Guest Post: Paying the price for travel’s addiction to data

Secure, compliant and trusted systems are in the travel industry’s self-interest, says Peter Matthews of Nucleus

Secure, compliant and trusted systems are in the travel industry’s self-interest, says Peter Matthews of Nucleus

Two leading travel brands are paying a high price for serious data breaches which have shone a spotlight on fundamental weaknesses in the way they protect their customer data.

First, British Airways was served a record fine of £183 million by the ICO following a data breach that exposed about 500,000 customers whose credit card details were skimmed, and now Marriott International, whose Starwood database was hacked last November, are facing a possible £99 million fine for allegedly breaching European data protection law.

In the case of Marriott International, data belonging to roughly 500 million Starwood guests, was compromised in the second-largest cyberattack on a company in history. The hackers gained access to their customer database, which included guests’ names, mailing addresses, phone numbers, email addresses, passport numbers, dates of birth, genders, reservation dates as well as credit card numbers and expiration dates.

Starwood Preferred Guest account information was also hacked which, one presupposes, contained quite personal preference data and loyalty history.

Personalisation data

For years now, the hospitality business has shared BigTech’s addiction to customer data, but rather than sell it to advertisers, hotels and airlines use it to personalise travel experiences. Hotels, particularly luxury hotels, collect customer data to build profiles which can include explicitly personal details, from room, pillow and favourite cocktail preferences to potentially compromising guest details.

Personalised customer service increasingly depends on CRM systems, rather than the General Manager’s personal knowledge of a valued client’s fondness for a particular indulgence. It doesn’t take too much imagination to picture some clients not wanting this ‘white glove’ information to be shared in the public domain.

If valued clients learn this data has been acquired by third parties – potentially malicious third parties – how will that make them feel about the brand they previously trusted to be discreet?

If this can happen to one of the biggest players in the business whose cyber and data security budget other hotels can only dream of, how exposed are smaller groups and individual hotels?

Perhaps privacy has just become a potentially highly valuable competitive advantage?

Outdated practices

The recent spate of data breaches only goes to highlight how vulnerable many travel booking systems and CRM systems are. The pursuit of digital marketing and CRM has made travel marketing much more effective, but the overhead of governance, compliance and security has been underestimated. Cyber security firms must be rubbing their hands in glee.

There is now an urgent need for travel brands to review their practices to secure systems and comply fully with the regulations, as well as define a customer data strategy identifying what is and isn’t collected and then how it is used and shared to improve the customer experience.

In our experience few travel brands place cyber security and GDPR compliance sufficiently high on their list of priorities. Few implement customer identity management platforms, like we did for Carnival Corporation recently, where we used the Gigya platform to automate secure and compliant profile management, preferences, opt-ins and consent settings.

GDPR was the first step to ensure customer data is only held with full consent, but has everyone fully complied? Have you noticed a dramatic drop in spam emails since last May? I haven’t.

As well as customer profiling and consent issues, it remains common for luxury hotels and agents to email booking forms to clients and request, preferences and credit card details as part of the booking process. This is often provided without any security and is a practice that surely has to stop.

Using security and privacy to competitive advantage

In this context, privacy and security could become a differentiator with a value proposition aligned with best practice. It’s a proposition that would appeal to all consumers, but particularly to the very wealthy and famous, who have traditionally valued discretion.

There is no doubt that personal data can improve the quality of service, but guests are rightly going to be even more wary about sharing their information than ever before. Demonstrating that there are secure data governance strategies in place is going to become table stakes in future.

This will mean going way beyond promising customers that their data will not be shared with any third parties. Even knowing that they have the right to delete their data at any time and that it will not be used for any algorithmic “learning” is academic in the face of what unscrupulous individuals will do if they get hold of this data.

Securing systems and compliance with GDPR are simply the first two steps, but both need to be part of a full review of how every travel brands uses customer data for marketing and enhancing customer service.

It’s in the travel industry’s self-interest to provide secure, compliant and trusted customer data management, because if they get it wrong, the fines will be eye-watering and the damage to brands irreversible.

More: Guest Post: Cyber Security – lets reiterate the basics