Travelers Beware: Targeting of Travel-Related Organizations and Third Parties

Memorial Day is often referred to as the unofficial start of the summer season, and for many, the upcoming summer means increased reservations or transactions for travelers. Travel-related organizations, such as transportation and lodging, fall under the 16 essential critical infrastructure sectors and may have vital dependencies on other sectors. Travelers create online accounts and share personally identifiable information (PII), financial information, and passport numbers with popular travel-related organizations and their third parties, which are at risk of data breaches. The NJCCIC highlights two major critical infrastructure sectors impacted by travel, recent data breaches, and recommendations to help protect online accounts and data to reduce cyber risk.

The Transportation Systems sector and its subsectors ensure the continuity of operations for people and goods moving quickly and safely throughout the country and internationally by airplane, car, boat, railroad, bus, and more. In 2023, Pilot Credentials, a portal managing applications for various airlines, including American Airlines and Southwest Airlines, was targeted in a cyberattack, resulting in compromised data, including names, dates of birth, Social Security numbers, driver’s license numbers, and passport information. In January, Medusa ransomware operators disrupted the Kansas City Area Transportation Authority (KCATA) and updated their data leak site with allegedly exfiltrated data of KCATA’s registered members and pass holders, including personal and payment information. The US Department of Transportation (DOT) is also investigating the data security and privacy policies of the top 10 US airlines, including American, Delta, Frontier, Southwest, and United. DOT intends to review whether airlines are properly safeguarding customer information and whether they are unfairly monetizing or sharing it with third parties.

The Commercial Facilities sector and its subsectors include lodging, such as hotels, motels, conference centers, RV parks, and campgrounds. This sector also consists of sites that draw large crowds of people and tourists, including retail centers and districts, shopping malls, movie theaters, casinos, theme and amusement parks, aquariums, zoos, museums, and sporting arenas. In 2023, MGM Resorts International experienced a cyberattack impacting its hotels and casinos. An unauthorized third party obtained customers’ personal information, including names, phone numbers, email addresses, postal addresses, gender, dates of birth, and driver’s license numbers. Social Security numbers or passport numbers were affected for some customers. Additionally, threat actors targeted hotels contracted with the Booking.com platform and executed a sophisticated phishing campaign against hotel guests. Once the hotel’s property management portal account credentials were acquired, the threat actors gained access to guest information accumulated over an extended period.

In March, the Daixin ransomware group stole data in the Omni Hotels & Resorts cyberattack. The impacted information included names, email addresses, mailing addresses, and select guest loyalty program information dating back to 2017. Recently, pcTattletale, a consumer-grade spyware app, was found on the check-in systems of at least three Wyndham Hotels & Resorts. The spyware stealthily and continuously captured screenshots of guest and reservation details from two hotel booking systems, Booking.com and Sabre.

Data security, privacy policies, and security awareness training are of the utmost importance to help safeguard this sensitive information from data breaches. Travelers are advised to proactively identify and counteract the risk of data breaches, which can result in social engineering schemes, account compromise, fraudulent transactions, identity theft, and further malicious cyber activity. The NJCCIC product Cyber Safe Travel Tips provides more details about the security of devices, accounts, networks, vehicles, and international travel.

Recommendations

  • Participate in security awareness training to provide a strong line of defense and identify red flags in potentially malicious communications.
  • Use strong, unique passwords and enable multi-factor authentication, choosing authentication apps or hardware tokens over SMS text-based codes.
  • Navigate directly to legitimate websites and verify websites before submitting account credentials or providing personal or financial information.
  • Reduce your digital footprint so threat actors cannot easily target you.
  • Keep systems up to date and apply patches after appropriate testing.
  • Employ tools such as haveibeenpwned.com to determine if your PII has been exposed via a public data breach.