How Secure Is Your Personal Data When Making an Airline Reservation?
In the age of global terrorism, high-tech hackings, and ransomware attacks, can the airline industry protect your privacy? Carriers are being asked to gather more and more personal passenger information without a corresponding increase in data security measures. Is the system ripe for large-scale exploitation? Read what one expert has to say.
Post-9/11, the nexus between air travel security and global terrorism became tragically clear. Almost immediately, the airline industry began implementing changes in the pre-boarding, ticketing, and passenger identification processes—all in the name of safety.
Unfortunately, these safety measures can lead to additional vulnerabilities. Chargebacks911 COO Monica Eaton-Cardone warns that the data we provide to enhance our security could be “weaponized” by hackers, criminals, or even terrorists.
“Think of all the personal data we share with the airlines,” says Eaton-Cardone. “They know our names, addresses, passport details, travel history—all kinds of private, individualized information.”
This is all information that could be used against us if it were to fall into the wrong hands. She compares it to the credit card industry, where all data collection is regulated by the Payment Card Industry Data Security Standard (PCI DSS). But the airline industry has no PCI DSS-type regulations that govern data gathering.
“Their data collecting procedures don’t follow a standardized rule set. Different airline reservation systems have vastly different policies and practices.” Clearly, some sort of governance needs to be put in place.
Updating Cyber Safety
To be fair, airlines are required to comply with PCI DSS regulations for all credit card transactions. This series of specific rules safeguards the financial information of passengers and is very effective in terms of securing credit card information.
Here’s the catch: although the customer’s financial information may be protected, the other data that the airlines collect is exempted. Without some type of regulation, airlines are not required to put extra protections in place.
There’s another issue here as well: aging airline reservation systems are stymied by technological limitations.
“It’s long been known that the travel industry suffers from complex legacy architecture,” said Eaton-Cardone. “The IT was built to serve a very different world.” Rapid advances in cybertechnology have forced changes on the industry, and these IT systems have struggled to keep pace.
Of course, airlines are not being deliberately careless with customer data. Still, most security precautions for passengers’ non-financial information remain strictly voluntary and vary from carrier to carrier.
More Data, Fewer Safeguards
There are no security precautions at all for certain data-points. Even critical personal information may go unprotected as a result.
“In 2004, the federal government mandated PCI DSS compliance for all credit card data,” says Eaton-Cardone. “But as valuable as our financial information is, it’s no longer our most vital data index.
“Hackers are now targeting other forms of personal information, like spending patterns, background info, travel history, family names, places of residency—anything they can get. And that data is not being adequately protected. Not even close.”
New Rules Aren’t Enough
Additional government regulations have only exacerbated the problem so far. Due to security measures enacted post-9/11, for example, airlines are now responsible for requesting, tracking, and collecting an increasing amount of highly sensitive data.
The objective is to protect passengers through diligent screening. However, while these new security standards were adopted, Congress failed to address one critical question: What should happen after all this data is mined?
“We trust the airlines with the names of our children,” notes Eaton-Cardone. “If you travel often enough, all kinds of sensitive, personal data can be collected. It needs to be protected.”
It’s not just fraudsters who want this information, either. “If a terrorist wanted to board a flight under a false name,” Monica continued, “learning the identities and data-points of the other passengers would be a good place to start.”
The Dark Cloud…
The problem isn’t just the amount or type of data; it’s a matter of vulnerability.
Airlines are demonstrably susceptible to hacking. It’s become almost routine for computer glitches to wreak havoc on air travel. A massive IT failure recently forced British Airways to cancel flights out of London, for example, and Southwest Airlines, Delta, and Lufthansa have all faced similar problems.
When that happens, hackers have much more data on each individual than would normally be available from a breach at a department store.
Can airlines upgrade data protection without completely overhauling—or even replacing—their current systems? Eaton-Cardone believes that either way, the problem is becoming too big to ignore. “In an age of increased terrorism, this is a vulnerability that must be addressed—now, before it’s too late.”
…and the Silver Lining
Attacks on airlines often foreshadow attempts on other industries. Eaton-Cardone offers the following advice to consumers and businesses concerned about data breaches:
“As a general rule, if vendors aren’t PCI-compliant, avoid doing business with them,” she warns. “It’s not worth it.
“Don’t share your customers’ data with outside vendors. For example, if you do business with a chargeback management vendor who is also a merchant competing in your space, you need to be extra careful; there’s an inherent conflict.”
Eaton-Cardone also recommends being ultra-vigilant about protecting all data. “‘Data is king’ has replaced ‘Cash is king’ – because cash might come and go, but today, data has longevity,” she adds. “In many ways, it’s your company’s single most valuable commodity. Treat it as such.”
Is your chargeback management vendor PCI-1 compliant? Are you sure?