Travel Agents Must Remain Cyber-Vigilant

by Richard D’Ambrosio July 18, 2016

A number of recent high-profile data breaches in the travel industry have put travel agents back on notice that a variety of cyber schemes put their businesses at risk.

In June, JTB Corp, one of Japan’s largest travel agencies, announced that data from more than 7.9 million customers was compromised when an employee opened an infected e-mail attachment. The hacked information included customer names, addresses, e-mail addresses and about 4,300 valid passport numbers, JTB said.

The cyber-attackers used PlugX (Korplug) and Elirks malware to get into one employee’s computer, which then allowed the hackers to install a “backdoor Trojan” software program that granted them wider access throughout JTB.

Experts call the JTB attack a form of “spear-phishing,” using an e-mail that appears to come from a trusted party. The JTB email appeared to be a travel booking request from All Nippon Airways. JTB was one of many Japanese businesses similarly targeted at the time. Chinese hackers are suspected.

On July 8, Dallas-based Omni Hotels & Resorts became the latest in a long list of hotels whose properties’ point-of-sales-systems have been attacked, putting at risk anyone who used a credit or debit card on-property. Omni said guests who didn’t use a physical card likely were not affected.

Omni, which has 60 hotels in the U.S., Canada, and Mexico, initially learned of the attack on May 30, and held off announcing the breach to the public while it conducted an investigation. Possible affected information includes guest names, credit and debit card numbers, card expiration dates and card security codes, Omni said.

Travel agents at risk
What these prominent breaches point out is that the travel industry is still highly susceptible to cyber security breaches, and agents are especially vulnerable because they cannot afford technology solutions to detect things like credit card fraud.

There’s been no indication that JTB’s stolen customer data is being used in fraudulent transactions, but hackers sometimes wait a few years.

Mary Pat Sullivan, a leisure analyst for PhocusWright, says that the greatest vulnerability for travel agents are those with gross annual sales volumes of $1-10 million. PhocusWright recently wrapped up a research study with more than 160 travel agencies, 80% of whom have been in business for 10 years, with about a 57% leisure travel booking share.

Sullivan said that agents that are entering into new geographic markets, increasing their online reservations, booking overseas trips to and from certain destinations, or relying on manual reviews of travel requests can find themselves booking trips with stolen credit cards. Air, cruise and package vacations are the largest targeted areas, Sullivan said.

Because agencies with $1-10 million in sales generally are short-staffed and have less money to spend on sophisticated, software-based technology tools, their “detection and review are almost entirely manual,” the study found.

Even large agencies pay the price of fraud, PhocusWright said. About 7% of their bookings are flagged for possible fraud and manually reviewed by an average of six employees, creating productivity issues. The most common methods used to validate a credit card are verifying the card number and address verification.

When a reservation is made on a fraudulent card, agencies experience chargebacks from their credit card providers that typically end up hitting the bottom line. According to PhocusWright’s data, agencies with more than $10 million in gross sales challenge 21.4% of chargebacks, but win a reversal only 14% of the time.

With such a poor winning percentage, “a lot of agencies just walk away from chargebacks,” Sullivan said.

Turning away good customers for fear of bad ones
Additionally, agents who have been burned often turn away business from potential new, honest customers. “They steer away from new business where they suspect higher risk,” said Sullivan. One owner of a $35 million agency told PhocusWright through the survey, “I don’t want strangers booking with me.”

Agents are trying to deal with the issue. According to PhocusWright, 27% of respondents said they want to add fraud monitoring technology tools in the next 12 months, but 61% will simply continue manual reviews.

Doing nothing can hurt an agency’s ability to grow, or damage relations with existing customers if a review mistakenly causes an agency to reject a valid reservation. Nathan Wood, director of product management at Visa’s CyberSource, a provider of credit card processing, fraud and security risk management solutions, asks agents to think about their investment in fraud management as a growth strategy.

“When you add automated tools, you’re really trying to help your good customers,” Wood said. Adding fraud prevention tools also allows agencies to explore technology that can enhance their customers’ experience.

“We’re seeing so many creative mobile apps in the travel industry,” he said. “But fraudsters love anything new. They will try to exploit any back door.” Adding fraud prevention tools allows agencies to comfortably develop new products and services that rely on software and mobile technology.