A hack of a trip: the hotel industry and personal data

The travel and hospitality industry is loved by all – businesses and customers alike. In the past few months, we’ve seen tech giants make curious moves that demonstrate their growing interest in this lucrative vertical, believing that if you want to rule the world, you might as well focus on those busy exploring it. With the hotel industry making up a big slice of the industry expected to generate £162.3 billion by 2026, the data collected by players in a field of this size needs to be an important discussion.

Looking at the broader relationship between the travel industry and technology, we have seen big names making headlines. For instance, Amazon announced an intriguing collaboration with Indian domestic flight booking company Cleartrip, which analysts believe to be a telling sign regarding the company’s travel tech strategy. Google, which already offers several travel-related tools, also added new features to its Google Travel platform meant to encourage users to book their trips via the company. 

When two of the big-four tech companies pay attention to something, we pay attention too. There are a few good reasons data-hungry tech giants are focusing on the travel and hospitality sector: firstly, it is incredibly lucrative, with the value of the global online market trend reaching more than $629 billion in 2017, and is expected to reach approximately $818 billion this year. Moreover, travel data enables deep insights into a user’s status and preferences. In other words, those who know how you choose to travel, know more about the type of person you are, which for companies like Google and Amazon, is core to their business operations. 

Unfortunately, the travel sector is known for suffering some of the biggest data breaches in history. Not long ago, Marriott International lost $126 million in 2019 following a massive security breach that leaked around 383 million guest records, including passport details and credit card information. In November 2019, it was revealed that Gekko Group, a subsidiary of Accor Hotels, also suffered a major data breach that may have affected a customer base of 600,000 hotels worldwide.

Cyberattacks targeting the hotel industry show no signs of levelling off – a 2019 survey from AirPlus International, in partnership with the Global Business Travel Association, even shows that 68 per cent of business travel managers think the risk of fraud is worse today than it was two to three years ago. Just a few months ago, British Airways faced the largest data breach fine in history and was asked to pay more than £183 million following a 2018 hack that revealed the personal data of around half a million passengers. A year earlier, Cathay Pacific Airways suffered the world’s biggest airline data breach that included the credit card, passport and personal information of around 9.4 million customers. 

Hackers’ motivation to focus data in the travel industry

It is no coincidence the travel industry is becoming a notorious target for cyber security attacks, here are a few reasons behind hackers motivation:

Many travel websites include online purchase options, and online booking forces users to enter detailed, accurate personal information. This gives hackers easy access to identity theft opportunities and credit card details. Even sites that do not include payment options can reveal a lot to hackers about the dates in which users plan to be away from home, which might lead to break-ins.   

Hotels and airlines are traditional businesses that have made the transition to digital without taking into consideration the appropriate security measures. The majority of these businesses are not digital-first, so complexities related to online security can be more complicated to confront and this increases the risk of being breached. 

On the other hand, some of the many new platforms and technologies that aim to provide travel solutions may need more time to adjust to the required security standards. Certain young startups want their product to meet the market as soon as possible, and make the mistake of going live without meeting the highest security standards. 

Users are becoming price-focused and are hunting for deals all over the web. This means that many will compromise on the quality and credibility level of a travel site or hotel if it offers the best price. We witness small websites and travel aggregators rising to traffic greatness without offering the proper security support, which is alarming. 

We conducted a study and found that the average user’s digital footprint includes 19 travel companies, which make up 6 per cent of their total digital footprint and includes mostly companies that were only used once by the user. Out of the companies that found their way to users’ footprint, on average, 2-3 were breached in the past. Mine also found that the top ten travel companies to be present in users’ footprint are: Airbnb, Booking, Tripadvisor, Expedia, Easyjet, Hotels.com, Kayak, Delta, United, Ryanair, Lufthansa, Tripit, Wizzair, Rentalcars.

Advice to hoteliers 

As almost 70 per cent of business travel managers think the risk of fraud is at its worst, time is more than just ‘of the essence’ for accommodation providers to self-assess the way data is being handled and steps that can be taken to prevent hackers. 

As mentioned, travel and hotel booking is nothing new to the world, and because they stem from a traditional background, many players in the industry have struggled to keep up with rapidly evolving technology and ditch its own legacy tech. An essential step for hoteliers is to look into the booking process and assess how customers data is collected and stored. 

Firstly, avoid collecting unnecessary information and where data is needed, it is essential that it is collected and used in a safe and secure way that does not give hackers a chance of getting their hands on it. Furthermore, by keeping up with technology, hoteliers can ensure that when data requests are made, customers are able to take back ownership of their data in an immediate, streamlined manner.

An important note for hoteliers – and businesses in general for that matter – is to be aware of the legislation in place to help aid the protection of data and act accordingly. The current regulations of GDPR and CCPA allows those booking to know what data different travel companies hold on them and manage it.

The EU has taken a stance with its close regulation of how travel websites suggest offers to users. For example, companies like Booking.com were put on the spot for encouraging shoppers to close a deal using means that might be considered manipulative. We hope that a rise in awareness and discussions around the topic of travel tech security will encourage regulators to add another aspect to their new rules. 

When it comes to travel, consumer attitudes are changing. As travellers become more educated and empowered to take control of their personal data, organisations need to make sure they have the tech to facilitate this. Increasingly, data management and protection is no longer a conversation for the future and should be a priority.

Be in the know.

Subscribe to our newsletter »