The travel industry needs to rethink how it approaches security breaches as the rate of attacks increases and the nature of threats changes.
Recent reports reveal how travel and transportation has moved up the list to second or third place in terms of number of attacks, depending on who you believe, compared to tenth a few years ago.
But, the big question: "Why?"
Caleb Barlow, IBM Security vice president, X-Force Threat Intelligence, says while personal information might have become a bit of a commodity, travel information enables bad actors to infer a lot more about a person.
He adds that the travel industry knows where people are going and how they are spending their time, and has a pretty good idea of their political views, their aspirations and the business deal they are about to do.
Speaking at last week’s Amadeus T3CH event in Madrid, Barlow says that this type of information is valuable to nation state adversaries - i.e. those that work for a government to target another government, organization or individual.
“I don’t see that slowing down any time soon. If you’re a nation state, you’re building large scale databases of people because the more you understand about people, the more you can manipulate and extort,” he says.
According to Barlow, the industry needs to think about what information it really needs to have about customers and how it “obfuscates it, how it encrypts it and how long it keeps it for.”
A further change in the past couple of years is the move from data "exfiltration" and ransomware attacks to cryptojacking, a recurring revenue stream for hackers which uses someone else’s computer to mine cryptocurrency.
Barlow says that travel organizations need to realize that this is worth between $600 billion and $1 trillion.
“That’s bigger than the GDP of many European nations so the motivation is there. The challenge is we have been collecting the data in systems that are 20 years old. Organizations need to plan for being breached and plan for how they are going to respond.”
He says travel companies must “reground themselves in the real motivation for attacks.”
“Not all attacks want to leverage the information straight away. Nation states might want to use it in 20 years.
“The second thing to reground ourselves is in not thinking about attacks in terms of how many records were stolen. We have to think about it in terms of loss of control, what did they have the potential to download, change or disrupt and for how long?
“How long did it take to regain control and can we verify that? And, what is their likely next move and worst move?”
* This reporter's attendance at the event was supported by Amadeus.