It probably is about time we discussed the fact that we are holding important data about each of our clients. A data breach at a large agency could provide a treasure trove of personal information about our clients of great value to hackers and more legitimate entities. We are guardians of some very private information about those who entrust some of life’s greatest moments to our care.
Think about it. Even the smallest mom-and-pop travel emporium keeps records that can reveal the following about clients:
- Their income and spending habits.
- How often they travel and where.
- The kind of food they prefer.
- How they like to sleep, and who tends not to sleep in the same bed with a spouse.
- Medical conditions that might place limitations on what they can do.
- Recent hospitalizations and medical insurance claims.
- Where they will be traveling next.
- What they read, the magazines to which they subscribe and the websites they use.
- Flight and rental car data and the class of services they prefer.
There are more, but let’s stop there. Our clients tend to spend more with us in a year than they spend with other professionals like their attorney or their physician. We are, perhaps reluctantly, in the data accumulation business. And despite our best intentions, one doesn’t have to be too clever to conclude that if you want to know a great deal about a person you might want to see some of what is stored in the offices of those who handle their travel planning.
In January 2013, I wrote a two-part series on “Facebore.” In the introduction, I wrote “We’ve all been drinking the same Kool-Aid originally mixed up in Mark Zuckerberg’s apartment, but at the risk of being the last Facebook skeptic in the room, I have to tell you I’m not quite ready to turn the lights off.”
I’m still not. Facebook is a clear and present danger when it comes to our own personal information and that of our clients. We need to do a better, more professional job protecting our data. But to do that, we have to have a clear sense of the dangers posed by some of the largest social media players.
We can’t pretend we are immune from this struggle. Their job is harvesting the information we have; our job is protecting it.
In the series, I asked, “What exactly does Facebook produce that justifies its valuation? What product does it sell?”
As it turns out, it only manufactures one thing, one commodity: deep-dive information about each user. It then sells this private stuff to third parties. Why in the world would a sane person support such efforts?
Facebook has several businesses, each built around some form of data collection. Its ad business generated $40.6 billion last year. You know the goal. If they can get what you have stored on your computers, they can tailor specific ads from tens of thousands of companies to reach you when your searches indicate a potential purchase. That is a part of the end game.
But data collection does not end there. Governments also have an interest in collecting data. Knowing who our good citizens might be, as well as those who are not good citizens, might increasingly be seen as a valuable tool of government.
There is one major experiment in this new area of using technology to monitor “citizenship.” I will be writing more about this in the future because I think it could be the most fascinating thing going on in contemporary China. The Chinese government is collecting data, including comprehensive photo surveillance in its largest cities. The goal is to give every Chinese citizen a citizenship score, much like a personal credit score. Those with the highest scores will have access to first-class air seats, the best seats on the best trains, even seats at plays and concerts. It is a fascinating Big Brother experiment, and our clients ought to know how it works.
I don’t think very many agency owners have put much thought into protecting client data. How many of us, for example, have hired professionals to assist with our storage requirements? How many have set up effective walls making us immune to hackers and corporations dedicated to collecting as much personal data about our clients as they possibly can?
Facebook knows all the basics about your employer, where you are at any moment and how you live your life. Facebook collects the minute details of the likes and dislikes of its 2.2 billion users.
If you watched Zuckerberg’s recent, uncomfortable testimony before Congress, you could see that even he was confused about the depth of knowledge Facebook has or soon will have about each of its members — everything from wealth and spending to health and political beliefs.
But that is just a general overview. You probably knew all of this. What I think you might not be aware of is the fact that our general lack of data security has already impacted portions of our industry.
No one is more sophisticated about big data and the need to protect it than the Japanese. But Japan’s largest travel agency, JTB, was the victim of a recent cyberattack that led to the theft of data belonging to 7.9 million users.
This might not seem like such a big thing. After all, what could they get? Names, addresses, email accounts? But wait. Embedded in the reporting of this travel industry cyberattack was one other little fact. They got everyone’s passport numbers, a particularly prized piece of information that can be used to create fake passports and travel documents and for identity theft. In other words, in the hacking world, passport numbers are pure gold.
Perhaps the most important message to take away from the JTB hack is that this huge, successful chain likely had one data breach in one branch office where an employee apparently opened a phishing email and downloaded the file attached to it, enabling malware to infect the firm’s computers, which revealed confidential customer information stored on the company’s servers.
Two Hong Kong travel agencies were hacked in January. Goldjoy and Big Line Holiday reported that hackers had broken into their client files, stealing ID card numbers and other personal information.
These two cases are a bit different in that the hackers sent them a letter demanding a ransom to be paid in bitcoin.
Last November, one of Hong Kong’s largest travel agency chains, WWPKG Holdings, revealed that its customer records had been hacked and that a seven-figure ransom was being demanded.
The powerful Hong Kong Information Technology Federation said that firms in industries that collect large amounts of up-to-date customer data, “such as travel agencies,” were among the most vulnerable targets.
In September, Hanatour, South Korea’s largest travel agency, was hit by a major cyberattack in which the personal information of just over a million users was compromised. Social security numbers were taken, and Hanatour reported that the group responsible has demanded large payments in bitcoin. They promised to release the data if they were not paid their ransom quickly.
Sabre has been hacked; InterContinental Hotels Group reported that just over 1,000 of its properties had been hit with malicious software. In both cases, some client credit card data was compromised.
Orbitz was hit with a data breach in 2016 that affected 880,000 credit cards.
There is clear evidence the travel industry faces a higher-than-normal threat to the safekeeping of our in-house data. That would seem to suggest that we ought to be considering professional analyses and recommendations. It would also seem wise for every agency to schedule on-site training so that every employee — every single one — fully understands phishing and what files should and should not be opened.
We are the guardians of our clients’ well-being when they travel. But we also need to be the custodians of their personal information in the best ways available to us. Double encryption and the strongest available antivirus protection are the first important steps.