British Airways

British Airways has released details of the recent theft of customer data from its website and mobile app.

The carrier said that the breach took place over 15 days between 2258 on August 21 and 2145 on September 5, with around 380,000 financial transactions believed to have been compromised.

The theft included personal and financial details of customers making bookings on ba.com and the airline’s app during this time, although travel and passport details were not affected.

Uber

Last year Uber admitted it suffered a data breach in October 2016, with names, email addresses and mobile phone numbers of both drivers and riders around the world compromised.

More than 57 million users and 600,000 drivers around the world were affected by the breach, which CEO Dara Khosrowshahi says the company knew about in 2016 but which he learned about only after taking over the role from Travis Kalanick in September 2017.

In a statement, Khosrowshahi said: “We have to be honest and transparent as we work to repair our past mistakes.” Uber hired an outside cyber security firm to investigate the incident and help the company decide the best course of action moving forward.

Intercontinental Hotels Group

In 2016 hackers stole data from at least 1,200 IHG hotels in the Americas.

The data breach occurred between September and December of 2016. IHG said that cardholder names, numbers, expiration dates, and internal verification codes were obtained by hackers using credit-card stealing malware. The malware wasn’t eliminated until March 2017.

IHG learned of the security breach when guest credit cards were used without authorization after stays at the group’s hotels.

Hyatt

In 2015 Hyatt Hotels discovered malware in its payment systems.

The company said it made the discovery in November 2015, though it took until December 23 for it to alert the public.

Reports suggested that 318 hotels were affected, almost half of Hyatt’s then 627 hotels.

In a statement released at the time the group said:

“We recently identified malware on computers that operate the payment processing systems for Hyatt-managed locations. As soon as we discovered the activity, we launched an investigation and engaged leading third-party cyber security experts.

“The investigation is ongoing, and updates will be posted here at www.hyatt.com/protectingourcustomers.

“We have taken steps to strengthen the security of our systems, and customers can feel confident using payment cards at Hyatt hotels worldwide.”

Hilton

Also in 2015 Hilton urged customers to check their credit card statements after confirming the theft of cardholder payment details.

The hotel chain said it has taken action to “eradicate” unauthorised malware that targeted payment information in some point-of-sale systems.

As a precautionary measure, Hilton advised customers to review and monitor their statements if they used a payment card at a Hilton Worldwide hotel over a seventeen-week period, from November 18 to December 5, 2014 and April 21 to July 27, 2015.

Hilton said malware had managed to access names, card numbers, security codes and expiration dates, but no addresses or PIN numbers were obtained.

Starwood

Customer payment information including cardholder names, payment card numbers, security codes and expiration dates was hacked in 2015.

A total of 54 Starwood hotels and resorts across the Americas were hit by malware, for periods ranging from one day to several months between November 2014 and October 2015.

These included brands such as Sheraton, St Regis, W Hotels and Westin Hotels, in locations ranging from Seattle and Los Angeles to Florida and New York.

In a statement, Starwood said: “Promptly after discovering the issue, [it] engaged third-party forensic experts to conduct an extensive investigation”.

As a result of this investigation, it “discovered that the point of sale systems at certain Starwood hotels were infected with malware, enabling unauthorised parties to access payment card data of some of our customers…

“The malware was designed to collect certain payment card information, including cardholder name, payment card number, security code and expiration date. There is no evidence that other customer information, such as contact information, social security numbers or PINs, were affected by this issue.”

Mandarin Oriental

In 2015 Mandarin Oriental confirmed a security breach at ten of its hotels.

In a statement the luxury hotel chain said “it appears that a hacker used malware to obtain access to certain credit card systems in a number of Mandarin Oriental hotels”.

The hotels affected were:

  • Mandarin Oriental, Boston between June 18, 2014 and March 12, 2015
  • Mandarin Oriental, Geneva between June 18, 2014 and March 3, 2015
  • Mandarin Oriental, Hong Kong between June 18, 2014 and February 10, 2015
  • Mandarin Oriental Hyde Park, London between June 18, 2014 and March 5, 2015
  • Mandarin Oriental, Las Vegas between June 18, 2014 and October 16, 2014
  • Mandarin Oriental, Miami between June 18, 2014 and March 3, 2015
  • Mandarin Oriental, New York between June 18, 2014 and January 18, 2015
  • Mandarin Oriental, San Francisco between June 18, 2014 and February 14, 2015
  • Mandarin Oriental, Washington DC between June 18, 2014 and January 20, 2015
  • The Landmark Mandarin Oriental, Hong Kong between June 18, 2014 and February 3, 2015

Mandarin Oriental said that it believed the hacker “may have used the malware to acquire the names and credit card numbers of guests who used a credit card for dining, beverage, spa, guest rooms, or other products and services” at these properties during those time periods.

It added that it has not found “any evidence of acquisition or misuse of credit card pin numbers or security codes, or any other personal guest data”.

Hyatt (again)

In April 2015 Hyatt confirmed that an estimated 200 Gold Passport members’ accounts were hacked.

According to a spokesperson, the company first noticed unauthorised logins on the affected accounts during a routine monitoring session. Apparently, the perpetrators were using the proper names and passwords but not the correct account credentials.

Hyatt stated that it had looked into each of the hacked accounts to check if any reward points were deducted during this period. All Gold Passport members were prompted to change their passwords when they logged into their accounts.

British Airways (again)

In March 2015 British Airways confirmed that a small proportion of its Executive Club frequent flyer customers had their accounts hacked on March 29.

The airline reassured its customers that no names, addresses, bank details or personal information had been accessed, and said that it had also taken steps to lock down accounts that had been compromised.

In a statement, a BA spokesperson said: “British Airways has become aware of some unauthorised activity in relation to a small number of frequent-flyer executive club accounts. This appears to have been the result of a third party using information obtained elsewhere on the internet, via an automated process, to try to gain access to some accounts”.

Malaysia Airlines

In January 2015 customers looking to book or manage their flights on the Malaysia Airlines (MAS) website were temporarily unable to do so due to a hack.

A group named Cyber Caliphate claimed responsibility for the attack.

According to reports, Cyber Caliphate was a hacker group that claimed association with the terrorist group ISIS. The group had previously been responsible for cyber attacks on the @CENTCOM Twitter and YouTube accounts of the US central military command.