Legal, Regulatory, and Privacy Issues

How to protect your personal information when booking travel

Cyber thieves increasingly target travelers’ data, including passport numbers


Cybercriminals are using data breaches to access the private information of customers who have used travel booking sites, airlines, hotels, restaurants and gas stations. Here’s how to protect your data when booking your next trip.

The content on this page is accurate as of the posting date; however, some of our partner offers may have expired. Please review our list of best credit cards, or use our CardMatch™ tool to find cards matched to your needs.

Maybe you’re planning a relaxing ski vacation in the mountains or spring break lounging on a beach. But your travel plans could put your personal and payment information in peril.

Cybercriminals are using data breaches to access the private information of customers who have used travel booking sites, airlines, hotels, restaurants and gas stations.

“Thieves don’t take a vacation,” says Eva Velasquez, president and CEO of the Identity Theft Resource Center (ITRC).

As of early December, there had been more than 1,100 data breaches reported to the ITRC, exposing 561 million records.

The vast majority of those records came from Marriott International, which disclosed in late November it had been the victim of one of the largest data breaches in history, second only to the 2013 Yahoo data breach, which disclosed information of 3 billion people.

The Marriott incident was one of several data breaches that hit the travel industry in 2018. Here’s an overview of how cyberthieves are targeting travelers and how to protect your information when planning your next vacation.

See related: Should you buy identity theft coverage from your home insurer?

A cyberthief’s grand prize: Your passport number

Personal information of up to 383 million guests was stolen from Marriott’s Starwood reservations system over a four-year period starting in 2014. The Starwood system covers almost a dozen brands, including Sheraton Hotels & Resorts, Westin Hotels & Resorts and W Hotels.

Cyberthieves stole credit card numbers and the card expiration dates from some guests, along with names, addresses, phone numbers, email addresses, Starwood Preferred Guest information and passport numbers.

Investigators believe the hackers were working for the Chinese government, as Marriott hotels are frequently used by military and government officials. But even those who don’t work for the U.S. government are worried about the impact of the data breach, and class-action lawsuits have been filed.

Cyberthieves often will sell stolen personal and credit card information on the dark web, which can then be used to set up fake accounts in your name.

Particularly troubling is the theft of passport numbers, says Yair Levy, professor of information systems and cybersecurity at Nova Southeastern University in Fort Lauderdale, Fla. Marriott said on Jan. 4 about 5 million of the 25 million passport numbers that were involved in the data breach were not encrypted.

“You’re starting to deal with a higher level of identity theft.”

Cyberthieves look for as much personal information as they can get about a consumer, such as name, address, date of birth and Social Security number in order to open up credit card accounts or bank accounts in your name, Levy says.

Cybersecurity experts typically warn consumers to protect their Social Security numbers, but those can sell for as little as $2 a piece on the dark web, says Mike O’Malley, vice president of strategy for the cybersecurity firm Radware.

“On the other side of the spectrum, passports can fetch $1,000. For under $1,500 a nefarious actor can take over an entire identity.”

See related: Main lesson after Equifax breach: Protect yourself

Data leaks also hit major airlines, restaurant chains

While the Marriott data breach is one for the records, it was not the only security incident reported by the travel industry last year.

  • Travel booking site Orbitz said in March a data breach may have exposed the payment card information of 880,000 customers.
  • Delta Air Lines announced in April the third-party online chat service it uses was hit by a data breach and a “small subset” of its customers’ information may have been exposed.
  • British Airways initially said in August that payment information from 380,000 customers may have been breached, and then said in October 180,000 more customers might have been affected.
  • Panera Bread said in April that information on its loyalty club members may have been exposed. While Panera said only 10,000 customers may have been affected, security expert Brian Krebs said the breach could have hit 37 million people, exposing names, addresses and the last four digits of credit card numbers.
  • Chili’s Grill & Bar announced in May that payment card information for an undisclosed number of customers may have been compromised.

In its 2018 global security report, the cybersecurity firm Trustwave revealed the retail sector accounted for 17 percent of global data breaches, followed by the finance and insurance industry with 13 percent of breaches and the hospitality industry with 12 percent.

In 40 percent of the cases Trustwave investigated across all industries, cybercriminals were specifically targeting payment card information.

If you learn you may have been the victim of a data breach, Velasquez says you should “react, but don’t panic.” Many businesses that have been hit by a data breach will offer to cover the costs of credit monitoring for a year.

If that’s not enough to make you want to stay home, reports of skimmers at gas stations and ATMs seem to make the news weekly. The number of compromised ATM and point-of-sale devices jumped 8 percent in 2017, according to FICO, while the number of compromised cards rose by 10 percent.

As technology becomes more sophisticated, the newest tools thieves use to steal your information may be almost impossible to detect. When you use an ATM or gas pump, you run the risk that your credit or debit card data can be stolen – often done by crooks sitting in a nearby vehicle using Bluetooth technology.

“The technology of the bad guys is getting faster, smaller and better,” says Matt Wilson, chief information security adviser at BTB Security.

Using an ATM inside a bank, rather than outside, or paying for your gas inside the gas station rather than at the pump can provide some security, Velasquez says.

See related: As data breaches increase, here’s how to cut your identity fraud risk

How to protect yourself when booking travel online

While you can’t prevent data breaches, you can take steps to try to protect yourself from the fallout.

Whether you’re worried about skimmers or data breaches, Velasquez recommends using a credit card rather than a debit card for such transactions so the thieves can’t steal your information and then drain your bank account. (Most major credit cards have zero fraud liability.)

Because so many travel bookings are made online, Levy recommends using a separate credit card for your online transactions, making it easier for you to monitor those purchases. He also recommends signing up to receive text or email alerts from your bank whenever a purchase is made.

Wilson recommends putting a free credit freeze on your credit report. You can lift the freeze temporarily if you want to do something such as get a new credit card or buy a car.

“It’s one of the best tools consumers have at their disposal if they’re worried about identity theft,” Wilson said.

Another option is to get a virtual credit card number for online transactions. Banks that offer this service will provide you with a randomly generated number that links to your actual credit card account. If a cyberthief gets his hands on it, he can only access that number – not your credit card account.

The key to staying safe, Levy says, is being proactive and thinking: “I’m in charge of my credit and my identity, not some cybercriminal.”

Editorial Disclaimer

The editorial content on this page is based solely on the objective assessment of our writers and is not driven by advertising dollars. It has not been provided or commissioned by the credit card issuers. However, we may receive compensation when you click on links to products from our partners.

What’s up next?

In Legal, Regulatory, and Privacy Issues

My club instated a card-only payment policy, including processing fees; is it legal?

If an organization you belong to instates a credit card-only policy and wants you to pay processing fees, you might want to ask them to reconsider. Depending on the state where you live, this could be against the law.

See more stories
Credit Card Rate Report
Cash Back

Questions or comments?

Contact us

Editorial corrections policies

Learn more