Travel hub Hong Kong is on the hit list of cyber criminals, as Cathay data breach shows. It’s time it started defending itself
- The data breach suffered by Cathay Pacific last year was just one of a growing number of attacks on a pillar of the Hong Kong economy, which highlight the vulnerability of an industry where a large amount of personal information is stored and used
To make travel more efficient and remain competitive, the industry generates and absorbs enormous amounts of data from and about customers. This may include the amount of time spent on travel websites, choices made, number of travellers, trips taken, destinations visited, and more.
While this information may seem innocuous, the travel agent, airline, hotel and other travel vendors will also collect much more sensitive information once a booking is made. Often, this includes passport and ID numbers, credit card information, home address, date of birth and more; information which is, in the main, unique and, in some cases, irreplaceable. It is this sensitive information that is especially attractive to cyberattackers, who will use any means they can to steal data to sell on the dark web or leverage for other scams.
These attacks happen so often because, like the health care and banking industries, the travel sector is a huge collector of sensitive data, and thus a prime target for cyberattackers. In 2016, the European Aviation Safety Agency said cyberattacks on aviation systems were occurring at a rate of 1,000 per month, demonstrating then that whatever security strategies were in place were no longer effective.
In many cases, there is inadequate visibility, control and protection of user and application traffic transiting the network and an outdated assumption that everything on the inside of an organisation’s network can be trusted; in fact, threats can come from both inside and outside.
All airlines produce, store, share and analyse data in a similar manner over multiple networks and access points, and with authorised third parties, to maintain business operations. This, of course, means cyberattackers can leverage vulnerabilities across multiple access points to try to gain unauthorised entry.
Adversaries look for vulnerabilities or weaknesses in software to exploit. There have been instances where developers and software engineers have failed to integrate security measures when designing web apps, allowing organised cybercriminals to exploit these vulnerabilities. Any organisation should always look at and vet any third-party web application provider to ensure their products have the right security measures in place. This should include continuously scanning their sites to detect unauthorised code.
Therefore, it is a priority to understand the flow of this information and to ensure comprehensive checks and approval processes are in place. Passwords – highly sought after by cybercriminals – remain the weakest links in computer security. It is perhaps for this reason that information stealers now make up the biggest proportion of cyberattacks in Hong Kong.
Too often, people choose simple passwords to secure highly sensitive information and then use the same passwords to protect other systems. In light of this, two-factor or multi-factor authentication and biometrics, which help prevent breaches and protect data, are gaining in popularity.
In general, and despite the well-publicised breaches, it is uncommon to find strong IT security teams, or even a security operations centre, within travel and hospitality companies. But as the industry continues to innovate, with technologies from mobile applications to data analytics, and to collaborate with business partners, the risk of an attack will increase.
The travel industry is an important pillar of Hong Kong’s economy. In the face of such damaging cyberattacks, the industry as a whole has a fiduciary duty to protect data and prevent breaches. Perhaps now is the time for the industry to take a stance and introduce a code of practice and place “cyber hygiene” at the heart of everything the sector does. In this way, the industry will be able to self-regulate, ensure sensitive data is protected and win back customer trust.
Wickie Fung is general manager, Hong Kong and Macau, at Palo Alto Networks, a cybersecurity company headquartered in California, US