Hospitality and travel data breaches in a pandemic create new risks and threats to citizens on a global basis. Data breaches from airline, travel, and hospitality IT and cloud platforms present a potential worst-case risk in the current climate. A common pattern in pandemic management today relates to travel companies using contact tracers to advise passengers on flights and in hotels about potential exposure risks to COVID-19. A colleague of mine was recently on an essential flight across the US with a single identified super-spreader. At least 50 people on the flight have been infected, as well as their families, so the risk is real and present.
While clearly necessary and essential, alerts from contact tracers no doubt create strong reactions and significant concern for those impacted. Hearts sink on bad news like this, and given the recent surges of the virus, concern is at an all-time high. The resultant fear and concern in turn create an opportunity for phishers looking for higher click-to-breach rates from panic reactions. Spear phishing using groomed and personal travel records encourages emotional responses from vulnerable consumers. So, looking at the pattern of recent attacks, a good chance exists that attackers are revisiting prior database thefts to mount a new phase of virus-related spear phishing. This trend will lead to further data theft and compromise for citizens and enterprises alike. A phish to a corporate employee operating outside regular controls can be a valuable attack vector for deeper secondary compromise, and an attack that’s highly personalized can lead to a more probable click-to-breach pattern. Similarly, knowing an employee’s travel pattern creates enticing spear phishing opportunities: messages can reference recent stays and use fake past billing ‘surprises’, fake overpayments, fake demands for payment, and other email tricks to get to the click.
Let’s ask the obvious question: is a serious trend emerging around this? Potentially. We recently saw the MGM breach of up to 142 million records – an expansion from an earlier reported incident of cloud data compromise. Security researchers recently spotted a vast cache of passenger records of Thailand and Malaysia citizens circulating again for sale. This could be a new breach, but more likely it’s opportunistic attackers revisiting the new value of last year’s Malindo/Lion Air breach, another cloud-related incident but this time from insiders. This incident took place prior to COVID-19 but involved 46 million passengers’ records, including passport details. Another recent property management corporate breach has shown data from 30,000 citizens including passport photos and driver’s license details. EasyJet in Europe had a recent breach of over 9 million identities, Transavia suffered a breach of 80,000 passengers and India’s SpiceJet was also breached with 1.2 million records exposed.
It’s always questionable why such high-volume data sets are available to either insiders or attackers in the first place with seemingly few controls, but a major factor in the extent of these breaches is the potential availability of copies of data, shared data in cloud platforms, and redundant data from a past process (such as analysis or investigations that have not been expired or destroyed and are now within the realm of the “great unmanaged data” world). Let’s also not forget that Marriott and Choice Hotels have also sustained breaches – data that the criminally motivated could possibly repurpose in the manner described – all pre-COVID-19 and adding to the increasingly large pot of data on travelers and guests globally.
Cloud offers agility
Beyond the harsh economic conditions of the pandemic, a major challenge for enterprises, especially those in the hospitality industry, is first knowing what personal data exists and where it is, particularly within less controlled environments. For example, with the shift to cloud-based applications, more and more organizations are taking advantage of the agility that cloud services offer – yet many organizations still use production data to test in less protected cloud instances of IT where vulnerabilities are more common during development processes. Data thus often finds its way into many corners of the enterprise from production extracts for analysis, extracts for test, and extracts for innovation and insight. This represents a huge risk from insiders, and even greater risk of compromise from mistakes, attacks, or purposeful exploitation.
The number of breaches of S3 buckets or misconfigured cloud orchestration systems leading to leakage is quite staggering, even affecting well-prepared organizations like MGM. S3 storage is relatively simple, yet mistakes happen. Even more complex cloud infrastructures, storage, and container application orchestration systems are now in accelerated adoption – cloud breaches are likely to rise in line with complexity. Yet there’s really no reason why such critical personal data can’t be protected everywhere, including the cloud, with modern approaches like tokenization that neutralize the value of sensitive data to attackers, especially in databases, data lakes, cloud storage, and cloud SaaS applications. Modern tokenization, combined with intelligent data discovery, creates the ability for automated data protection built directly into business processes, application development pipelines, and DevOps processes for both production and test as well as non-production scenarios – avoiding the need to store data as it was stored in the breach involving 46 million records, which clearly lacked data-centric protection and which is now for sale on the dark web. Given the ease of implementation, I can find no valid excuse not to take a modern approach deserving of customers’ expectations of contemporary privacy and security standards. Even in complex distributed booking systems, tokenization can be applied quickly. Anyone interested in seeing how this works should contact us.
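To make the discovery-plus-tokenization idea concrete, here is an added example (not code from the original article or any vendor product) that scans a constructed booking extract for sensitive values and replaces them before the extract would leave production. It uses a keyed, one-way HMAC surrogate as a stand-in for a reversible vault or format-preserving-encryption tokenizer; the key, rule names, and sample rows are all assumptions.

```python
import hashlib
import hmac
import re
import string

# Assumption: a real key lives in a KMS/HSM and never reaches the test environment.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Hypothetical discovery rules: value patterns that flag a field as sensitive.
DISCOVERY_RULES = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "passport": re.compile(r"^[A-Z]{1,2}\d{6,8}$"),
}

def classify(value):
    """Return the name of the first discovery rule the value matches, else None."""
    for name, pattern in DISCOVERY_RULES.items():
        if isinstance(value, str) and pattern.match(value):
            return name
    return None

def tokenize(value, key=DEMO_KEY):
    """Deterministic surrogate that keeps the shape: digits stay digits, letters stay letters."""
    stream = hmac.new(key, value.encode(), hashlib.sha256).digest()
    out = []
    for i, ch in enumerate(value):
        b = stream[i % len(stream)]
        if ch.isdigit():
            out.append(string.digits[b % 10])
        elif ch.isascii() and ch.isalpha():
            alphabet = string.ascii_uppercase if ch.isupper() else string.ascii_lowercase
            out.append(alphabet[b % 26])
        else:
            out.append(ch)  # keep separators such as '@' and '.' so schemas still validate
    return "".join(out)

def protect_extract(records, key=DEMO_KEY):
    """Tokenize every discovered sensitive field; leave non-sensitive fields untouched."""
    return [{f: tokenize(v, key) if classify(v) else v for f, v in rec.items()}
            for rec in records]

# Constructed sample rows (not real passenger data).
BOOKINGS = [
    {"pnr": "QX7T2L", "email": "dana.lee@example.com", "passport": "K12345678", "seat": "14C"},
    {"pnr": "MB93ZA", "email": "dana.lee@example.com", "passport": "K12345678", "seat": "02A"},
]

if __name__ == "__main__":
    for row in protect_extract(BOOKINGS):
        print(row)
```

Because the same input always yields the same token under one key, joins between test tables still work, while a copy of the extract without the key exposes no usable passport numbers or email addresses.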
Given recent incidents, though, recent hotel guests and current travelers should be vigilant and look out for (and even anticipate) suspicious emails purporting to be travel- and potentially pandemic-related. If this occurs, look carefully at the email’s origin and search for signs of phishing to avoid being a victim twice: first of a breach, and then of a successful phish.