In Online Travel Agency (OTA) world, data is everything. The foundation of this business is built on managing data through online marketing, excellent product offerings, and detailed analytics
In Online Travel Agency (OTA) world, data is everything. The foundation of this business is built on managing data through online marketing, excellent product offerings, and detailed analytics. Roughly 100,000 flights take off and land every day all over the globe. Say an average length of a flight is two hours; that would mean that six million people fly to their destination every day. Now, the management of this data starts from getting a potential customer on the OTA website for travel booking; to post-booking support ensuring repeat travel. This information traverses from the customer to an OTA and is subsequently shared with Airline or Hotel Partners. It is important to note the interconnected, yet diversified, channels of communication here. OTA companies (like CheapoAir.com, OneTravel.com etc.) deal with thousands of transactions every day ensuring the security of data at each stage of the process. We need to ensure that we protect a customer’s information during its entire lifecycle.
We must first understand that data often has a complex structure where the most important details are Personally Identifiable Information (PII) and electronic payment details of customers. Due to the management of these sensitive details, we observed that Cyber Security is the only function where overall expenditure has increased year-on-year, even though the overall travel industry slowed down drastically in the CoVID years of 2020 and 2021.
Travel companies are becoming prime targets for external threats and fraud attempts, triggering our industry’s dedicated ongoing focus on protecting the customer’s information during its entire lifecycle. In addition to external threats, this industry has recently seen a significant rise in the number of attacks/frauds committed internally. These external, and internal threats evolve with time and hence this requires continuous planning, effort, and collaboration to reduce resulting risk.
Air France-KLM in Dec. 2022 shut down the booking facility on its AgentConnect travel agent portal, citing “a few cases of fraudulent issuances using different methods, including a phishing email” and “various other methods of access codes theft.” Air France confirmed that “several travel agencies on the French market have been affected by this fraud.” Similarly, In Oct 2022, 13 U.S. travel websites were knocked offline after a Russian hacker group attack.
Understanding these threats is just one part of this problem, introducing required Security controls and defense mechanism is another major step that an organization needs to take. In the OTA industry, we are required to implement controls at various levels to Prevent and Detect any suspected Security breach. The key areas to consider in 2023 are:
Protecting Online Customer Frauds - Insider threat is one of the significant concerns keeping leaders up at night. These threats, if materialized have a significant financial impact on any travel agency. To protect customers’ identities and to prevent fraudulent transactions, we must consider both the involvement of human errors and deliberate acts, that lead to sharing critical information with competitors, fraudsters, or other threat actors. In addition to pilferage due to internal threats, external threat actors try and use ambiguities in the security environment to perform online frauds. Although, there are multiple tools to identify pilferage anomalies, online platforms like OTAs should use AI/ML algorithms and enhance use cases to identify pilferage using data science.
Stronger Cyber Defense - The technological space changes frequently, and with the introduction of the cloud environment, it becomes difficult to manage security policies and standards to protect the customer’s data. As we find new ways to protect our sensitive information, attackers find new ways to exploit the vulnerabilities and penetrate an organization’s network that stores ever-precious customer information. Thus, building up a strong cyber defence framework to mitigate this risk is important. Whether we need to focus on the security of the cloud environment, implementation of secure coding practices, real-time vulnerability scans or implementing web application firewalls, the industry needs to find ways to innovate and remain vigilant every day.
Automated and Strong Security Monitoring - Along with the prevention of a cyber-attack, it is of utmost importance to detect any cyber-attack that has penetrated our network. A strong monitoring framework needs to be established to automatically correlate each event and categorize it as a threat to an organization and its information by using a well-established Security Operations Center (SOC) with Security Information and Event Management (SIEM), aggregating data from multiple sources, to identify potential threats. To further reduce any threat to an organization, the majority of these threats (more than 80%) should be remediated through security orchestration, automation, and response (SOAR) to minimize the turnaround time (TAT).
Third, Fourth, Fifth Party Management - In this connected era, integration with external parties is essential to perform basic business operations. Every OTA uses various integration approaches to communicate with the airlines, Global Distribution System (GDS), New Distribution Capability (NDC), and other third parties. These third parties in turn further use fourth or fifth parties for business operations. Risk to these next parties can be controlled using contracting. However, there is a need to build continuous due diligence and risk management frameworks to govern these next parties. Therefore, this is a never-ending process that requires continuous and real-time monitoring.
Implement Security-by-Design - In this fast-paced environment, there is a need to reduce the risk proactively. Along with product evolution, security needs to be incorporated during the design phase. If a threat is identified at the earlier stages of the product lifecycle, it not only significantly reduces risk but also improves the efficiency of the software development lifecycle. This gives that cutting edge to online travel agencies (OTA), which will significantly reduce vulnerabilities in source code and incorporate security within the design of the product.
There is a never-ending list of such controls. Security teams use various tools and controls to maintain the security position of an organization and travel agencies have to remain one step ahead of any attacker
eyeing their transactions. So, the focus should be on prevention rather than a reactive approach.
By Ankur Ahuja
CISO and Vice President of Information Security, Fareportal.