Marks & Spencer's lengthy battle to bring its systems back online following a cyber-attack thrust the issue into the media and public spotlight earlier this year.
However, the list of cyber-attack victims this year also features travel brands like British Airways, LNER, Vietnam Airways and the Co-op, while the Jaguar Land Rover hack is thought to be the costliest in UK history.
So far, it’s been high-profile names that have gone public, and while no agent or operator has yet admitted to being hacked, it has happened – and will happen again.
Travel has many attractions to hackers: it is characterised by frequent, high-value transactions, often from affluent clients who readily share their passport details with firms.
Then there's pipeline monies, and the bonus that a successful hack could allow perpetrators to learn when someone's home may be empty for a fortnight.
'It could put businesses under'
The issue came up at last month's Abta Travel Convention, which was held just a few weeks after a cyber-attack on Collins Aerospace brought down systems at several major European airports, including Heathrow.
There was also the attack on the UK's Kido nursery chain, which saw the assailants make threatening phone calls to parents and post profiles of their children online. Two 17-year-olds have since been arrested in connection with the incident.
So could travel's major players like Jet2 and Tui be taken down – even temporarily – by teenagers? And what are the risks for travel agents who frequently handle sensitive customer data?
Jet2.com and Jet2holidays chief executive Steve Heapy told the convention cyber-attacks were a “huge risk to businesses” and urged them to seek advice. “You can't under-estimate the impact of a significant cyber-attack – it could put businesses under,” he said.
"If you cannot trade for a couple of weeks and then you get a massive fine and then a class action off customers for their details being released into the public, that can take you under. So it's very important companies take this seriously. We spend a lot of money, and I'm sure our competitors do as well, on protecting ourselves.
"But any business, however big you are, needs to do the same. If you are attacked, customer details are released and you can't operate as expected, it can have a catastrophic effect.”
Tui UK and Ireland managing director Neil Swanson added: “I think you've just got to make yourself more difficult [to attack] than some other companies, which maybe isn't a nice thing to say, but these people are going to go where they can get in most easily.
"You've got to make sure you're not one of those businesses.”
'Brought to their knees'
Jon Pickles, chair of the Travel Technology Initiative and founder of Sygnifiq consultancy, isn't aware of any agents that have been hacked but disclosed there were “a couple” of operator victims that were “keeping schtum”.
“Their booking systems were brought to their knees,” he said. Worryingly, Pickles believes hackers are yet to fully appreciate the opportunities travel presents, apart from the obvious ransom demands.
"If you hold information about when people are on holiday and hackers sell that, that’s huge,” he said. In the case of celebrity clients, booking using a pseudonym can only work so far - not on ticketing, for example. “Knowing when someone is away can be rich pickings," Pickles added.
Abta told TTG it was unaware of any agent member being hacked, as did the Advantage Travel Partnership, although head of business development David Moon said: "We continue to see ongoing general scam activities being reported, including card fraud, phishing emails, and in some cases, website cloning.
"We advise members to follow good cyber hygiene practices: use multi-factor authentication, train teams to identify suspicious messages, and keep all software up to date. When members have experienced problems in the past, it has often been due to not having these basics in place.
"If an agent does find themselves affected, our advice is to act quickly. Disconnect affected systems, notify your IT provider and report the incident to Action Fraud, which companies are often reluctant to do. And if a data breach is identified, it must also be reported to the Information Commissioner’s Office.”
Agents – stop sharing passwords
Individual agents are potentially as much a target as bigger travel names. Airlines are vulnerable because they use legacy systems that predate hacking, but day-to-day office software is also susceptible.
Pickles believes agents are more vulnerable than they realise. “What I notice about travel agents is they all seem to share the same password," he said. "They often have only one login for a tour operator or cruise line, and they throw it around the office when the public are in there. There needs to be a clampdown on that.”
He recommends multi-factor authentication, which entails a secondary code, often sent by text. “People don’t like it, but it’s the best security we have. Systems that log out after a period of inactivity are also key.”
He warned of another peril, Artificial Intelligence, which some now use to prepare itineraries. He is also sceptical of chatbots like ChatGPT which retain information: “A lot [of travel staff] use it for research; they don’t realise what they’re putting out there. It’s a risk area coming up.”
Pickles has other concerns. “AI is making phishing, deep fakes, etc, a lot easier. Using AI, it’s very easy to sound like a travel agent or a chief executive."
WiFi, hybrid working and VPNs
There is enough evidence to be worried. The government’s 2025 Cyber Security Breaches Survey found 42% of cyber-crimes were on medium-sized businesses and 25% on small businesses. Similarly, 43% of SMEs had identified cyber breaches and attacks. Among these, nearly half (46%) became victims of cybercrime.
The Information Commissioner’s Office, which oversees IT issues and data protection, estimates there were 7.7 million UK cyber-crimes in the year to September.
Its advice for businesses is to:
- Ensure back-ups work and are not connected to a live data source so they can’t be corrupted;
- Use at least two forms of ID for access;
- Ensure WiFi is secure, and if using a public network, consider using a secure VPN (Virtual Private Network);
- Limit access to those who need it; and
- Don’t keep data longer than is necessary.
The advice on VPNs is important for agents on the move, particularly when using WiFi at airports, which are usually unsecured networks. Likewise, hybrid working may increase risks if staff use their own IP address.
"WiFi is a big one," said Pickles. "You have no idea who is listening in a cafe or airport and yet people do their banking on it."
Back to pen and paper?
Advantage recommends the National Cyber Security Centre website as an “excellent resource”. The NCSC advice is simple – if you're attacked, never pay up, because there is no guarantee hackers will relent, plus a repeat attack becomes more likely.
Some breaches will inevitably attract media attention, and the NCSC advises managing fears that personal data has been leaked. It warns: “A cyber incident can resemble an earthquake in its impact. When it first happens, there is often an immediate shockwave.”
Recovering from that shockwave means having a plan, and one final piece of advice again comes from the government, which recently wrote to chief executives spelling out something many businesses don’t do.
This was to write an emergency plan on paper so when a cyber-attack comes, help and advice is in the filing cabinet, not buried in a hard drive you can’t access.
Sometimes, the old ways are best.

