This presentation covers topical issues in cybersecurity impacting brands operating within the travel and hospitality industry. I talk about recent data breaches including Point-of-Sale terminal compromises which are a significant issue affecting that industry. I also shared some GDPR action points for brands and bloggers/ digital media /content creators serving those industries. This was presented at the 2018 Travel Blog Exchange (TBEX) Ostrava, Czech Republic #TBEXOstrava2018

2. Digital Security and Data
Protection considerations for
Hospitality Brands and Bloggers
…and the GDPR stuff you need to know
Presented by: Omo Osagiede (@borderless_i)

3. Security & Privacy
• Why is this important?
• Top security concerns
• The industry response
• The blogger response
• Staying GDPR compliant

4. WHY IS THIS IMPORTANT?

5. DATA SECURITY DATA PRIVACY
CYBER CRIME
Bloggers
Brands
The context…

6. Hilton (2014) Hyatt (2016) IHG/Sabre (2017)
Threat
Stolen
Compromised
Malware
Card holder names,
numbers, security
codes, experts dates
Social engineering Unstated
Card holder names,
numbers, security
codes, experts dates
Point of Sale Point of Sale
Card holder info
+ customer
personal data
Reservations system
providing services to
over 30,000 hotels,
airlines and OTAs

7. Still some
way to go…
“81% of travel sites did
not provide users with
password strength
assessment tools during
the account creation
process.”
Source: dashlane.com - Travel Password
Power Rankings 2018
Airbnb
Momondo, Priceline,
Kayak, Avis
Trivago, Trip Advisor,
American Airlines,
Norwegian Cruise Line ZERO

8. TOP INDUSTRY &
BLOGGER
CONCERNS

9. Where are travel/
hospitality brands
coming unstuck?

10. What are the
main cyber
security & privacy
threats impacting
industry?
90%
3%
3%
3%
Source: 2018 Verizon Data Breach Incident Report (DBIR)

11. Top security concerns for bloggers
You could end up…
• Spreading malware to visitors
• Losing readership and trust
• Getting penalised by Google
• Losing revenue (if monetised)

12. THE INDUSTRY RESPONSE

13. Challenge
your
brand’s
approach!
Payment Card Industry
Data Security Standards
(PCI DSS)

14. Good practice security tips (for industry)
Identify all your data
assets
Secure your IT/non-
IT supply chain
Protect your PoS
systems from malware
Educate your staff
and customers
Harden your websites,
apps, entry points
Have an incident
response plan

15. THE BLOGGER RESPONSE

16. Good practice security tips (for bloggers)
1. Do not use generic
admin accounts
2. Control access to
your admin panel
3. Set strong passwords
+ use multi-factor
authentication
4. Leverage hosting
provider + WP resources
5. Always update to the
latest version
6. Be careful with plugins!
7. Backup, backup, backup!

17. THE GDPR STUFF
YOU NEED TO KNOW

18. What types of personal data processing do you do?
#1. Website
data processing
(comments,
subscriptions,
tracking)
#4. Mailing lists/
Newsletters#2. Social Media
(inc promotions, DMs)
#3. Marketing
Campaigns

19. • Email sign up and contact forms (names,
physical addresses, email)
• Blog comments (name, IP address, email)
• Social media including social groups
• Third party plugins
• Profiling and tracking cookies
• Campaigns and promotions
• Mobile apps
Sources of
personal
data…

20. 6 key
questions to
ask about
personal
data
1. What are you collecting?
2. Why are you collecting it?
3. How are you protecting it?
4. Where is it located?
5. How long are you keeping it for?
6. Who are you sharing it with?

21. GDPR THINGS TO DO
*Applies to bloggers and brand BUT large organisations need a broader approach

22. Privacy on your website
• Update and publish privacy policies
• Make them visible!
• Audit and declare cookies
• Audit your plugins (update/remove)
• Move to https (if you haven’t already)
• Only use sanitised themes
• Review affiliate marketing

23. Word Press Google Analytics
• Install the GDPR
Compliance plugin
• Cookie consent plugin
• Secure your backend/
admin panel
Developer tools
• Implement data retention
options (14 months)
• User deletion API
• Google Fonts

24. Email subscription lists
“Respect the right
to object to
processing (i.e.,
direct marketing,
profiling,
tracking)”
Dont’sDo’s
Affirmative opt-in only
Remove data if unsure
Communicate privacy
policies
Contact opt-outs
Buy or sell data lists

25. MailChimp (or other)
• Switch to GDPR-friendly/customisable
forms (lists, landing pages, pop-ups).
• Explore tools that help you better
manage data subject rights e.g. right to
access, erasure, rectification.
• Consider enabling double opt-in

26. • Review your use of automation
• Review social media plugins
• Do you collect personal data in
your DMs?
• Review group membership/
groups (e.g., Facebook)
What about social media?

27. • Clarify requests from PRs/brands for data.
• Don’t transfer follower data without
consent.
• Don’t automatically sign-up campaign
participants to email marketing lists.
• Use compliant third party campaign
management tools.
• Publish your privacy policy to users.
When running campaigns…

28. Three takeaways
1. PROTECT your brand
against online threats.
2. KNOW what personal
data you process.
3. ASSUME nothing! @borderless_i