Deloitte data privacy, cybersecurity and telecoms expert Cavan Fabris warned travel is a targeted sector because of the 'goldmine' of personal information companies collect and keep
Travo Cyber Summit: Protect your 'goldmine' of data from hackers or face 'extinction'
The travel industry was warned that, because it sits on a goldmine of customer information, it is one of the sectors most targeted by cyber criminals.
Deloitte partner Cavan Fabris, a data privacy, cybersecurity and telecoms expert, told the Cyber Summit that well-publicised hacks of travel firms have made the sector more of a target.
He said information like personal details, credit card and payment data, travel plans, and loyalty scheme details are highly prized by online criminals.
“Your industry is one of the most-sought after by hackers for information. Why? It’s because you sit on a goldmine of personal data.
“One attack tends to lead other nefarious actors to say: if company X is vulnerable, what about company Y or Z? They all use similar processes.”
Travel’s vulnerability also stems from the multiple booking and payment systems firms use, each of which is a single point of vulnerability.
And Fabris warned the sector is also open to attack due to legacy technology, saying: “this is not the newest technology you are sitting on.”
“The back doors into them [travel systems] are pretty well known and can be, and have been, exploited.”
Travel’s large number of external contractors and employees and its extensive supply chain leave it vulnerable, as does the need to use personal data to provide customers with 24/7 assistance.
Fabris said this can be exacerbated by use of low cost data centres in parts of the world where data security is not a priority.
“On top of that you are in the loyalty business. Your business sector was one of the first to create a loyalty card.
“At the heart of your business is the client. You have built over time loyalty with particular individuals that’s at the heart of your relationships.
“Can you say you have put their personal data at the forefront of your customer experience, the forefront of what you are trying to sell to your customers?
“Or is it a tick box exercise and passed on to the IT department to sort it out? Because it’s not if you are going to get hit, it’s when.
“You can take steps but nothing’s going to prevent a determined attacker from getting inside your network. What you can control is what you do next, how you react and that’s being prepared.
“It takes milliseconds to lose that loyalty you have spent millions building. Protect it [data] like you are protecting the individual. It takes time, it takes effort, it takes investment.
“Loss of consumer trust in your industry is unrecoverable because they will go to someone else and you will find yourself in an extinction event.”
Travel firms should look at how they protect customer data and how they interact with third parties, so they can answer questions about how they obtained it, where it is held and what they hold.
This requires careful management of supply chain contracts with partners that are sent personal customer information.
Under GDPR rules a breach must be reported within 72 hours, and regulators may investigate and order an audit to be carried out.
Fabris said the more questions firms cannot answer, the greater the intensity of that investigation. And he said data security training must encompass everyone from receptionist to CEO and everyone in between.
Companies must make sure they keep their training updated, said Fabris. “Training is very much continual, like cleaning a cathedral, not a tick box. It has to be robust, frequent and sophisticated.
“The majority of breaches I see today come from a mistake by someone who either received no training or did not receive proper training and mishandled data.”
A data breach response plan should not be “sitting on the shelf gathering dust” and firms should practice it so they are ready to report a breach when it happens.
A data minimisation plan, ensuring firms keep only the data they need, will reduce the likelihood of a hack, as will managing access to that information carefully.
Fabris said cyber insurance is essential and firms should continually review their cover, as hackers are aware of the “basic deductibles” and will tailor their demands to avoid getting insurers involved.
“Insurance is supplemental to what you do. It’s not intended to protect you against attack. It’s like life insurance; we all have it but it’s not a replacement. We all hope we won’t have to use it.”