Cyber security, systems vulnerability and data protection are not the most festive topics. But recent fraudulent activity on the Booking.com app is a timely reminder of the continuing need for vigilance and good cyber governance.
Third-party booking platforms are commonplace in the hospitality sector. These types of system process a range of data, much of it higher risk to individual customers (a heady combination of passport details and payment information) and critical to the businesses involved. Legally speaking, platform arrangements often include complex data sharing concepts between platform operator and business partners, which may allow access to data but which often also rely on security and resilience aspects designed into the platform. Whether these protections match the sophistication and resourcefulness of would-be malicious actors is a different question, and the Booking.com incident highlights that these threats are ever-evolving. In this particular incident, Booking.com stated that its systems themselves were not hacked. However, that of itself did not prevent the data from being manipulated, and it is unclear whether there has been any legal recourse behind the scenes.
As with so many things, prevention is the best cure, and a useful starting point for businesses seeking to use third-party platforms or data businesses might be to:
- Undertake the usual impact assessments, including understanding the design features of particular products
- Review policies and procedures and check they are up to date from a legal and regulatory perspective
- Review the adequacy and currency of staff training and consider whether it needs to be refreshed
Businesses may be understandably reluctant to disrupt their busy December trading periods to take these steps. But since time poverty can create fraud risk, it may be the best time for businesses to put their data resilience to the test.