As COVID-19 mauls the travel sector and hotels, airlines and cruise lines shutter their doors or park their planes and ships, this interlude may present them with an opportunity to address how they handle passenger information. Each of these sectors of the travel industry collects personally identifiable information (PII), and each has suffered considerable breaches or lapses in how that data is handled.
The Cruise Sector
Carnival Corporation saw two of its subsidiary cruise lines, Princess Cruises and Holland America, suffer data breaches in 2019. The intrusions occurred in April and July, yet Carnival didn't notify the State of California until March 3, 2020.
As Princess tells the story, in May 2019 the company discovered suspicious activity and got to work on sleuthing out the "potential security issue." The third-party firm it hired to conduct the forensic investigation determined that an unauthorized party had accessed employee email accounts, and that those mailboxes contained the PII of employees, crew and guests.
The type of information compromised included names, addresses, Social Security numbers, government ID numbers, passport numbers, driver’s license numbers, credit card numbers, financial account info and personal health information.
But rest easy: the company didn't turn up "any evidence of misuse of the personal information affecting any individual."
How would it? Carnival kept the breach quiet for many months, and absence of evidence is not evidence of absence. Given the breadth of the data exposed (Social Security numbers and passport numbers do not expire the way a credit card does), the affected individuals will be at risk of identity theft for some time to come.
The Airline Sector
Three separate airlines had difficulty maintaining the security of the data collected about their passengers: British Airways, Transavia (Netherlands) and Spice Jet (India).
British Airways was forced to face the music over its breach of 380,000 persons' personal and payment card details, which occurred in the August-September 2018 time frame. The UK Information Commissioner's Office (ICO) responded with a proposed £183 million fine under the GDPR.
Transavia noted in late February that the data of 80,000 of its passengers had been exposed in a cyberattack. The airline said the lost information was contained within an email mailbox and was "five-year-old" data comprising names, dates of birth, luggage and wheelchair assistance requests. The data was limited to passengers who flew between Jan. 21-31, 2015.
The airline offered assurances: “After investigation, we have no reason to believe that the unwanted access to the mailbox was aimed at obtaining this data. In addition, practice shows that with this combination of data (name, date of birth and flight data) the chance of abuse is minimal.”
No worries. Though Transavia never did explain why a five-year-old passenger manifest was still sitting in someone's mailbox, where a single compromised account was enough to expose it.
Then we have Spice Jet, which didn't seem to have a problem with storing its backup files in unencrypted form. An ethical hacker discovered the data trove covering 1.2 million passengers and alerted CERT-India, which in turn alerted Spice Jet.
Spice Jet noted in its statement the importance of the safety and security of passenger data and that its systems are "fully capable and always up to date to secure the fliers' data which is a continuous process. We undertake every possible measure to safeguard and protect this data and ensure that the privacy is maintained at the highest and safest level." To Spice Jet's credit, the data files were password-protected, but according to the security researcher, that password was easily guessable. A password-protected archive is only as strong as the password, and a guessable one offers little more protection than none at all.
The Hotel Sector
Like British Airways, the hotelier Marriott International was socked with a proposed £99 million fine by the ICO for the exposure, disclosed in 2018, of roughly 383 million guest booking records.
There is no doubt that the hotel industry is awash with personal data on its guests and is ripe for targeting by cybercriminals.
While the ICO was meting out its fines to Marriott, Gekko Group, a subsidiary of the Accor Hotel group, discovered that its secured data wasn't all that secure. A research team from vpnMentor found more than a terabyte of data sitting unprotected on servers hosted in France belonging to OVH SA. The data included a plethora of PII and travel details for guests of Teldar Travel and Infinite Hotels, two booking systems that serve a great deal of the European market. Additionally, the researchers discovered that login credentials were stored alongside the data and available for the harvesting.
Don’t Collect What You Can’t Protect
Every infosec professional will tell you, don't collect what you can't protect. These examples from within the travel industry serve to drive home that point. In the case of Gekko Group and Spice Jet, their attempts to protect their data revealed configuration errors or a lack of understanding: an exposed server with no authentication, and a backup guarded by a guessable password. In the case of Transavia, data that should have been purged years earlier was still lying around in a mailbox. With respect to Marriott, British Airways and Carnival, they were subjected to attacks that managed to maneuver through their defenses. What is inexplicable is the time delay between discovery and disclosure. These should happen in rapid succession to shrink the window of exposure for those potentially affected; a person who does not know their passport or Social Security number has been taken cannot freeze their credit, watch for fraud or replace the document.
— Christopher Burgess