Ransomware in Travel - Cribb Cyber Security

In last week’s blog we looked at the current rules on cookies*. We did this in response to an announcement by PROFiT about a potential phishing scam against travel companies. Today we look more closely at PROFiT themselves and at this scam, as well as ransomware in travel.

*Cookies are changing and we will update you on the changes in due course.

Who are PROFiT?

PROFiT is a not-for-profit organisation that offers advice on fraud. PROFiT stands for ‘Prevention of fraud in trade’ and was established in 2000, initially to tackle fraud in the travel industry. An official launch at New Scotland Yard took place in 2009 and was followed up by a 9-month trade awareness campaign through Travel Weekly to enable PROFiT to be more effective.

What is this possible scam against travel companies?

Reports have recently been received by PROFiT about travel companies breaching cookie laws. It seems that a 5-page letter has been sent to some suggesting that they are in breach of the PECR requirements on cookies. The letter goes on to give them 21 days in which to pay a £750 penalty, in yet another example of a ransomware attempt. The £750 sum seeks compensation for:

  • Losses in the form of distress
  • A loss of control of personal data
  • The loss of availability of rights over the data

Our sources at PROFiT reveal that the letter is sent by someone who has recently learnt how to check for cookies. This development has led to her discovering cookies belonging to the recipient of the letter on her computer. She then claims to have videoed herself revisiting the travel website in question, only to discover that 30 cookies had been placed on her system without her consent. These include Facebook and Google Analytics cookies, with the lady then stating that her activity is being monitored and the data passed to the US without her consent or knowledge.

She offers to send a copy of the video as proof, claiming that the breach is against the UK GDPR and PECR requirements, placing her data under the FISA (US) controls. It is important to note that no opt-out attempts have been made by the correspondent. Nor has she tried to contact any data controllers.

The lady sending the letter has been an IT and GDPR consultant since 2005. She has held a senior position for numerous companies that are now dissolved, training and lecturing on IT and Data Protection. The latest company she runs was formed in 2013 with her solicitor husband, providing training for IT and GDPR professionals.

What can you do to help?

PROFiT are seeking to identify the full nature of this issue and will be better positioned to do so with help and feedback. If you or anyone you know of has received this or a similar letter, please leave your comments below. If you know who the letter came from or have a copy of it, please contact us.

Ransomware in travel

Earlier this year, Travel Weekly Asia ran a story on a new cyber security report about ransomware. Participants from around the globe took part and the findings were of huge concern:

  • 42% of organisations in the UAE were forced to close following a ransomware attack
  • 34% of UK organisations were similarly affected
  • In the US, this number fell slightly to 31%
  • 50% of organisations in the legal sector laid off employees after a ransomware attack
  • In retail, this number fell a tad to 48%

Ransomware and other cyber-attacks are on the up and you must ensure you embrace cyber awareness. You must be proactive with cyber defence and promote its importance within your organisation. CRIBB Cyber Security is part of theICEway ecosystem of companies. We power their security by design approach to IT solutions for sectors including healthcare, insurance, maritime, cruise and travel.