Airport Insecurity: How to Protect Your Company Data During Holiday Travel

Many workers will pack up for holiday travel in the coming weeks, but they may not realize how their travel decisions could affect their organizations. BIA’s Brian Schrader offers 4 tips for protecting your company’s data while traveling this holiday season.

It’s common for the office to be a little emptier this time of year as coworkers take time off to visit friends and family. One in three Americans (112.5 million people) traveled during the 2018 holiday season, according to a report by AAA, and that number is expected to be at least that high this year.

Most travelers come with at least one connected device. Actually, the average person in North America has eight connected devices, according to Cisco’s Visual Networking Index, so you can almost guarantee anyone boarding a plane, train, or automobile this holiday season is bringing along several devices.

The increased accessibility to gadgets and connectivity around the globe are great advancements for our generation, but they also open up our devices – and consequently any data they hold – to greater risk of cyber attacks.

You’ve seen the headlines – recent breaches such as Capital One’s or Equifax’s were especially harmful, not just because of their size, but also because of the sensitive information that was stolen. Data breaches are costly on many levels. If your company deals with sensitive documents, financial data, personally identifiable information (PII) or protected health information (PHI), you should take special care to avoid data theft, especially when traveling.

You may be thinking, “But I’m only traveling with my personal cell phone this year, so I’m safe.” Think again. Have you ever opened a work email on your phone? Or perhaps exchanged important business-related text messages with a coworker? All it takes is one mistake for that data to be easily accessible to hackers.

Before packing your bags, you should be aware of common tactics used by cyber thieves and how to avoid them. Here are four tips to protect your company’s data during holiday travel:

1. Be cautious with airport charging stations.

Airports are now riddled with stations where travelers can plug in their devices for a last-minute charge prior to boarding their flights (although, like NYC cabs, it seems they are everywhere until you need one). These stations typically offer a few two- or three-pronged outlets as well as some USB ports. Though the latter are certainly handy, they pose great risk to your data. Hackers can use USB ports as a gateway to install malware on or even take data from your device, all without your knowledge.

This type of attack has been labeled “juice jacking,” and the way it works makes sense when you think about it – the USB port provides the ability to simultaneously charge a device and transfer data. Just a few years ago we used to plug our phones into our computers via a USB cord to download new music or install updates, so it’s understandable that data would be passed through the same methods today. This data transference capability is why public USB ports are unsafe, whereas plugging your device into an outlet is relatively harmless since data cannot be transferred in that manner.

However, there’s one caveat: Connecting to a wall outlet is safe unless you’re using an unfamiliar cord. It may seem convenient to use someone else’s cord or to use a cord that was seemingly left behind by a previous traveler, but it can be dangerous. Criminals can hide tools or install malware inside a tiny USB cable, so it’s possible that they intentionally left behind the cord, waiting to see what sensitive information they can steal from unsuspecting travelers.

The best way to keep your data safe is to never trust a public USB port, and to always use your own cords. You can also purchase hardware, such as USB “no-data-transfer” cables, which only allow the transfer of power and not data, or a Juice-Jack Defender, which acts as an intermediary between the charger and the device.

2. Beware of public Wi-Fi.

Public Wi-Fi is hard to avoid when traveling, but such networks can be playgrounds for cyber criminals who use the connection to steal information or install malware on connected devices. Some common tricks used by hackers:

• Sneaky Wi-Fi names: Bad actors often create networks with the same names as a nearby public network. For example, if you’re waiting for your flight at JFK International Airport, you might assume “JFK Guest Wi-Fi” is the airport’s free public Wi-Fi network. Instead, it could be a hacker disguising a separate network with the goal of tricking you into connecting and stealing your data.
• Man-in-the-middle attacks: Criminals can hack into public Wi-Fi and become the “man in the middle” to intercept your data. They insert tools between you and the websites you visit to gather your login credentials, credit card numbers and other sensitive information that you may input.
• Malware distribution: Hackers can easily access unsecure Wi-Fi networks to distribute malware and cause damage to your connected devices.

Luckily, there are steps you can take to prevent these threats:

• Use a virtual private network (VPN): This software encrypts data flowing to and from your computer over a public network. The encryption makes it virtually impossible for a cyberthief to gain access to your files.
• Avoid public networks by using a puck: Personal Wi-Fi hotspots, also called pucks, offer an alternative to risking your data on a public network. You can travel with this small device in your pocket for a quick, private connection.
• Employ multi-factor authentication (MFA) for your company’s network: Make sure your business requires an authentication code, biometric scan or other multi-factor authentication method to access the network. Then, even if a bad actor gains the credentials to log-in, they will not be able to get past the additional level of protection.

3. Turn off your location services.

Smartphones have undoubtedly changed the way we travel. We’re no longer required to print directions from Mapquest or pack the dreaded folding maps, and we can even alter our routes based on real-time traffic updates. But using these luxuries can mean giving away our location to bad actors without even realizing it.

Last year the four largest cell carriers – AT&T, Verizon, T-Mobile and Sprint – admitted to selling their users’ geolocations to third parties. Intermediaries, such as LocationSmart, obtain users’ real-time location from cell towers and sell the information to its customers, who buy users’ locations for various reasons, including to text them when they enter a competitor’s store or to prevent fraudulent bank charges. If any company can purchase this information whenever they want, it’s possible your location is being sold to people with malicious intentions.

If that happens, there are two primary concerns for your business. First, by analyzing the geolocations of employees, thieves may be able to create a map outlining who is in the office when. If all the executives are knowingly out of town for holiday travel, your office becomes more susceptible to someone looking for inside information. This is also true of posting to social media – be careful not to post about vacations until after you’ve returned. Criminals can use this knowledge as an opportunity to break into your home or business – literally or virtually.

Another common tactic of cyber criminals is to analyze your movements to determine the location of important business information. Watching where you go on a daily basis, they can deduce your routines and learn when your devices are most susceptible to data theft.

Feel free to use your device’s map program while navigating during holiday travel, but remember to disable location sharing as soon as you arrive at your destination. The last thing you want is for your location to be sold to people or organizations looking to gain an edge on your company.

4. Be careful of the company data you provide to rewards programs.

Airlines and hotels commonly offer customer loyalty programs, awarding perks to consumers who rack up a certain number of points throughout the year. One benefit of such programs is that all your information is saved in your profile, enabling quick and easy checkout.

But the 2019 IBM X-Force Threat Intelligence Index found that the transportation industry is the second-most attacked industry by cybercriminals. Right behind the finance and insurance industry, transportation service providers (such as airlines) are an attractive target for hackers because of the sensitive customer data they obtain – from credit card information to passport numbers.

Hotels also hold sensitive financial information and PII, making them prime victims of cyberattacks (you may remember Marriott’s 2018 breach, which compromised the private information of more than 500 million customers, including their names, addresses, credit card numbers, and passport numbers).

When traveling this holiday season, be careful of the information you store in your airline and hotel loyalty accounts. If you’ve previously booked a business trip on the company credit card, delete the card from your account to avoid the possibility of theft.

The holidays are a great time to visit family and friends or knock places off your bucket list, but it’s important to be aware of how your personal travel decisions may affect your company. By following these simple tips, you’ll better protect the organization’s data and set your company up for a successful 2020.

Brian Schrader, Esq., is President & CEO of BIA (www.biaprotect.com), a leader in reliable, innovative and cost-effective eDiscovery services. With early career experience in information management, computer technology and the law, Brian co-founded BIA in 2002 and has since developed the firm’s reputation as an industry pioneer and a trusted partner for corporations and law firms around the world. He can be reached at bschrader@biaprotect.com.