After the recent British Airways data breach,
travel managers received a flurry of enquiries from anxious travelers wanting to
know how their company would handle it. If you're asking yourself the same question,
here's what to do.
Do not panic: My first words to every client
dealing with the fallout from the BA incident were, "No good decision is ever
made in a panic." Experiencing a data breach is almost inevitable in today's
business travel world, as hackers are targeting the travel and hospitality industries
at an alarming rate. Since 2016, we also have seen large-scale data breaches at
Hyatt Hotels Corp., Sabre Hospitality Solutions, Orbitz, Air Canada, Uber and Great
Western Railways, to name a few. Hackers are not our only concern, either. As we
rely on multiple data exchanges and transactions to complete a single booking—think
travel management companies, online booking tools, global distribution systems,
airlines, hotels, car and rail companies—the travel industry is ripe for accidental
data losses or exposures. It will happen. Don't panic.
Communicate with your supplier: Ideally,
your supplier will send you a notification informing you of the data breach. Often,
however, you will hear of the incident in the press or along the travel buyer grapevine.
Aim to speak with the supplier immediately to get answers to the following questions:
- What happened and why?
- What and whose data was compromised?
- How many records have been affected in total?
- Over what window of time?
- Has the supplier isolated the breach?
- Where has the data gone?
- What is the supplier's remediation plan?
- What comfort can the supplier offer your company and your travelers?
If you are a smaller customer, you may not
land a one-on-one phone call with the supplier. Seek to communicate via email with
a senior representative and ask questions via that channel, or request a group informational
call with a number of other affected customers.
Do not make decisions alone: Assemble your
team of subject matter experts from your company's security, privacy, legal, communications
and HR departments and liaise regularly until you are sure the incident is under
control. Responding to a breach requires people with various skill sets. IT security
will understand the technical details causing the breach and the supplier's proposed
mitigation plan. Privacy specialists can assess the need to make any formal notifications
to the authorities and/or affected travelers. Commercial lawyers will seek to understand
if there have been any contractual violations by your supplier. HR will make sure
you are meeting your employer's duty to protect staff. Communications will help
to communicate clear and transparent messages to affected travelers. For large-scale
breaches, update executive leadership at critical points in the investigation, especially
if you plan to notify authorities.
Communicate with your travelers: News of
a data breach can cause travelers to worry about their travel plans, travel documentation
and banking information. An initial note informing travelers that you are aware
of the incident and that you are in touch with the supplier to understand more will
help to put their minds at ease.
Using BA's recent data
breach as an example, travelers may say, "I just booked a ticket with BA. What
do I do?" Information you gather from your conversation with the supplier will
help you produce detailed FAQs to place on your company intranet, alongside a dedicated
channel like an email address to which travelers can send questions. Remember to
find a communication channel for those travelers who sit outside your company or
those who do not have access to IT equipment, such as field- or manufacturing plant-based
teams. Depending on the severity of the breach, you may wish to advise travelers
to:
- Change passwords and not use the same password on multiple sites.
- Check bank statements for suspicious activity.
- Look out for phishing attempts.
- Check their email addresses on www.haveibeenpwned.com.
- Sign up to a credit monitoring and/or ID theft service.
Review your suppliers' privacy & security
controls: After the incident, you and your security and privacy teams should continue
to monitor the supplier to ensure it has followed through on the agreed-upon mitigation
plan. Your supplier may have changed the plan or had difficulty making the security
improvements it originally planned.
To be prepared is to be forearmed. Often, corporations' data breach plans focus on what to do when your company is targeted.
If the next supplier breach serves as a wakeup call, conduct a post-incident debrief
and then regroup with your team of internal subject matter experts to produce document
templates, such as communications with travelers, and plans to use for supplier
breaches.
Tech innovations in travel mean increased data breach risk: Business travel is headed
toward increased connectivity, personalization and richer data analytics. Supplier
due diligence and ongoing assessments are an excellent way to work with your suppliers
to make improvements to their privacy and security frameworks. After all, working
together can only make travel data safer.