Several years ago, former FBI director Robert Mueller said that there are two types of companies: “Those that have been hacked and those that will be.”
His statement still holds true today in Kenya, even as Kenyan companies experience an increase in cyber-attacks from sophisticated hackers.
In the last 3 months of 2020, for instance, the Communications Authority of Kenya (CA) reported that cyber-attacks on Kenyan organisations rose by nearly 50 percent compared to a similar period the previous year. The rise was driven by many organisations switching to remote working systems and adopting ecommerce platforms amid Covid-19 lockdown measures.
CA data shows that more than 56 million cyber threats were detected nationwide in the period under review, compared to 37.1 million in 2019. “A majority of the threats were malware attacks, web application attacks, Distributed Denial of Service (DDoS) threats among others,” said CA in a statement.
The rise in cyber threats has seen businesses lose billions of shillings and sensitive information to hackers. Travel companies, including travel agencies, are not immune. In fact, some experts warn that travel agencies are more vulnerable than other businesses.
In 2020, the Independent reported that a data breach affecting Expedia and Booking.com could have exposed data for millions of customers who made reservations using these platforms since 2013, after a software company was found to have improperly stored sensitive data.
In 2017, ZDNet reported that hackers used a flaw in the web server running the website of the Association of British Travel Agents (ABTA), the UK’s largest holiday and travel association, to access the data of as many as 43,000 people. Around 1,000 of the accessed files may include personal identity information, posing a risk of identity theft and fraud.
It is absurdly easy for attackers to target the travel and hospitality industry. Many cybersecurity experts say the amount of personal client information that the travel industry collects makes it a particularly alluring target for hackers. In fact, the 2018 Global Payments Insight Survey by ACI Worldwide and Ovum found that the travel and hospitality sector had been the most heavily affected, with 29% of respondents having experienced a breach.
Why are travel agents such a prime target?
Beyond the amount of information collected, part of the problem for the travel industry is the high uptake of new technologies without proper installation or maintenance by security experts, which enables breaches to go undetected. The lax investment in information security and end-user training among travel agencies has made them a target of interest.
According to an article published in Travel Market Report, in June 2016, JTB Corp, one of Japan’s largest travel agencies, announced that data from more than 7.9 million customers was compromised when an employee opened an infected e-mail attachment. The hacked information included customer names, addresses, e-mail addresses and about 4,300 valid passport numbers.
Experts have termed the JTB attack a form of “spear-phishing,” using an e-mail that appears to come from a trusted party.
These prominent breaches were evidence that the travel industry is highly susceptible to cyber security breaches, and agents are especially vulnerable because they cannot afford technology solutions to detect things like credit card fraud.
Because agencies are generally short-staffed and have less money to spend on sophisticated, software-based technology tools, their ability to detect data breaches is severely impaired.
What should you do when you have been attacked?
It’s smart to develop strong cyber safety habits to help prepare for a cyberattack or data breach. It’s also important to secure your personal information and networks.
- Secure systems and ensure business continuity
Following a breach, the first key step is to secure the IT systems in order to contain the breach and ensure it is not ongoing. It is also necessary to consider how and when the breach was detected, and whether any other systems have been compromised. Put suitable measures in place to ensure that any network or other intrusions are detected immediately.
- Notify the airlines to suspend the ticket coupons
Attackers may target your booking system and will often issue tickets through it, driving you into major losses and a standoff with the airlines. It is important to suspend all ticket issuance immediately and notify all airlines in your database to invalidate all impacted tickets.
- Report the incident to the GDS company
Always reach out to your GDS and immediately inform them that you have been breached. This is important because the GDS systems are highly sophisticated and reinforced with strong cyber security measures, and they can assist in investigating the breach.
- Report the incident to the national Computer Incident Response Team (CIRT)
Cybercrime is one of the most prolific forms of international crime, with damages set to cost the global economy USD10.5 trillion annually by 2025, according to Cybersecurity Ventures. Thus, CIRT takes such incidents very seriously. Reporting will help CIRT take regular pulse checks on cybercrime in Kenya and publish annual threat landscape assessments that underpin operational activities.
- Report the matter to the police and obtain an occurrence book (O/B) reference
Cybercrimes are offences punishable by law and the police will help in tracking down the cybercriminals.
- Conduct an information security audit through a registered Information Security company and obtain an official report
A cyber security audit is designed to be a comprehensive review and analysis of your business’s IT infrastructure. It identifies threats and vulnerabilities, exposing weaknesses and high-risk practices. It is vital to manage the risk of cyber threats, preventing revenue loss and reputational damage.
- Address legal and regulatory requirements
Cyber-attacks and data breaches come with legal implications. You might face legal suits from disgruntled customers or stakeholders whose information might have been compromised. It is important to reflect on what your legal options are and ensure compliance.