2 July 2019
The Marriot case and cybersecurity in the tourism sector
Both those of us who are involved in cybersecurity and those who are not no doubt have in mind the recent hacking of Marriott, one of the world’s most important hotel companies, given the media impact of the news. At the end of last November, we woke up one fine day to discover that the multinational had confirmed it had suffered "unauthorised access" to its client database. We are talking about the data of 500 million people.
Specifically, the access took place through the reservation centre of the company of the Starwood group, a chain with which it merged in 2016. It has been speculated that the data accessed and “extracted” could include names, telephone numbers, email addresses, passport numbers, dates of birth, check in and check out information, as well as client credit card numbers, along with their expiry dates.
The cause, beyond a possible third-party malware attack in the IT systems of some hotels, has not been revealed.
The truth is that this macro-hacking displays a reality which had been clear for some years for cybersecurity experts: the tourism sector is a clear target for cybercrime, and cybersecurity must be a priority for organisations devoted to tourism.
This sector, like so many other industries at the time, has undergone what I personally call the “democratisation” of cybersecurity: the unstoppable advance of digital transformation and the mass use of technology have increased extraordinarily the “attack area” of these companies, thus increasing their likelihood of being a target. Online reservation platforms (accessible both through web applications and mobile apps), systems for the mass analysis of the data of clients and potential clients, based on artificial intelligence, machine learning and big data, the mass use of the cloud, the outsourcing of numerous services (either in the management or marketing process of clients or others in the business value chain), IoT automation of the control of access to facilities and resources, exponential increase in corporate information systems, as well as mobile devices, the mass interconnectivity of systems and technologies and a long etcetera comprise a far greater target for hackers compared to the IT infrastructure of just a decade ago.
Why might the tourism sector be a target? I will attempt to cast light on this matter:
On the one hand, indiscriminate attacks such as phishing, ransomware, malware, etc., are and will clearly become more frequent as the use has increased of information systems “on a user level”, making them also vulnerable to these types of attacks
On the other hand, beyond any attacks more aimed at “traditional” purposes, such as harming the image of the company through the degradation of the service or bad publicity on social networks, corporate or client data theft due to reasons of industrial espionage, etc., we find some “new” reasons.
The information these organisations possess is the key: vast amounts of credit card and banking data which cybercriminals want to traffic to subsequently try and steal cash; enormous amounts of personal data and emails to be used in phishing campaigns, blackmailing, identity theft, fraud and countless criminal uses; the sale of data regarding likes, opinions and trends, etc., for marketing campaigns and market research studies, and for many other criminal purposes.
In addition, there are also far darker reasons, related to cyberespionage, cyberintelligence and cyberterrorism in the tourism sector. Let us imagine that some of these companies might have information on relevant personalities, whether these are celebrities, those holding political, governmental, military or religious positions, high-level dignitaries, executives from large corporations, etc.
Data such as, for example: locations and times/dates (country, city, even the room, including the time or day), likes, allergies, medical afflictions, details of their travel plans (aeroplane, limousine, taxis, and so on) and much more. Clearly, the possession of this information, depending on who accesses it, at what point and with what intentions, could come to have very serious implications for people’s integrity, even on a scale of the global security of corporations, institutions and the national security of whole countries.
To this end, given the relevance cybersecurity might come to have in the tourism sector and its entire supply chain, here at the Information Security area of Auren, as experts in the matter, we also help to advise organisations in the tourism sector and their providers, to analyse, define and implement those prevention and detection measures in matters of cybersecurity in their various business procedures and purely ICT processes (which may be necessary depending on their level of risk exposure) to try to mitigate those threats to which they may be subject.
José Miguel Cardona, Auren Spain