Two in three travel programs impacted by data breaches

A sad reality is that any data point a consumer shares with a company in all likelihood eventually will be hacked, lost, leaked, stolen or sold—and it seems that this is happening with travel companies more than ever. 

Nearly 70 percent of travel buyers say their travelers have been affected by a payment-related data breach from an outside vendor such as a hotel, airline or retailer in the past year, according to new research from the Global Business Travel Association in partnership with AirPlus International. 

The survey of 144 U.S. travel buyers also revealed that they believe the risk of fraud is growing, with two-thirds (68 percent) saying travel programs face a greater threat today than they did two or three years ago.

Nearly half of all travel departments are involved with various payment security functions. Most departments are involved in responding to payment fraud by an external party, educating travelers about payment security and setting policies related to payment security. Surprisingly, involvement does not vary much by travel spend or travel program reach (i.e., national vs. global).

“This research highlights a significant contrast between what travel buyers are saying versus what buyers are actually doing,” GBTA Executive Director/COO Michael McCormick said in a statement. “However, it is encouraging to see an uptick in the usage of virtual cards, which can be an effective weapon against fraud.”

Most travel buyers (79 percent) view single-use virtual credit card numbers as effective at preventing fraud but only one-fifth of travel programs (20 percent) report current usage of this payment method.

Similarly, travel buyers believe payment controls can prevent fraud and misuse, but many never or rarely use them. Payment controls include limiting the amount allotted in a single transaction, restricting payment within a certain country and setting daily or weekly spending limits. Nearly 40 percent never or rarely limit the amount allowed in a single transaction, despite having access to this technological solution.

“We have seen the need to educate around virtual card benefits not just to travel managers but to corporate finance and procurement departments as well,” said Diane Laschet, president/CEO of AirPlus International. “This method of payment has the strongest level of security controls available on a payment tool, which is critical in the age of data breaches. When you couple that with the comprehensive data associated with each transaction, it is easy to see why this is the future of business-travel payment. The benefits really touch all areas of the company from the back office to the traveler.”

Marriott International disclosed last year a massive data breach exposing the personal and financial information on as many as a half billion customers who made reservations at hotels the company acquired from Starwood Hotels & Resorts Worldwide properties. A statement from Marriott said investigators also found an unauthorized party had “copied and encrypted information, and took steps toward removing it.” The breach lasted for four years.

For as many as 327 million guests, compromised information could include passport information, telephone numbers and email addresses. In addition, some other guests' credit card information was within the hackers' reach, according to the company.

Earlier in 2018, Orbitz disclosed a security breach that may have exposed the data of thousands of customers, including information on 880,000 payment cards. The Expedia-owned travel website operator said the breach affected an older website and the platform of an unnamed business partner. The hackers “likely accessed” people’s names, dates of birth, email addresses, street addresses and genders, Orbitz said.

In 2017, Sabre disclosed a breach of its SynXis central-reservations system that may have exposed consumers' payment card data and personally identifiable information. Four Seasons Hotels and Resorts, Trump Hotels, Hard Rock Hotels & Casinos and Loews Hotels all announced that they were affected by the SynXis breach.