How to protect your data when booking a holiday online
Breaches are increasingly common but there are several useful ways to avoid your personal details being stolen
Your support helps us to tell the story
From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.
At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.
The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.
Your support makes all the difference.As consumers, we’ve never had more freedom – to research holidays, compare prices and book online.
But with such freedom comes risks: the instances of big data breaches seem to be on the increase when it comes to the travel industry, with high profile hacks in recent years including Expedia, British Airways, booking.com and Marriott.
According to Chris Morales, head of security analytics at Vectra, there’s nothing in particular these companies are doing wrong – but once a hacker has decided to target a business, all they have to do is bide their time.
“Anything can be compromised with enough intent, will and desire. It’s a case of focus, time and effort. The question is, how quickly could a company know they were compromised and how quickly do they respond to it?”
Here’s everything you need to know about protecting your data when booking a holiday online.
How do websites get hacked?
It’s common to compromise the website itself, according to Morales, which is what happened in the Expedia case.
“Once they’re on, they put software on the site and then start to extract information as people click through and make purchases. From there, they can also start to get deeper into other connected systems that tend to have lots of data – for example, with Expedia they had access to hotels, rental car companies, cruises. It’s a lot of information.”
He says the way hackers get in is fairly benign, usually taking advantage of a flaw in the website. “Once they’re in, it’s all about how long they can sit on there unnoticed,” says Morales. “It’s kind of like someone breaking into your house – how long would it take you to notice, and how long for the police to come and get them out?”
What do hackers use the personal data for?
The short answer is, it depends.
“For something like credit card data, they’ll put it on the black market – the dark web usually – and sell it immediately,” says Morales. This is because data has a lifespan of value; credit card details are good if they’re still fresh, before the hack is noticed and people start changing their card numbers.
However, there are other types of data hackers are interested in.
“The Marriott hack was more about spying on people – nation states trying to understand the movements of political figures,” says Morales. “It’s one thing to know someone’s credit card details, and quite another to know where they’re going to be, which countries they go to and when.
“That’s more what we’d call cyber espionage.”
Morales said he’d also noticed a trend of hackers targeting airlines and hotels to steal airmiles or reward points.
“It turns out you can sell those for a profit or use them yourself,” he says. “That’s something I’ve only heard of happening in the last couple of years.”
American Airlines and United both admitted they were compromised during the last 18 months, with the perpetrators stealing the miles from 10,000 reward accounts.
“The only things that get reported are when personal information or credit card numbers are stolen. Because of that, airmiles and points are easier to take and no one notices.”
How can consumers protect themselves when booking a holiday?
It’s tricky, according to Morales. We’re a digital society now, and using the internet to pay for things is often unavoidable.
However, there are some things consumers can do.
“Try to minimise how much you use your credit card,” says Morales. “I prefer using third party apps such as Paypal wherever possible.”
However, a credit card is preferable to a debit card, he says, because if someone makes unauthorised payments on your credit card, you’re covered under the Consumer Credit Act. This means you should be able to claim your money back as you’re jointly liable with your credit card issuer.
Being aware of any suspicious activity in your account is also important.
“I’m quite strict about checking bank accounts regularly,” says Morales. “It’s less about trying to stop the compromise, because we can’t control that. But the one thing we can manage is ourselves – staying vigilant means we can keep on top of any fraud and cancel our cards before things escalate.”
Anything else you can do?
“Be vigilant,” says Morales. “I do credit checks all the time, to see if anyone’s opened a credit card in my name or used my card.”
He also recommends regularly changing passwords online, and getting a new credit card each year.
“I request a new card every January,” he says. “Then, if someone like Expedia is hacked, there’s a greater chance it will be my old data that’s stored on the site.”
What precautions can holidaymakers take to protect their data while abroad?
There are three key things to be aware of.
Firstly, using public wifi hotspots. “Think about where you are and what you’re doing,” says Morales. “It’s OK to go to Starbucks and look up restaurant choices online; but don’t go to a hotspot and check your bank account. You never know who might be looking.”
Secondly, be aware of ATM credit card skimmers – small devices in cashpoints that take your card information. This can happen more frequently when travelling in countries where the authorities are less vigilant.
“Try to use trusted locations to take money out, such as a bank, rather than a random ATM on a street corner,” says Morales.
Finally, a new concern for security is holidaymakers posting social media updates in real-time.
“I’m always curious about people using Instagram in real-time – telling whoever’s watching that your house is empty if they wanted to rob it! It’s interesting, because it’s something happening in the cyber world that can facilitate physical, real-world crime.
“I don’t post until I get home. Post the picture when you get home, enjoy the scenery while you’re away.”
What should you do if you think your data has been breached?
It depends what you think was lost. If you see suspicious activity in your bank accounts, or something odd comes up on a credit check, contact your bank immediately.
“Change all passwords,” advises Morales. “I got nervous that someone had compromised my Google account, so I changed the password straight away, killed all connections to the account and reset them.”
He also suggests using two-factor authentication wherever possible – getting a website to ask for additional information on top of a password when signing in or making a purchase.
Unfortunately, holiday booking sites don’t often give this as an option. “A travel site is all about efficiency rather than security – they want to make it as easy as possible to book,” says Morales.
But until companies learn to see security as a serious priority, there will likely be many more data breaches in the travel industry’s future.
Join our commenting forum
Join thought-provoking conversations, follow other Independent readers and see their replies
Comments