What happens to your personal data when you go on vacation?
The travel and hospitality industry is loved by all, customers and businesses alike. In the past few months, we’ve seen tech giants make curious moves that demonstrate their growing interest in this lucrative vertical, believing that if you want to rule the world, you might as well focus on those busy exploring it.
In May last year, Amazon announced an intriguing collaboration with Indian domestic flight booking company Cleartrip, which many analysts believe to be a telling sign regarding the company’s travel tech strategy. Google, which already offers several travel-related tools, added new and exciting features to its Google Travel platform that are meant to encourage users to book their trips via the company.
When two of the Big Four tech companies pay attention to something, we pay attention as well. There are a few good reasons for data-hungry tech giants to focus on the travel and hospitality sector. First, it is very lucrative. The value of the global online travel market reached more than $629 billion in 2017, and is expected to reach approximately $818 billion this year. Moreover, travel data enables us to learn a great deal about a user’s status and preferences, leading to a number of solid business opportunities within and outside the travel world. In other words, those who know how you choose to travel, know who you are, which for companies like Google and Amazon is the core of the business.
Unfortunately, the travel sector is also known for suffering some of the biggest data breaches in history, with almost 70% of travel buyers stating that their travelers were affected by a payment-related data breach from an outside vendor such as a hotel, airline or retailer in 2019. Just a few months ago, British Airways faced the largest data breach fine ever and was asked to pay more than £183 million following a 2018 hack that revealed the personal data of around half a million passengers. A year earlier, Cathay Pacific Airways suffered the world’s biggest airline data breach that included the credit card, passport and personal information of around 9.4 million customers. Hotel chains face a similar issue, with Marriott International losing $126 million in 2019 following a massive security breach that leaked around 383 million guest records, including passport details and credit card information. And the list goes on.
Why is this happening? There are a few reasons why hackers focus on your travel data:
- Hackers know what we know, which is that you can learn a whole lot about users by getting a hold of their travel information. Many travel websites include online purchase options, and online booking forces users to enter detailed, correct personal information. This gives hackers easy access to identity theft opportunities and credit card details. Even sites that do not include payment options can tell hackers a lot about the dates on which users plan to be away from home, which might lead to break-ins.
- Many travel companies, such as airlines, are traditional businesses that have made the transition to digital without taking into consideration the appropriate security measures. These are not digital-first businesses, and so some of the complexities related to online security were left out, which obviously increases the risk of being breached.
- On the other hand, some of the many new platforms and technologies that aim to provide travel solutions may need more time to adjust to the required security standards. Certain young startups want their product to meet the market as soon as possible, and make the mistake of going live without meeting the highest security standards.
- Users are becoming price-focused and are hunting for deals all over the web. This means that many will compromise on the quality and credibility level of a travel site if it offers the best price. We witness small websites and travel aggregators rising to traffic greatness without offering the proper security support, which is alarming.
We already step out of our comfort zone when booking a trip to a different location, and so the feeling of “this isn’t familiar/right” may seem like an anxiety we need to brush off instead of addressing.
A recent study conducted by Mine found that the average user’s digital footprint includes 19 travel companies, which make up 6% of their total digital footprint and include mostly companies that the user used only once. Of the companies that found their way into users’ footprints, on average 2-3 were breached in the past. Mine also found that the top 10 travel companies present in users’ footprints are: Airbnb, Booking, Tripadvisor, Expedia, Easyjet, Hotels.com, Kayak, Delta, United, Ryanair, Lufthansa, Tripit, Wizzair, Rentalcars.
As always, our advice is not to refrain from traveling (god forbid!) or stop using tech tools that help improve our trip. Instead, we need to manage our data and create a healthy debate around it. Just because we can’t wait to go on vacation, doesn’t mean we should put our data ownership standards on hold.
It’s interesting to note that important regulation is taking place in the travel tech industry around a different type of problematic behavior by companies. The EU now closely regulates how travel websites suggest offers to users, and companies like Booking.com were already put on the spot for encouraging shoppers to close a deal using means that might be considered manipulative. We hope that a rise in awareness and discussions around the topic of travel tech security will encourage regulators to add another aspect to their new rules.
The current GDPR and CCPA regulations allow us to know what data different travel companies hold and to manage it so that anything we feel less comfortable with is deleted immediately. There’s no reason for our personal information to remain in the hands of businesses long after we're back from our trip. At the end of the day, hackers never really take a break, and so our data ownership efforts must remain strong and consistent all year round.