Top tips to keep your data secure

Using Google may be a quick and easy way of searching for information.

However, browsing the web isn’t without its pitfalls.

“Always use a secure connection,” says McGowan. “Simply having ‘https:’ at the beginning of the browser’s URL bar can protect you from a large variety of potential threats.”

These include “drive-by attacks”: cybercriminals looking for insecure websites to plant malicious code on one of the pages. When agents visit the site, malware is installed on their device. Such instances are called drive-by attacks because they require no action on the part of the victim. Locking the windows and doors of your agency doesn’t mean it’s safe from attacks either, says McGowan.

“At the end of the day, shut down, or at the very least, switch off wireless and Bluetooth on all devices. This prevents hackers from accessing devices if they are connected to an open network or any other connection.”

Feherty Travel in Bangor, Northern Ireland, has recognised the importance of keeping data secure. Company director and part owner Scott Parker has ensured his business is protected through education and implementing practical measures.

“I attended a course on general data protection regulation (GDPR), which I then wrote up and trained our staff on. We have also installed new filing cabinets with locks to keep data secure, purchased shredders and replaced door locks on our archive room,” he explains.

McGowan says agents should warn clients about using public Wi-Fi in airports, hotels and cafes.

“Because information that’s transmitted is generally unencrypted. It’s not just the hotspot that’s public – it’s your data too. You might as well shout out your details. A compromised router can vacuum up a lot of personal material relatively simply.

"Just getting into your emails, for instance, gives hackers access to your usernames, passwords, and private messages. It’s fairly easy to set up a fake access point (AP), and it’s well worth the effort for cybercriminals.”

Using a VPN in this instance will provide a level of encryption between the user and a website, says McGowan. It makes intercepted data unreadable by a hacker without the correct decryption key.

“‘Packet sniffing’ is another method used by hackers to acquire airborne information then analyse it at their leisure. A device transmits a data packet across an unencrypted network, which can then be read by free software like Wireshark. The bottom line is, never turn your Wi-Fi or Bluetooth on in public places unless you are in a trusted area.”

Finally, for agents embarking on fam trips, McGowan recommends taking a loaner device to deter cybercriminals.

“This is when the IT department would lend an agent a clean laptop or smartphone for their trip. This ‘loaner’ would be better protected if it were misplaced or stolen, as they would be able to guard the data more effectively. For a small business, buying one laptop for travel and making someone responsible for keeping its security systems updated and patched would also work.”

Farina Azam, partner at Travlaw, offers legal advice to consider when handling customer data

What are the implications for travel agencies if they misplace or misuse client data?
Under GDPR, travel businesses are under obligation to have appropriate technical and organisational measures in place to ensure the personal data they hold and process is kept secure. What would be considered appropriate measures will depend on the type of personal data being processed (i.e. the volume of data being processed, why and how sensitive it is), as well as the travel business in question, its size, employees and activities. If a travel business doesn’t have appropriate technical and organisational measures in place, and personal data is misplaced or misused, this would be a breach of GDPR, as well as being a data breach, which needs reporting. As we all know, fines under GDPR are hefty – up to £17 million or 4% of global turnover.

What happens when data is stolen despite the best possible efforts having been made to keep it secure?
If possible, the agent will need to assess who has stolen what data and what the potential risk is to the client whose data has been taken. If there’s a risk to rights and freedoms, the agent will have to report the breach to the Information Commissioner’s Office (ICO). If there’s a high risk to a customer’s rights and freedoms, for example if passport details have been stolen, then the agent will also have to report the data breach to the affected customers. The obligation to report a data breach applies regardless of the circumstances of the breach, including where the agent has done everything they could to keep the data secure.

Where can agents look for more advice?
The ICO (ico.org.uk) has advice and information on complying with GDPR and data security, especially for small businesses.