3 KEY LEARNINGS: Cyber Attack Against A Business Travel Agency


Author: Teemu M.
Date: 01.09.2015
Read Time: 4 Minutes

Cyber attackers, whether criminals, hacktivists or governmental actors, know that people who travel a lot on business are more likely to be high net worth individuals, often being C-level executives or other similarly important people that are worth targeting.

Of course, targeting those people individually is only one way to go. You could also attack the travel agencies directly. Which in fact, does make a lot of sense (as an attacker that is).

Travel agencies know a lot about you. Your emails addresses, phone numbers, credit card information, passport details, the destination, travel times, hotels you are sleeping in.. you name it. And having that data readily available makes those companies very interesting targets.

In 2015 only, there has been a number of attacks against travel agencies, some of the most notorious one’s being the hack of the China’s largest online travel company Ctrip and an American travel reservations platform provider Sabre. There has even been an attack against a major Australian travel insurance company called Aussie Travel Cover.

Now, admittedly both of the aforementioned agencies are rather large multinational travel agencies, and their hack did get a fair share of the media attention. But smaller organizations are not immune to cyber attacks however, they just don’t make the headlines.


In 2014, a small US-based business travel agency got their CRM and booking system hacked, causing the company almost 2 weeks of complete downtime.

While we do not know the exact financial impact, having your business down for a few weeks is not a thing to scoff at. Plus, cleaning and resetting such systems by experts will easily cost upwards of 25.000$, in addition to the legal fees and financial costs that are bound to incur. After all, somebody will need to reimburse the fraudulent charges.

Despite the rather harsh costs for a small business, the attack itself was not very sophisticated however.

While browsing industry blogs, a travel agent succumbed to an attack via a vulnerable java browser plugin. Once infected, more malware was downloaded, giving cyber attackers full access to the agent’s computer. From there, attackers were able to move laterally to other computers and ultimately to agency booking and CRM systems, where credit card numbers were stored for convenience.

And as with most of these kinds of attacks, those credit card numbers are put to criminal use. In this case, by cheer luck one of the agency’s customers contacted them after just a few days to check some suspicious charges, sparking an investigation.


  1. Get the basics right: Browser-based attacks are one of the most common tools in the arsenal of cyber criminals. Keeping your web surfing secure with browsing protection, script & ad blocking and similar kinds of technologies is an important start.
  2. Keep that software up-to-date: Or alternatively, just get rid of the software not in use and turn off non-essential features. Vast majority of the attacks happen by leveraging existing vulnerabilities in software, and hence, by simply keeping all your software (specially that browser and its plugins!) up-to-date, you can prevent the majority of attacks. Or even better, get rid of vulnerable software like Flash, Java and Silverlight
  3. Secure that CRM system: Generally speaking, taking critical systems off the network, or ‘air gaping it’, is a good idea if you can do it. In the case of the travel agency however, we can easily imagine that the system has to be online as to make the reservations etc. Hence securing such a system is trickier, though there are some good basic steps you should take.
    • Limit the amount of things that an employee can do within the systems. For example, agents might need to update individual credit cards, but never read whole batches of them.
    • In the case of the travel agency, the agent had unlimited capability to browse online, increasing the risk of infection considerably. Hence it makes sense to limit the agents’ access to only necessary sites on computers that are connected to the critical systems.
    • Don’t allow direct access to the backend systems, but rather, have an API in between that limits the actions that can be done from the endpoint, preferably to only those that are absolutely necessary for people to do their work.



This blog post is the second of a series of posts [Part 1], [Part 3], [Part 4],where we look at the real-life attacks against businesses. It is inspired by our upcoming eBook (also part of an ongoing series), called: CYBER SECURITY DEMYSTIFIED: Securing Business Operations. You can get the ebook from here: Read eBook

One thought on “3 KEY LEARNINGS: Cyber Attack Against A Business Travel Agency

  1. Awesome Article. Outside of simply using a spear phishing email to gain access to a network, attackers could use an account to gather intelligence. By watching a group of soldiers posting online, attackers could watch location changes to discern troop movements or engage directly in conversations to try to ferret out military decisions. Thank you for sharing your blog about 3 KEY LEARNINGS: Cyber Attack Against A Business Travel Agency.


Post Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s