This week we are going to focus on the tourism industry to uncover some of the most prevalent methods of cyber intrusion. We will dive into some of the issues facing this industry and review some methods to mitigate cyber attacks in general.
Cybersecurity In Tourism (Current State)
Most experts in the cyber security field estimate that around 20% of travellers worldwide are subject to cyber-crime. This percentage is a staggering amount considering that over 3 billion passengers travel by plane each year.
Max Goldfarb, chief technology officer for Travel Leaders Group, said far too much of that data is at risk:
"The amount of personal information a travel agency has on consumers is massive, and yet, it's still commonplace to see agencies with inadequate controls around consumer data."
As our population continues to grow, more and more individuals will be part of the monolithic industry of tourism. Oxford Economics projects massive growth in aviation travel through 2030, with travel numbers expected to reach or even exceed 5.9 billion annually.
With numbers such as these, there is a proliferating desire within certain individuals to increase enterprise-level intrusion efforts in order to obtain the personal data of travellers worldwide. Changing border control policies have enhanced cyber-risk too. Electronic devices are now subject to far higher levels of scrutiny than ever before.
As described by Andrew S. Townley, CEO of Archistry:
“Technology change enabled new access paths and a dramatic increase in attacks, but fundamentals are the same. Regrettably, the core approach to managing cyber risk has hardly changed at all. This is where the biggest changes should take place, but it’s hard to say if it actually will.”
To make matters even more complicated, many travellers from emerging countries are leaving domestic borders for the very first time, further creating a new surge of travellers and travel agencies that are susceptible to malicious data theft.
Common Cyberthreats in Tourism
It can often be very difficult to discern the true bottom line when it comes to cyber attacks. It becomes especially difficult for upper management to account for losses when the reality is, there is no glaring hit to the balance sheet. According to CSO online:
“The biggest loss comes from enforced employee idleness as wrecked networks and dysfunctional computers provide no means to actually do work.”
The Ponemon Institute, which specializes in data breach studies, estimates the average cost of a single attack is $5 million, with $1.25 million attributed to downtime, followed by another $1.5 million to IT and end-user productivity loss.
In the past few years alone:
- 1,200 InterContinental hotels in the U.S. were victims of a three-month cyberattack.
- Omni Hotels & Resorts alerted customers to the fact that hackers had infiltrated its networks for six months.
- Hyatt revealed that its payment systems were breached, exposing credit card data from 41 hotels in 11 countries.
Airlines and hotels are not the only hospitality sectors being preyed upon. Uber reported in 2017 that in 2016 hackers managed to obtain the personal information of 57 million customers and employees.
Although the following list of cyber threats is most prevalent in the tourism industry, nearly every major industry is susceptible to these various methods of intrusion.
Scraping is often used for non-malicious applications, such as gathering data from the websites of competing travel agencies. The information obtained can prove invaluable when processed to discern market preferences, such as the cities where hotels are booked the most, the preferred costs, the places visited most and more.
However, this technique can also be used for nefarious purposes. Throughout all industries, especially tourism, data scraping and information retrieval tools are still very prevalent.
Since all scraping bots have the same purpose, which is to access data, it can be difficult to distinguish between legitimate and malicious bots.
That said, Imperva, a company specializing in data and application security, notes several key differences that help distinguish between the two.
- Legitimate bots are identified with the organization for which they scrape. For example, Googlebot identifies itself in its HTTP header as belonging to Google. Malicious bots, conversely, impersonate legitimate traffic by creating a false HTTP user agent.
- Legitimate bots abide by a site’s robots.txt file, which lists those pages a bot is permitted to access and those it cannot. Malicious scrapers, on the other hand, crawl the website regardless of what the site operator has allowed.
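The two checks above can be run over a web server's access log. The following is an added example, not code from Imperva or from this article: it flags clients whose User-Agent claims to be Googlebot but whose IP fails forward-confirmed reverse DNS, and self-declared bots that request paths the site's robots.txt disallows. The log lines, IP addresses, hostnames and the ExampleFareBot name are constructed, and the DNS lookups are passed in as functions so the sample runs offline.

```python
import re
from urllib.robotparser import RobotFileParser

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')
GOOGLE_CRAWLER_SUFFIXES = (".googlebot.com", ".google.com")

def verified_googlebot(ip, reverse, forward):
    """Forward-confirmed reverse DNS: the PTR name must sit under a Google
    crawler domain AND resolve back to the same IP (a PTR alone can be forged)."""
    host = (reverse(ip) or "").rstrip(".").lower()
    return host.endswith(GOOGLE_CRAWLER_SUFFIXES) and ip in forward(host)

def classify(lines, robots_txt, reverse, forward):
    """Return {ip: set of flags} for clients whose User-Agent declares a bot."""
    rules = RobotFileParser()
    rules.parse(robots_txt.splitlines())
    findings = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, ua = m.groups()
        if "bot" not in ua.lower():  # heuristic: human visitors may use /booking/
            continue
        flags = findings.setdefault(ip, set())
        if "googlebot" in ua.lower() and not verified_googlebot(ip, reverse, forward):
            flags.add("spoofed-googlebot-ua")
        if not rules.can_fetch(ua, path):
            flags.add("ignores-robots.txt")
    return findings

# --- Constructed sample data (documentation IP ranges, made-up hostnames) ---
ROBOTS_TXT = "User-agent: *\nDisallow: /booking/\nDisallow: /account/\n"
GB_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
def _line(ip, path, ua):
    return f'{ip} - - [10/Sep/2018:10:00:01 +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'
SAMPLE_LOG = [
    _line("192.0.2.10", "/hotels/paris", GB_UA),
    _line("203.0.113.7", "/booking/12345", GB_UA),
    _line("203.0.113.8", "/hotels/rome", GB_UA),
    _line("198.51.100.9", "/account/profile", "ExampleFareBot/1.0"),
]
PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com",
       "203.0.113.7": "host7.isp.example",
       "203.0.113.8": "crawl-1.googlebot.com"}  # forged PTR, no matching A record
A = {"crawl-192-0-2-10.googlebot.com": ["192.0.2.10"]}

def run_sample():
    return classify(SAMPLE_LOG, ROBOTS_TXT, PTR.get, lambda h: A.get(h, []))
```

Against live traffic, pass `lambda ip: socket.gethostbyaddr(ip)[0]` and `lambda h: socket.gethostbyname_ex(h)[2]` as the two resolvers, with error handling for addresses that have no PTR record.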
In September 2018, British Airways announced that cybercriminals had obtained the financial and personal information from customer bookings. The breach involved over 380,000 bank cards. The information was stolen from the website, ba.com, and the mobile app.
- Prevent denial of service (DoS) attacks: It is recommended that you identify and block potentially harmful IP addresses and block requests from reaching your service by filtering through your firewall. Cloud service providers such as Acquia and Pantheon give you access to tools that will block potential attacks.
- Using .htaccess to prevent scraping: Integrated with Drupal CMS and Apache Solr, a configuration file can be tweaked to prevent scrapers from accessing your data.
Cryptojacking is a fairly new and emerging form of malware that has been taking industries by storm. Over the past year, cybercriminals have begun to shift from the less intrusive and less lucrative forms of ransomware and moved towards cryptojacking.
As computing power increases, so too do the capabilities that enable this form of intrusion. By utilizing a fraction of your system's computing power, infiltrators are able to mine for cryptocurrencies with relative ease and remain mostly unnoticed.
Reports of cryptojacking rose by 459% in 2018 due to an NSA leak which provided a software known as EternalBlue, which was sold online to various groups of hackers. Due to its less intrusive nature, cryptojacking will continue to proliferate in the coming years, as Brady Keller, Digital Manager for Atlantic.Net, mentions:
“The multi-million dollar cryptojacking industry has grown and will continue to grow with amazing speed in the years to come, thanks in part to the spread of untraceable cryptocurrencies such as Bitcoins and the proliferation of kits on the dark web.”
The best methods of avoiding cryptojacking are going to rely heavily on employee training and mitigation tools for your website such as Drupal Anti Virus Protection modules. Other methods are to update and purge browser extensions or to block website-delivered scripts.
Phishing (Spear Phishing)
For quite a few years now, phishing and spear phishing have been steadily on the rise. Research shows that just 29% of travel sites offer full protection against phishing attempts. The tourism industry is an advantageous target due to the mass amounts of stored customer data. Most agencies rely on insecure connections, causing the surge of phishing activity.
However, it isn't just the tourism industry that is affected. Due to the specificity of its targeting methods, spear phishing is arguably the most dangerous type of phishing attack for any organization. The SANS Institute, which specializes in information security and cybersecurity training, states that 95% of enterprise network attacks involve successful spear phishing attempts.
Phishing utilizes highly effective attacks using multiple techniques to acquire sensitive data and deploy an advanced and persistent threat.
Spear phishing is a more aggressive and targeted method designed to home in on more specific entities. A study of 1,300 IT security decision-makers was conducted for the CyberArk Global Advanced Threat Landscape Report. In the survey, 56% stated that targeted phishing attacks were the top security threat they faced.
In terms of the general population, as consumer spending continuously increases, consumers become less aware of the money that is leaving their bank accounts. This disconnect leads cybercriminals to pursue potentially lucrative opportunities.
The attacks most often depend on two techniques:
- Fileless malware
Most recently, airline services have fallen victim to very creative and successful attacks. According to the Bermuda Email Threat Scanner:
“This attack is a new spin on an old phishing email. We've seen this attack with several of our customers, especially in industries that deal with frequent shipping of goods or employee travel, such as logistics, shipping, and manufacturing.”
The attackers utilize web and email to create seemingly legitimate emails that fool recipients into opening them. Embedded within these emails are .pdf or .docx attachments containing a link designed to capture company details and credentials.
Fortunately, there are a number of mitigation steps your enterprise can use to defend itself from phishing. The easiest and most cost-effective methods are:
- Overall increased awareness
- Password policy modules available with the new Drupal 8.7 release
- Deceptive site removers are must-have commands provided by the Drupal content management system.
No matter the method, taking affirmative preemptive action is becoming increasingly necessary for large enterprises who possess mass amounts of personal data.
The Future of Mitigating Tourism Cyberthreats
In recent years, there has been an increase in the ability to store and utilize customer data effectively and securely.
Dr. Robin Pharoah, director of global insight at Future Agenda, recently stated that the explosion of opportunities to create digital identities, accompanied by identification and authentication protocols, has left us with a problem when it comes to a truly reliable, secure and interoperable digital identification system.
The Known Traveller
Together with its partners, the World Economic Forum explored solutions to seamless and secure travel challenges and developed the Known Traveller Digital Identity (KTDI) concept. The KTDI is a new way to encompass all data without relying on one central hub. Instead, the information is spread across a private data structure shared among all participating users.
With the steady increase of technological advancements from mobile applications to new security measures during travel, a new form of technology is necessary. Canada and the Netherlands partnered up to run a KTDI pilot project in 2018 for individuals travelling between the two countries, with broader rollout coming as soon as 2020.
KTDI will be the next step forward within the travel and hospitality sector. Fourth Industrial Revolution technologies such as biometrics, blockchain, cryptography and mobile devices enable efforts to overcome challenges faced by stakeholders to achieve a more secure and seamless traveller journey.
KTDI is built around 4 key components:
- Distributed Ledger
- Mobile Interface
Personalizing the travel experience alongside ironclad security measures is vitally important for the KTDI program to be widely adopted. Adam Weissenberg, a global leader of travel, tourism and hospitality at Deloitte Touche Tohmatsu, said at the World Travel and Tourism Council (WTTC) Global Summit in April:
"If you're entrusted with all that guest information to create that great personalized experience for your guests, which is what everyone here wants to do, you also have an obligation to make sure you're not leaving that at risk because if you do, you lose that trust."
Innovation is key to enhancing global competitiveness, mobility and productivity. Leveraging new technological advancements can support risk-based approaches to public safety and security, making air travel more efficient while simultaneously improving the travel experience.
Security concerns will always be justifiable and relevant within any industry, none more so than those which store and process personal information. However, it is important to note that the challenges facing identity solutions based on distributed ledgers arise from the same properties that make the technology attractive in the first place.
Surely we are on the right track in terms of creating more secure and streamlined methods of how we utilize and store personal data. It will be interesting to monitor the progression of the KTDI initiative to determine its viability. Only time will tell if this truly is the future of aiding in the mitigation of cyber threats within the tourism industry.