David Jones was the founder of Travelink, before selling the company to Comtec in 2006. He is now back in the travel industry as investor and non-executive at Cardiff-based Tigerbay. He is also a director of Westgate Cyber Security, an information security consultancy.
_w=800_h=600_pjpg.jpg?v=20230522122229)
Travel offers a rich hunting ground for cyber-attackers, but how would you know?
David Jones was the founder of Travelink, before selling the company to Comtec in 2006. He is now back in the travel industry as investor and non-executive at Cardiff-based Tigerbay. He is also a director of Westgate Cyber Security, an information security consultancy.
The UK travel industry is not short of risks and instability.
At the time of writing (early March) the FCO is recommending all Brits leave Ukraine, and while the former Soviet Union countries are not a huge tourist attraction, Egypt – another centre of recent political turbulence – certainly is.
And, like the gift that keeps on giving, Ukraine has increased oil prices by 3% in just two days – and airlines will feel the impact on JET-A1 fuel almost immediately.
In the context of geo-politics, the threat to UK’s travel companies from cyber-attack can seem marginal and inconsequential.
However, for the sophisticated criminal gangs that use cyber-attack as their preferred weapon, the travel industry potentially offers rich pickings.
And the potential scale of such attacks was revealed in January when Northampton-based travel insurer Staysure suffered a theft of customer details.
No two cyber-attacks are the same, and in Staysure’s case the theft included client names, addresses and the three-digit CVV numbers from 100,000 credit-card transactions.
Also stolen, but in an encrypted form, were payment details (credit card numbers, amount and details of what exact insurance products the Staysure clients purchased).
At first glance, this information loss, while embarrassing (it’s actually illegal in the UK to store those 3-digit CVV numbers) does not represent any risk of financial loss, because the credit card numbers and expiry dates (which are required for making a transaction) were encrypted.
But, increasingly, the value of data theft is not in the ability to make a fraudulent transaction – the biggest value can be found in the stored data.
For instance, with the full name and address details of all those 100,000 UK households, what is the risk of a UK premium number 09 scam, where the bad guys may present themselves as Staysure and offer ‘compensation’ which requires the victim to call what they claim is a ‘toll free 09 number’?
The nature of cyber theft is unlike all other loss. In the real world, when something goes missing (often money, sometimes property) the entity that’s stolen has clearly gone.
But in the cyber world, the information that has been stolen is actually just copied, so it is in the nature of these attacks that the criminals often go to great lengths to cover their tracks, making it very difficult for a victim to even know that data has been stolen.
Some in the cyber security world believe that most UK companies fall into two categories – those that have been hacked and suffered a loss, and those that simply don’t know it yet.
So where does this leave the UK travel industry? Potentially, just one incident away from the a front-page headline.
