Travel companies were hit by one data breach after another last year — firms including Marriott, British Airways, Delta Air Lines and travel booking site Orbitz.
Marriott estimates that as a result of its breach — in which the reservation database of Starwood-branded hotels in its portfolio was hacked — 383 million guest records could have been affected and 5.25 million unencrypted passport numbers were possibly compromised. Experts expect breaches in the travel sector will continue.
“Travel companies are a prime target of cyberthefts” because they have “highly sensitive, personally identifiable information,” said Eva Velasquez, chief executive of the Identity Theft Resource Center, a national nonprofit organization that supports victims of identity theft.
Travelers have options to protect their information.
Bruce McIndoe, president of WorldAware, a risk management company, recommends creating a “digital persona” when booking travel or making other online transactions.
This can include setting up a new, disposable phone number using a service like Google Voice or RingCentral, which can screen calls based on caller ID and forward them to the phone number that you want to protect.
McIndoe suggests creating what he calls a throwaway email address, to be used only when booking online, to protect your personal or work email from theft.
You can rent a post office box from the U.S. Postal Service, though this cannot be used for many online transactions.
There are steps you can take to protect any device you bring on business trips.
If you work for a large company or service provider, like a law or accounting firm, your employer may be able to provide clean devices, even some with special protections appropriate for whatever destination you visit.
Sam Rubin, a vice president of the Crypsis Group, a cybersecurity consulting firm, advises all travelers, regardless of the size of their employer, to make sure before leaving on a trip that their laptops are encrypted, via software like BitLocker for Windows laptops or FileVault for Macs.
He suggests backing up data regularly, installing application updates and deleting unneeded and old data from devices.
The Global Business Travel Association, a trade group for corporate travel managers, suggests using a privacy filter on your laptop and tablet screen when you’re traveling.
To prevent theft, lock your devices when you’re not using them, through a PIN, password protection or physical locks and alarms.
The group recommends using a juice-jack protector — attached to the end of your USB cord — to protect against data skimmers when you plug the cord into a public charging station. If you bring your own charging device, you won’t need a public charger.
Experts strongly recommend not connecting to unsecured public Wi-Fi systems anywhere in the world, not only at coffee shops like Starbucks but also in airports and hotels, among other places.
If you must use these, Si-Yeon Kim, chief risk and compliance officer of American Express Global Business Travel, suggests minimizing the number of documents you open, and being careful about whatever information you transmit.
Christel Cao-Delebarre, global privacy officer in London for Carlson Wagonlit Travel, a travel management company, advises being “very careful about speaking with colleagues and possibly sharing confidential information in public places.”
She urges travelers not to leave confidential documents unattended either in conference or guest rooms at hotels and elsewhere.
When it comes to working online, Rubin advises using two-factor authentication on all Internet-accessible accounts.
He suggests locking and password-protecting your mobile phone and configuring it to automatically lock after a period of inactivity, and using secure passwords, with a different password for each device and account.
Password managers like LastPass and Keeper can help you remember and manage these.
As for making purchases online, consider signing up for a credit card to be used only for such transactions.
You can set up a virtual credit card for a one-time purchase whose cost you can limit.
Some of these can also be used to pay for recurring charges; those amounts can also be limited.
Virtual credit cards are issued by companies such as Bank of America, Citi, Capital One, American Express and Privacy.com.
According to Rubin, if the virtual credit card is compromised, it should have no effect on your physical card.
Another payment option, possibly more secure than credit cards, is PayPal, said Robert Austin, president of KoreLogic, a cybersecurity company.
John Reed Stark, former chief of the Securities and Exchange Commission’s Office of Internet Enforcement and author of “The Cybersecurity Due Diligence Handbook,” advises setting up your credit card account to automatically notify you of all transactions via email or its app, which he said will make you aware of every transaction as it occurs.
He suggests setting up a separate email account for these alerts, so you can easily track them and not clog up other accounts.
To further track any suspicious activity, he advises subscribing to a credit and identity monitoring company — such as Experian, TransUnion or Equifax — that can provide alerts relating to your credit rating, credit cards and banking.
For additional protection, Rubin suggests the purchase of an individual cybersecurity insurance policy, offered by companies like Chubb and NAS Insurance.
Although such policies have long existed for businesses, individual policies are a new development.