Beware: Risk of Data Breaches Rises When you Travel

Booking your hotel room online, buying souvenirs at a little shop or using your credit card to pay for lunch. When you're traveling, almost anything you do can make you vulnerable to a data breach and possibly pave the way for identity theft.

"Nothing is impenetrable," says Jerry Irvine, chief information officer at the IT outsourcer Prescient Solutions, and a member of the National Cyber Security Partnership. "If someone is going to hack into you, they can hack into you."

Your risk of exposing yourself to cyberthieves is greater when you travel for a simple reason: You're going where they like to hang out. The places most often targeted by data crooks are retail stores, bars and restaurants, and hotels, according to the 2013 Trustwave Global Security Report. The three industries alone were targets in 78% of all breaches.

They are vulnerable, the report says, because of the number of credit and debit cards used for purchases, and "the main focus of organizations operating in these spaces is customer service, not data security," says Irvine.

Targets large and small

It matters little whether you're sipping a beverage at a charming little cafe or staying at the presidential suite of a massive chain hotel. Regardless of size, the company you're dealing with can be a target.

Last summer, the Federal Trade Commission sued Wyndham Worldwide Corp. for lax data security measures that resulted in three data breaches at the company's hotels in less than two years through an Internet domain address registered in Russia. The suit says those failures led to millions of dollars in fraudulent charges on consumers' credit and debit cards.

Small- and medium-size businesses can be just as vulnerable, if not more so.

"It used to be only large organizations had to worry about security," Irvine says. Now, "just like an animal in the wild, they target the weakest in the herd," and that's often smaller businesses that may not realize they're at risk for having their customers' personal information stolen and fail to use secure connections for online transactions.

"A bed-and-breakfast or boutique hotel might be really great at what they do, but they may have gone into the online world and not thought about the ramifications," says Eva Velasquez, CEO and president of the nonprofit Identity Theft Resource Center.

Trustwave's investigations found cardholder information was quickly sold on the underground market, where it was used to make fraudulent transactions. Nearly three-quarters of the victims were in the United States, and the attacks originated in 29 different countries, with Romania the point of origin for a third of the attacks.

Michael Bruemmer, vice president for data breach resolution at credit bureau Experian, says part of the risk with the travel industry is that there are "multiple entry points," so if you book a room, flight or car online through a third-party travel website, that information then must be sent to the hotel, airline or car rental company.

The danger could linger long after your trip: A hotel, for example, might keep your information on hand for years in order to market to you, Bruemmer says.

Do the basics to lessen crime odds

Often, there's nothing you can do to prevent the data breaches. The thieves most often target weaknesses in the businesses' data systems, not individuals.

But do keep your guard up and follow the usual basic credit card safety rules:

  • Watch your card closely. Even low-tech activity such as handing over your credit card or passport at a hotel can make you vulnerable. A front desk clerk might record your credit card number, expiration date and security code, and then use it for nefarious purposes. Or someone can steal your personal information from your passport.
  • Don't use public Wi-Fi. Simply going online using public Wi-Fi, anywhere, including your hotel room, airport lounge or a coffee shop, can put you at risk from cybercriminals, experts warn. "You're opening yourself up to all sorts of ill-intentioned individuals also on the network," says Christopher Dore, an attorney with Edelson, which has handled many consumer technology-related, class-action lawsuits. Dore returned from his honeymoon to find $1,000 in fraudulent charges on his credit card. He suspects the information was stolen when they were staying at a small hotel in Turkey. Instead of using public Wi-Fi, you should use a virtual private network (VPN) or encrypted connection, Bruemmer says.
  • Check your statement carefully. The snapshots may be more fun to look at, but carefully inspect your credit card statement for anything out of place, as soon as you receive it.

The risks can be greater when you're traveling in many locations abroad, where there are often fewer regulations and government agencies to protect you, Dore says.

What happens after a breach

While there's no federal law requiring you to be notified of a data breach, 46 states have such requirements. The exceptions are Alabama, Kentucky, New Mexico and South Dakota.

Generally, if a certain number of people have been affected by a data breach, the company or organization will have to send you a notification letter, although there's no set time frame dictating when the letter must go out.

If you're traveling and your information is breached, you won't receive notification overnight, Velasquez says. It's more likely to take weeks, and you'll probably be back home by that time. If you're going to be gone for an extended period, she suggests having someone at home check your mail regularly.

The company also must notify the bank card associations, such as Visa and MasterCard, which in turn notify your bank.

That doesn't mean you'll automatically receive a new credit or debit card, says Tom Shaw, vice president of financial crimes management at USAA. Your card issuer will consider the type of information stolen, look at how often fraud has occurred with other cards that have been part of the same data breach, and calculate the odds of your card being compromised.

If the odds are low, the bank will monitor your account rather than issue a new card. But if fraudulent activity is spotted, your card will immediately be deactivated.

That could put you in a major bind while you're traveling. If that occurs, immediately contact your credit or debit card issuer to find out what has happened.

Bruemmer says major providers such as Visa, MasterCard and American Express can usually cancel your card, reissue it and have it delivered to you within 24 hours.

"It may be an inconvenience at the time, but it really is to protect you," Velasquez says.

See related: 6 ways to protect your identity in a data breach, What to do after a data breach