Why Hospitality Companies Are Cybersecurity Laggards

by Robert McGarvey

For some years I have reported on cybersecurity fails on the part of airlines, hotels, and miscellaneous other travel players. In the background always a question haunted me: why are so many travel companies so bad at cybersecurity? Sure, hackers hack just about everything but travel companies seem favorite targets, in part because they are indeed sources of valuable data of affluent people but also because, somehow, they just seem less capable at protecting their digital valuables (our digital valuables).

And now there’s a suggestion from Bitglass, a cloud app security broker, that just maybe hospitality companies are in fact utterly deficient in cybersecurity. In its report An Analysis of Cybersecurity in the Fortune 500, Bitglass said it “conducted research on the 2019 Fortune 500 in order to identify whether the world’s leading companies are prioritizing information security and customer privacy. Their websites were scoured for keywords, phrases, and executive security personnel in order to learn about the steps that they are taking to protect personally identifiable information (PII) and customer privacy.”

Bitglass added: “The results demonstrate that many organizations lack an authentic, lasting commitment to enhancing cybersecurity.”

It gets worse. Bitglass found that 77% of Fortune 500 companies “make no indication on their websites of who is responsible for their security strategy.”

Guess what sector is most derelict. Hospitality. 0% – none – have a named executive in charge of cybersecurity on their websites. And that’s despite the industry’s many breaches. Eight hospitality companies are in the Fortune 500; all failed.

Manufacturing is next worst. Only 8% name a cybersecurity exec on their websites. Telecom comes in third worst with 9%.

Hair-splitting time. In this context “hospitality” refers mainly to hotel companies and some restaurant groups. Not airlines, which are grouped under “transportation.”

Hospitality also comes in at the bottom regarding the percentage of companies with website info “about how they are protecting the data of customers and partners.” Just 25% of hospitality companies offer this info, tied at the bottom with oil and gas companies and construction companies.

That double fail wins hospitality a starring role in Bitglass’ list of least security conscious industries.

Transportation, by the way, does much better. 57% list an executive in charge of cybersecurity and 36% have a statement. This is not to say breathe easily at airline sites (loyalty programs have had their hacker problems). But they do do better than their hotelier brethren.

Here’s the question that matters: What are we to do to stay safe? The start is accepting it is our job. Hospitality companies don’t have our backs. If we are to be safe it is because of what we do (or don’t do).

Rule one: Assume that any hospitality site you use will be hacked. Take that seriously. It means that any data you leave at the site may end up in criminals’ hands. Personally I am just as suspicious of airline sites. I follow the same precautions at both kinds.

Never use passwords that are used at important accounts – a credit union or bank, for instance – at a hospitality site. Hackers use computers to automate testing of stolen passwords at leading banks precisely because they know many of us are lazy and dumb and use a password at multiple locations. Just don’t.

Personally I use Google generated passwords at most hospitality and airline sites, mainly because I generally log in on a mobile phone with a fingerprint and a long, complex password is fine. Either way, though, remember that a hospitality site probably will be hacked.

Do keep tabs on anything of value that you have at hospitality websites. Loyalty programs have for some years been hacker targets. Your points may already have been stolen. A corrective is to regularly monitor balances. How often is enough? It depends upon how valuable a stash is. I think I have some Delta miles but couldn’t tell you when I last looked because I know there aren’t many.

But with the sites where I have large deposits of loyalty points I log in at least monthly. I can’t say I have personally seen miles stolen but I nonetheless do check regularly.

While you are at this, stop using hotel WiFi – it’s dangerous.

Personally, just this week I ignored my advice because my cellphone hotspot was anemic and I had free hotel WiFi via Hilton Honors and I was traveling with an old Chromebook that had no personal data on it. I also didn’t access any sensitive sites (banking for instance).

But whenever possible, use something safer than hotel WiFi.

Can you travel and not get hacked? Maybe. Sure in fact. I don’t believe I ever have been. But my inflexible advice is to always assume you will be hacked. That’s how to stay safer on the road.
