats, such as the Internet of Things -- think Amazon Echo's Alexa -- wireless door locks and remote home automation controls.
"The largest amount of attacks these days tend to go to the software itself as opposed to the underlying infrastructure," Bates said. "With that move to do more digital transformation, you end up with more software and bigger attack profiles."
Part of the problem, he said, is the rush to adopt new technologies that end up not being installed or maintained by security experts, allowing breaches to go undetected and necessary patches to go uninstalled.
"Take for example Facebook or Twitter," Bates said. "If you need to have a patch applied to increase security, you go into your device and it easily updates. With the Internet of Things a lot of times, or with things like wireless door locks, being able to update that a lot of times requires physical access [to the device]. ... That means when there is a vulnerability, the ability to react and close that takes a lot more effort and a lot more time and leaves you exposed to those vulnerabilities."
As a result, Bates said, he believes the number of travel industry breaches will rise.
"My sense is it's going to become more prevalent," he said. "Hotels are advertising that keycards are going away; they've got applications on your mobile phone."
Once those are breached, huge systems can become vulnerable.
"Security is always a trade-off," Bates said. "So you have to balance the features and functionality with privacy and security. And the feeling of privacy and security can vary across an industry."
Experts believe this is why some companies still don't employ the cyber safeguards necessary to combat increasingly sophisticated cybercriminals.
Digital security company Dashlane reported in May that, based on password requirements, 89% of the travel industry websites it analyzed did not provide users with adequate protection from hackers.
Airbnb, Hawaiian Airlines, Hilton, Marriott, Royal Caribbean and United each passed the Dashlane test, while Norwegian Cruise Line, American Airlines, Carnival Cruise Line, TripAdvisor and Trivago did not.
"Applying security patches and making sure systems are up to date is as critical now as it has ever been," Bates said. "Organizations know that, but it requires diligence."
[Photo: Dee Waddell, general manager of IBM’s Global Travel & Transportation Industry, and Nick Fishwick, an adviser at HSBC, on a panel at the WTTC summit.]
A commitment to diligence, experts say, must come from the top executive ranks, something stressed by other speakers at the WTTC summit.
Dee Waddell, general manager of IBM's Global Travel & Transportation Industry, said of cybersecurity, "It's a board issue, hands down. If [board members] don't feel it's their responsibility and accountability, you have a problem. Particularly in the travel space, this will have significant impact."
Nick Fishwick, an adviser at HSBC, said a weakness at too many companies is that the people at the top view cybersecurity issues as "a tech problem" to be handled by the tech department. But he also said he sees that changing.
"More companies are now realizing that cyberthreats are not something to send off to the CIO," Fishwick said. "It's something the board and senior executive team have to know about and have to take ownership of."
Asleep at the wheel
Travel Leaders' Goldfarb said agencies can be "prime targets" for cyberattacks due first and foremost to "the lax investment in information security and end-user training" that he said is very common within travel agencies.
"This is very unfortunate, given that the travel agent population tends to be older and less tech-savvy, making them more susceptible to falling victim to these types of attacks," he said.
Certain industry practices also contribute to cyber vulnerability, Goldfarb said, such as wire transfers still being a routine payment method in the high-end international luxury space and prepayment for hotel stays using hotel authorization forms, which require full copies of credit cards, still used by many hotel suppliers that don't have web-based payment systems.
Goldfarb said travel agents are particularly vulnerable to phishing emails and online booking portal schemes.
"Everyone will fall for a phishing scam eventually," he said. "And once they do, cyberthieves are able to sit and wait, monitoring agents' emails for the best opportunity to get in the middle of a travel transaction."
The biggest problem of all might be that travel agencies overall still don't understand or have the resources to counter cyberthreats.
"Industrywide, progress is slow," Goldfarb said. "Especially at smaller travel agencies that don't have the necessary resources to invest in information security and training."
Travel Leaders invests in end-user training and protection systems and has online fraud detection and fraud prevention processes. Goldfarb said that this has kept fraud-related costs at a minimum for Travel Leaders agencies.
Given the importance of an agency's reputation in retaining existing clients and attracting new ones, it is imperative that agencies consider the cost of reputation damage. For that reason, Deloitte's Weissenberg said, as agencies and other companies grow and handle more data electronically, their strategies must include a cybersecurity plan.
"If you're talking about your strategy to grow online and connect with customers and gather data payments, with each one you also have to consider the risk with that," he said.
Companies that fail to do this risk reputational damage, which Weissenberg said is sometimes overlooked: "It can be massive and very costly if you're viewed as a place that can't hold the data, and the data is easy to access, and you don't have the proper protocols in place."
Weissenberg knows firsthand about reputational risk. Deloitte was the victim of what he described as a very small cyber hack that became a big public relations disaster. The breach only affected a few clients and was quickly contained, but once bloggers caught wind of it, "it created a much worse scenario than the reality."
Clients started calling and asking if they had been impacted, Weissenberg said, forcing the company to do reputational damage control.
What Deloitte learned, he said, is that it's dangerous to gamble on whether or not a cyber breach will become public.
"The irony is nothing really happened; no data was taken," he said. "It was contained, but the damage from this getting out, which you have to assume it will, and getting blown out of proportion was far worse."
A universal business threat
Not all experts think travel is more at risk than other industries. Technology consultant Shelly Palmer, citing Mueller's take on the pervasiveness of the risk of cyberattacks, said that whether the travel industry is more or less vulnerable than other sectors is the wrong question to ask.
"Every industry is vulnerable," he said. "The question is what you can or should be doing."
Palmer said there are certain aspects of travel that make it somewhat easier to target, such as transient people moving through hotels.
"You have no idea who's walking in with a fake ID or a real ID, and they are not there long enough for you to check," he said, adding that by the time the hotel gets a chargeback from the credit card company, the person is long gone.
Palmer agreed with Goldfarb that phishing and spoofing attacks are a huge problem in the travel space, with fraudulent emails that look convincingly like deals from major travel companies being sent out en masse.
"But that can happen with Star Wars movie tickets, Super Bowl tickets; it's not unique to the travel industry," he said. "This is every business now."
In fact, Palmer said, other industries yield better data for bad actors than travel industry databases. The vast majority of hotels, for example, no longer hold credit card information, Palmer said. They use third parties to handle those transactions and take the payment information via a gateway. The hotel, he said, only gets a hash token that says the credit card is valid and the process has been completed.
Palmer said that anyone who embraces 21st-century technology has to deal with the risks that come with it.
"Cybersecurity is an issue, and there are limited things that people can do about it," he said. "Corporations do have a big burden to protect us, and we should hold them to that standard."
He added: "We're living in dangerous times. There's a bad-guy industry. It's very profitable. So the good-guy industry has to be better than they are. And on any given day, one is better than the other. That's the nature of arms races."
Jeri Clausing contributed to this report.