BLOG: Travel industry under threat from growing trend of cyber attacks
The trend appears to continue from last year when the total number of breaches reached 7.9 billion – up 33% year-on-year.
Last month, MGM Resorts became the latest in a long line of businesses to suffer a data breach when it revealed the personal details of more than 10.6 million former guests had been exposed last summer.
Data such as full names, home addresses, phone numbers, emails, and dates of birth were leaked, with government officials and celebrities, including Justin Bieber, said to be among those who were affected.
A growing trend
MGM Resorts is not the only business in the travel industry to be targeted, with other companies in the sector falling foul of cybercriminals.
In 2018, it was revealed that the information of up to 500 million former guests at Marriott hotels had been exposed in a cyberattack. Personal data including credit card details and passport numbers was stolen, and the Information Commissioner’s Office (ICO) has issued a provisional notice of its intention to fine the international hotel group almost £100m.
Beyond hotel groups, two airlines – Cathay Pacific and British Airways – have also recently suffered significant data breaches of their own. The latter saw sensitive private and financial information of almost half a million customers exposed, leading to the ICO issuing a provisional intention to fine a record £183m and the possibility of a £3bn compensation claim pay-out.
It seems cybercriminals are targeting this industry because of the highly valuable data they can steal.
In particular, passport information, ID documents and financial data are highly prized – the kind of data that could lead to other criminal activities such as fraud and ID theft.
The most concerning aspect of the MGM breach is that the stolen data has reportedly been posted to a hacking forum, which could give cyber criminals around the world the ability to target affected individuals online. Unfortunately, this means the announcement of the MGM breach may just be the tip of the iceberg.
Business and government responsibilities
Businesses in this sector and beyond have an important responsibility to protect sensitive consumer data and they must appreciate the risks involved if they fail to do so. This means ensuring the best defences are in place and that staff are thoroughly educated in terms of data protection and effective cybersecurity.
Experts believe the BA data breach could have been avoided with more proactivity in the form of a bug bounty that may have cost them as little as a few thousand pounds. Similarly, some relatively cheap staff training could have prevented the New Year’s Honours list leak, where a member of staff inadvertently published the addresses of more than 1,000 recipients.
MGM took a gamble by having inadequate security measures in place to keep its customers’ data safe and must now face costs that extend beyond financial penalties and can include severe reputational damage.
In the UK, it falls on the Information Commissioner’s Office to fine companies, with penalties in the GDPR era ranging up to €20 million or 4% of the annual worldwide turnover of the preceding financial year, whichever is greater. Meanwhile, it is the role of the police and National Crime Agency (NCA) to prosecute hackers with punishments including prison sentences.
Consumers who fall victim to a data breach may be entitled to bring a legal case for compensation against an organisation. The GDPR and the preceding Data Protection Act (DPA) 1998 enshrine the rights of victims in law to claim damages for the distress caused by the loss of control, or misuse, of personal information, as well as covering any financial losses suffered as a direct result of a cyber-attack.
Customers concerned they may have been affected by a data breach should keep a vigilant eye on their bank accounts and speak to their bank about what else they may need to do to secure any potentially compromised accounts.
Consumers can also change any login credentials associated with a breached organisation, and anywhere else where those same credentials have been used (although it is highly recommended to never re-use the same credentials for more than one account). Consumers should also keep a close eye on their credit reports for possible ID theft alerts, which could include an imposter applying for new credit in their name.
The combination of potential financial losses and the emotional and psychological stress suffered from a data breach is enough to ruin anyone’s holiday. It’s down to businesses in the travel industry and beyond to ensure consumers are protected; otherwise, their trip to paradise could turn into a holiday from hell.
Aman Johal is lawyer and director of consumer action law firm Your Lawyers