The organisation confirmed that more than 40,000 people’s personal data could have been stolen.
It follows a number of high-profile data breaches in the past 12 months, including at large retail firms and hotel operators such as Starwood, Marriott and Intercontinental.
The chief information security officer at American Express Global Business Travel, Allen Allison, has provided tips to better protect your data:
1. Control Your Data – A TMC must have a firm understanding of where sensitive data is stored, where it is processed, and through which systems it flows. First, receive, store, or process only the least amount of sensitive data needed. Often, a TMC has access to more data than it needs to manage transactions; this data should be removed from the environment. Second, data that is necessary for processing transactions should be encrypted or tokenised. The fewer places sensitive data resides, the easier it is to protect. Third, restrict access to data to only those people or applications with a requirement for its use.
2. Manage Your Vendors, Partners and Other Third Parties – Perform proper due diligence on all third parties. A TMC may be leveraging partners for travel management, credit card processing, or any number of activities that require access to sensitive data. Managing vendors appropriately includes performing recurring audits according to a well-established third-party risk management programme, implementing restrictive access controls maintained at least privilege, and establishing regular information security metrics conversations with all third parties. Most importantly, maintain a positive, constructive working relationship with your third parties; if an event occurs, a well-established rapport can make the difference in identifying and resolving security incidents quickly.
3. Implement Cyber Security Controls Consistent with Risk and Exposure – A well-developed programme that protects against unauthorised or insecure interaction between systems, and that can notify on anomalous activity, provides insight into suspicious behaviour. Furthermore, ensuring that the security monitoring infrastructure correlates events from the network, systems, and applications can assist in detecting nefarious activity.
4. Establish Robust Authentication and Authorization Controls – A common concern for any organisation, not only TMCs, is insider threats. Establish a robust identity and access management programme to ensure user access is maintained at least privilege. Also, ensure that any use of privileged access is performed through a privileged access management system with password vaulting, break-glass procedures, and multi-factor authentication. Monitor all access and attempted access, and ensure that this information is correlated with system activity throughout the environment.
5. Implement Advanced Service Management Controls and Audit Frequently – Change control, patch management, incident management and vulnerability management programmes can help ensure data remains secure. These programmes should be consistent with industry standards and be tested often. A robust vulnerability management programme should include vulnerability assessments, penetration testing, dynamic application security testing, and static application security testing. These processes can provide insight into vulnerabilities that could significantly increase risk; managing these vulnerabilities provides assurance that you are exercising due care over the data you manage.