Digital Security in the Travel and Tourism Industry

Digital Security in the Travel and Tourism Industry
Share article
twitter linkedin medium facebook
The travel and tourism industry was reaching peak digitalization levels before COVID-19 struck in early 2020. Airline companies were already going online, with thousands of tourism eServices sprouting up. The good news is that air traffic is regaining momentum in 2021 and so is the industry. The cybersecurity implication is simple – more travel and tourism targets for hackers and malicious entities. Let’s learn more about the risks involved and how to mitigate them.

As of 2019, prior to the COVID-19 outbreak, online travel bookings and reservations saw a 10% YoY growth, reaching a staggering total global value of $755 billion.

Digital Threats in the Travel and Tourism Space

The travel and tourism industry is facing a wide range of cybersecurity risks due to the post-COVID spike. The common denominator in all of the following fields is that hundreds of millions of private and business customers are now trusting eTourism and eTravel businesses with their Personal Identifiable Information (PII), credit card details, and other sensitive details. 

With an average of over 60 external digital applications and third-party tags being used on these websites for development and business purposes, CISOs and security teams are having a hard time identifying blind spots and dependencies that are being created on them. While this external code boosts functionality, there are also many security and compliance implications you have to take seriously.  

Travel and tourism websites are extremely dynamic as the pricing varies from user to user. They are dictated by the current demand, amongst other dynamic parameters (data) that are fetched from multiple sources, making website digital security even more challenging. There is also ongoing communication between airlines, hotel chain brands, and aggregators to make everything happen seamlessly.

Let’s dive into the risks that the three main travel and tourism industry categories are facing today on an ongoing basis: 

1 – Airline Companies and Affiliates 

Online webpages on airline booking websites, internal and third-party, have become big targets for hackers and malicious entities. The infamous British Airways exploit was not a one-off case (more on this later). Air India recently reported a massive data breach with over 4,000,000 personal records stolen. Customers of other airlines (Finnair, Luftahansa, etc.)  were also impacted due to the data linkage to Air India.

The culprit – SITA, an important aviation IT firm. This third-party fell prey to a supply chain breach that impacted the aforementioned airline companies.


2 – Accommodation and Travel

Not only are these omnichannel models extracting sensitive data from multiple sources, they also are using external code to improve their functionality. Take a look at Uber’s megahack, where over 57 million personal records (600,000 drivers in the U.S.) were stolen. Hackers exploited a third-party cloud-based service to get into Uber’s GitHub account, via which they accessed data stored on Amazon servers.

Additionally, two huge hotel chains (with over 100 hotels in 14 countries) were hacked via a Magecart attack that exploited Roomleader, a vulnerable third-party. Hotel chains need to manage different local websites for their different hotels, which makes it even more challenging to monitor them on an


3 – Attractions, Events, Conferences

Ticketmaster UK was hacked via a faulty chatbot plugin, Inbenta. This seemingly harmless add-on, which was boosting customer engagement on the website, was exploited to initiate the infamous breach that is still making headlines due to its huge security and regulatory implications. Over 40,000 customer records were exposed and sent off to remote servers by the hackers. Read more here.

These kinds of breaches can also be politically motivated. For example, the hacktivist group RedHack took down the Turkish Ministry of Tourism website.


Related: All You Need to Know About Web Skimming Attacks

Data Controllers, Not Processors, Have to Answer for Data Breaches

It’s pretty clear that all travel and tourism related activity is going online fast(er), especially with the world starting to recover from the COVID-19 pandemic. But with millions of tourists and business travelers leaving their Personal Identifiable Information (PII) and credit card details on various websites, cybersecurity risks and challenges are growing at an unprecedented pace as well.

In order to understand the severity of the issue (and its implications), let’s take a closer look at the British Airways Magecart attack. Over 400,000 personal records were harvested via this infamous hack. This GDPR violation led to a massive £20 million fine by the Information Commissioner’s Office (ICO), not to mention the ongoing class-action lawsuit filed by more than 16,000 victims.

  • What was stolen? Names, addresses, credit card numbers and details
  • What was the weak link? Modernizr JavaScript (JS) library
  • How was the hack performed? Magecart (22 lines of malicious skimming code)
  • Where was the hack performed? BA’s baggage claim webpage (online form)

The biggest takeaway from this major heist, besides the growing need for website digital security, was that the data controller (British Airways) was held responsible. Even if a third-party vendor (data processor) or an external app is the weak link that enables the breach, the General Data Protection Regulation (GDPR) and other privacy laws will always hold the data controller accountable.


Related: Top 10 Data Privacy Laws to Watch in 2021

Is Your Online Travel and Tourism Business Website Safe?

As per our latest research, over 95% of travel and tourism online businesses use external digital applications and third-party tags to supplement their marketing, sales, operational, administrative, and business processes. Besides this enablement, these digital assets help reduce development and maintenance costs while improving performance and time to marketing (TTM) metrics significantly.

However, not having a proper risk-based approach can prove to be counter productive and introduce a wide range of security and compliance issues. 

The most common cybersecurity threats you may be looking at include web skimming (Magecart) threats, web supply chain attacks, and remote domain vulnerabilities. Traditional application security tools and solutions can’t possibly detect these problems since you have no control over this external code and a compromised remote server is not something you can address.

So what’s the right way to tackle these security blind spots on your website?

  • Ongoing Risk Mitigation – You need to be on top of things at all times when it comes to external digital applications and third-party tags on your website
  • Dynamic Digital Inventory – Having a constantly updated digital asset inventory can help you govern your third-parties and unveil dependencies
  • Track Data Movement – As a Data Controller, only you are responsible for data breaches on your website. You need to know where your data is going

Reflectiz offers the aforementioned functions in a non-intrusive way, without adding a single line of code to your ecosystem. This is very important in travel and tourism websites, where performance metrics are extremely crucial due to customers performing complex searches and price comparisons. All digital assets can then be monitored via a centralized dashboard to enforce ongoing client-side security.

Air France-KLM has already chosen Reflectiz to handle the post-COVID spike in online activity and to safeguard it’s sensitive data. The time for digital security is now. 

Take control

Stay up to date with the latest news and updates

Your Website looks great!

But what’s happening behind the scenes?

Discover your website blind spots and vulnerabilities before it’s too late!

Try for free