With a number of high-profile data breaches in the headlines towards the end of 2018 – including Heathrow airport paying £120,000 in fines after an employee lost a memory stick containing personal data, and hackers making off with the personal information of more than nine million Cathay Pacific passengers – it feels as if there is still a gap in data protection education.
Enter Graeme McGowan, senior tutor and advisory council member at the Global Cyber Academy – a software training institute offering data security courses to individuals and businesses. Here, he gives tips to help travel agencies minimise the risk of data breaches.
First and foremost – McGowan recommends encrypting office hardware and software – computers, social networks and chat functions.
Encryption is simply the process of encoding a message or information in a way that only authorised users can access it.
“Using a pin, passcode or fingerprint to unlock your smartphone is sufficient, as most phones have built-in end-to-end encryption,” he says.
“It’s the same for a Windows PC or laptop, and encryption is turned on by default. But it can be undermined if you have no passcode when you boot up. Apple products are all fully encrypted, as are Android phones.”
Ensuring passwords are regularly updated is just as important, he says.
“Agents should change passwords regularly and never recycle any for a pin, safe or security box.”
Adequate antivirus software is critical too, McGowan warns, adding: “Make sure whatever software package you choose is patched and up to date. I use Avast Pro on my PC and other devices. It has everything you need, including a virtual private network (VPN) and some very useful tools to monitor your footprint.”
He advises agents to avoid using shared computers if they can, which may prove difficult in an agency with a limited number of machines.
“If you must use a communal computer, avoid sharing any information – do not save passwords, and employ two-factor authentication when logging into accounts.”
Two-factor authentication is an extra layer of security that requires not only a password and username but also a security token, like a code.
“For example, in online banking, you often need a pin that’s sent by text message to complete the transaction,” he adds.
Using Google may be a quick and easy way of searching for information.
However, browsing the web isn’t without its pitfalls.
“Always use a secure connection,” says McGowan. “Simply having ‘https:’ at the beginning of the browser’s URL bar can protect you from a large variety of potential threats.”
These include “drive-by attacks”: cybercriminals looking for insecure websites to plant malicious code on one of the pages. When agents visit the site, malware is installed on their device. Such instances are called drive-by attacks because they require no action on the part of the victim. Locking the windows and doors of your agency doesn’t mean it’s safe from attacks either, says McGowan.
“At the end of the day, shut down, or at the very least, switch off wireless and Bluetooth on all devices. This prevents hackers from accessing devices if they are connected to an open network or any other connection.”
Feherty Travel in Bangor, Northern Ireland, has recognised the importance of keeping data secure. Company director and part owner Scott Parker has ensured his business is protected through education and implementing practical measures.
“I attended a course on general data protection regulation (GDPR), which I then wrote up and trained our staff on. We have also installed new filing cabinets with locks to keep data secure, purchased shredders and replaced door locks on our archive room,” he explains.
McGowan says agents should warn clients about using public Wi-Fi in airports, hotels and cafes.
“Because information that’s transmitted is generally unencrypted. It’s not just the hotspot that’s public – it’s your data too. You might as well shout out your details. A compromised router can vacuum up a lot of personal material relatively simply.
"Just getting into your emails, for instance, gives hackers access to your usernames, passwords, and private messages. It’s fairly easy to set up a fake access point (AP), and it’s well worth the effort for cybercriminals.”
Using a VPN in this instance will provide a level of encryption between the user and a website, says McGowan. It makes intercepted data unreadable by a hacker without the correct decryption key.
“‘Packet sniffing’ is another method used by hackers to acquire airborne information then analyse it at their leisure. A device transmits a data packet across an unencrypted network, which can then be read by free software like Wireshark. The bottom line is, never turn your Wi-Fi or Bluetooth on in public places unless you are in a trusted area.”
Finally, for agents embarking on fam trips, McGowan recommends taking a loaner device to deter cybercriminals.
“This is when the IT department would lend an agent a clean laptop or smartphone for their trip. This ‘loaner’ would be better protected if it were misplaced or stolen, as they would be able to guard the data more effectively. For a small business, buying one laptop for travel and making someone responsible for keeping its security systems updated and patched would also work.”
Farina Azam, partner at Travlaw, offers legal advice to consider when handling customer data
What are the implications for travel agencies if they misplace or misuse client data?
Under GDPR, travel businesses are under obligation to have appropriate technical and organisational measures in place to ensure the personal data they hold and process is kept secure. What would be considered appropriate measures will depend on the type of personal data being processed (i.e. the volume of data being processed, why and how sensitive it is), as well as the travel business in question, its size, employees and activities. If a travel business doesn’t have appropriate technical and organisational measures in place, and personal data is misplaced or misused, this would be a breach of GDPR, as well as being a data breach, which needs reporting. As we all know, fines under GDPR are hefty – up to £17 million or 4% of global turnover.
What happens when data is stolen despite the best possible efforts having been made to keep it secure?
If possible, the agent will need to assess who has stolen what data and what the potential risk is to the client whose data has been taken. If there’s a risk to rights and freedoms, the agent will have to report the breach to the Information Commissioner’s Office (ICO). If there’s a high risk to a customer’s rights and freedoms, for example if passport details have been stolen, then the agent will also have to report the data breach to the affected customers. The obligation to report a data breach applies regardless of the circumstances of the breach, including where the agent has done everything they could to keep the data secure.
Where can agents look for more advice?
The ICO (ico.org.uk) has advice and information on complying with GDPR and data security, especially for small businesses.
What’s your view? Email firstname.lastname@example.org and let us know your thoughts or leave a comment below.