Travel companies were hit by one data breach after another last year — firms including Marriott, British Airways, Delta Air Lines and the travel booking site Orbitz.
Marriott estimates that as a result of its breach — in which the reservation database of Starwood-branded hotels in its portfolio was hacked — 383 million guest records could have been affected and 5.25 million unencrypted passport numbers were possibly compromised. And experts expect breaches in the travel sector will continue.
“Travel companies are a prime target of cyberthefts” because they have “highly sensitive, personally identifiable information,” said Eva Velasquez, chief executive of the Identity Theft Resource Center, a national nonprofit organization in San Diego that supports victims of identity theft and seeks to broaden public awareness.
But travelers do have options to protect their information.
Bruce McIndoe, president of WorldAware, a risk management company, recommends creating a “digital persona” when booking travel or making other online transactions. This can include setting up a new, disposable phone number using a service like Google Voice and RingCentral to screen any calls based on caller ID, and to forward these to the phone number that you want to protect.
Mr. McIndoe also suggests creating what he calls a throwaway email address, to be used only when booking online, to protect your actual personal or work email from theft. You can also keep your home and work addresses private with a service like iPostal1.com, PhysicalAddress.com and PostScanMail.com, which can create a new mailing address for you. And you can rent a post office box from the United States Postal Service, though this cannot be used for many online transactions.
There are many steps you can take to protect any device you bring on business trips. If you work for a large company or service provider, like a law or accounting firm, your employer may be able to provide clean devices, even some with special protections appropriate for whatever destination you visit.
Before leaving on a trip, Sam Rubin, a vice president of the Crypsis Group, a cybersecurity consulting firm, advises all travelers, regardless of the size of their employer, to make sure their laptops are encrypted, via software like BitLocker for Windows laptops or Filevault, for Macs. He also suggests backing up data regularly, installing application updates and deleting unneeded and old data from devices.
The Global Business Travel Association, a trade group for corporate travel managers, suggests using a privacy filter on your laptop and tablet screen when you’re traveling. To prevent theft, lock your devices when you’re not using them, through a PIN, password protection or physical locks and alarms. The group also recommends using a juice-jack protector — attached to the end of your USB cord — to protect against data skimmers when you plug the cord into a public charging station. If you bring your own charging device, you won’t need a public charger.
Experts strongly recommend not connecting to unsecured public Wi-Fi systems anywhere in the world, not only at coffee shops like Starbucks but also in airports and hotels, among other places. If you must use these, Si-Yeon Kim, chief risk and compliance officer of American Express Global Business Travel, suggests minimizing the number of documents you open, and being careful of whatever information you transmit.
Christel Cao-Delebarre, the global privacy officer in London for Carlson Wagonlit Travel, a travel management company, advises being “very careful about speaking with colleagues and possibly sharing confidential information in public places.” She also urges travelers not to leave confidential documents unattended either in conference or guest rooms at hotels and elsewhere.
When it comes to working online, Mr. Rubin advises using two-factor authentication on all Internet-accessible accounts. He suggests locking and password-protecting your mobile phone and configuring it to automatically lock after a period of inactivity, and using secure passwords, with a different password for each device and account. Password managers like LastPass and Keeper can help you remember and manage these.
As for making purchases online, consider signing up for a credit card to be used only for such transactions. You also can set up a virtual credit card for a one-time purchase whose cost you can limit. Some of these can also be used to pay for recurring charges; those amounts can also be limited. Virtual credit cards are issued by companies such as Bank of America, Citi, Capital One, American Express and Privacy.com. According to Mr. Rubin, if the virtual credit card is compromised, it should have no impact on your physical card.
Another payment option, possibly more secure than credit cards, is PayPal, said Robert Austin, president of KoreLogic, a cybersecurity company.
BCD Travel, another travel management company, advises against posting pictures online of your itineraries, tickets or boarding passes. It also urges travelers to never leave their boarding passes and tickets on an airplane or in a hotel room, and to shred these once you’ve used them, all steps to keep cyberthieves from obtaining your travel details. Another protective measure is to use digital boarding passes issued by the airline, and apps like BCD’s TripSource, TripLingo, Apple Wallet and Google Pay. This information will be protected by the security code on your mobile phone even if the phone is lost or stolen.
John Reed Stark, former chief of the S.E.C.’s Office of Internet Enforcement and author of “The Cybersecurity Due Diligence Handbook,” advises setting up your credit card account to automatically notify you of all transactions via email or its app, which he said will make you aware of every transaction as it occurs. He also suggests setting up a separate email account for these alerts, so you can easily track them and not clog up other accounts.
To further track any suspicious activity, he advises subscribing to a credit and identity monitoring company — such as Experian, TransUnion or Equifax — that can provide alerts relating to your credit rating, credit cards and banking.
For additional protection, Mr. Rubin suggests the purchase of an individual cybersecurity insurance policy, offered by companies like Chubb and NAS Insurance. Although such policies have long existed for businesses, individual policies are a new development.
Henry Harteveldt, president of Atmosphere Research Group, a travel research company, said his company had found that a growing number of travelers were becoming uncomfortable with sharing their personal information with travel sellers.
“The lesson for travel suppliers here is that no matter how good they think their cybersecurity hardware and software practices are, they may never be good enough,” Mr. Harteveldt said. “Sadly, there will be one hacker a step ahead at some travel company.”