In October 2018, Cathay Pacific Airlines announced in a tweet that it discovered “unauthorized access to some of our passenger data.” (1) The breach exposed dates of birth, passport numbers, home addresses, historical passenger travel data, and other vital information needed for travel. In subsequent weeks, investigators discovered the airline had undergone a sustained attack over three months. In a process known as an advanced persistent threat (APT), cybercriminals took the data of 9.4 million past and present Cathay Pacific passengers. To date, this represents the largest airline data breach. When combined with the growing number of compromised hotel chains, (2) a serious threat for travelers has emerged.
Cathay Pacific first detected intrusion into its IT infrastructure in March of 2018 and took immediate action to “head off” the breach. Unfortunately, it was too late. The effectiveness of an APT attack rests with the cybercriminal’s ability to hide in plain sight and monitor for and catch what information they deem as the target. So, for six months, the airline knew of an intrusion and potential data breach, but could do little until it found where the cybercriminals were hiding inside Cathay Pacific’s IT infrastructure. Meanwhile, travelers that used the airline during that six months had no idea their data was at risk.
A broad lens of the issue reveals many Americans do not trust institutions that use and manage their personal data. However, as the Pew Research Center points out, “Cyberattacks and data breaches are facts of life for government agencies, businesses and individuals alike in today’s digitized and networked world.” (3) Cybersecurity experts recommend password management software for securely managing the multiple passwords we use in our digital lives. Despite this, Pew found 86% of respondents used memorization to remember their passwords. These users tend to use passwords they easily remember. Unfortunately, cybercriminals know this and exploit it.
Like other industries, such as banking and healthcare, the travel industry uses sophisticated electronic information systems for managing passenger itineraries and payment information. Known as global distribution systems (GDS), passengers cannot remain anonymous; they must be able to authenticate their identity for security reasons. While there is little a traveler can do to avoid being part of the collection of GDSs that manage the travel industry, there are key things a passenger can do that will protect his or her personal data while travelling.
SECURITY BY DESIGN
When it comes to protecting your personal data while traveling, nothing should be taken for granted. Before doing anything else, travelers should understand that it is not possible to be too careful. Plan the trip with digital data security as a backdrop of safety. Cybercriminals are on the lookout for flaws in design.
Some in the software industry employ the concept known as security by design. Margaret Rouse of TechTarget.com notes: “Security by design is an approach to software and hardware development that seeks to make systems as free of vulnerabilities and impervious to attack as possible.” Moreover, an “emphasis on building security into products counters the all-too-common tendency for security to be an afterthought in development.” Travelers might take for granted the systems they are relying on are secure. In fact, many travel-focused companies may only address existing vulnerabilities and patch security holes with reactive rather than proactive fixes. Travelers need to build security into their travel plans and not assume the businesses they deal with manage their personal data with user privacy in mind.
KEEP TRAVEL EXPENSES SEPARATE FROM EVERYDAY EXPENSES
Conceptualizing security by design can be challenging for the user who frequently employs easily remembered passwords. This is because the password strength needed for today’s security purposes needs to be strong enough that cybercriminals cannot figure them out. Therefore, it is unlikely that one could even remember the collection of characters needed for today’s password needs. Password managers are not a cure-all. Users still must be vigilant and keep their eyes open for suspicious use. This is much easier with a password manager.
Perhaps the most crucial element of a password manager is its ability to help us compartmentalize our digital lives. In other words, password managers help keep our healthcare data separate from our financial data. Travel data has its own purpose that should be separate from all other digital data. So, too, must a traveler separate travel expenses from everyday expenses. Cybersecurity experts recommend not using your everyday credit cards and getting one just for travelling. (4)
Compartmentalizing your travel expenses from your everyday ones offers an extra layer of protection if the credit card is lost or stolen.
MAXIMIZE THE SECURITY CAPABILITIES OF ALL YOUR CONNECTED DEVICES
The Pew Research Center found that: “Many Americans fail to follow cybersecurity best practices in their own digital lives.” This carries over to mobile devices such as smartphones and tablets. According to Pew, 28% of Americans admit they do not use lock screens on their smartphones. Even though two- and three-party authentication is now the norm, many chose to bypass these added security features, opting instead for the easier solution.
Those who use a cloud storage service need to examine its security. While automatic syncing and uploading of those “precious moments” saves us time and streamlines our digital storage needs, this always-connected posture invites cybercriminals. Cloud users often forget that the connection between them and the cloud service depends on a strong password and device encryption. Do not give cybercriminals a back door by using a weak password that is easily hacked.
Do not assume all your devices have encryption protection. While Apple and iOS have built encryption into their products, Android-based devices are playing catch-up. Devices that use Windows are not encrypted by default. The user must install an encryption program on his system.
One particularly troubling aspect of our devices and smartphones is their ability to connect to wi-fi hotspots. Many of us have probably ensured that the “Ask to join a Network” option is changed to “automatic” once we trust the hotspot. This is a result of our routines as we live our lives, but many may not realize that automatically connecting to hotspots gives unauthorized users an invitation to come into our digital lives. An inventive cybercriminal could set up a “rogue” network to mimic a trusted network in hopes of trapping victims as they come into range. The easiest solution is to set up a personal hotspot with your smartphone. Even here a traveler must be careful and create an access password that is strong and deters intruders.
The safest option is a virtual private network (VPN). Installing a VPN on your smartphone means your identity is invisible while the device is connected to the Internet. This is an encrypted link to the Internet that only your devices can connect to. Once connected, the VPN continues to mask identity by creating anonymity.
FINALLY, MASK YOUR SOCIAL MEDIA PRESENCE
For many of us, our social media presences are integral parts of our lives. It is on platforms such as Facebook and Twitter that we socialize with friends and stay connected with family members. Because traveling and vacations do not happen on a regular basis, we tend to tell people using Facebook where we are going and how long we will be gone. This is like holding a sign saying, “I’m vulnerable now” so come hack my smartphone.