News & resources

Are aggregators putting your corporate travel data at risk?

Back to blog

An age of global mobility

In an age of global mobility, the safety of travelling employees and remote personnel is paramount and the need to track, locate and be able to instantly communicate with individuals, wherever they may be, is an essential component of any business resilience programme. As a result, itinerary tracking is now becoming viewed as an absolute necessity by many organisations. But in implementing such systems to help keep their personnel safe, are organisations opening themselves up to potential data security risks?

How is Anvil helping clients?

Peter Davies, Anvil’s Head of Research and Technical Development, outlines some key areas for concern, particularly around the use of aggregators by many in the itinerary tracking field, and explains how Anvil is helping its clients to overcome these issues.

Following a number of high profile data hacks over the last 12 months and even ABTA itself falling foul of a cyber-attack in March this year, the issues of data security and the individual’s human right to privacy are now even higher on travel management agendas, and rightly so. There’s already been much talk in the business travel industry about the role of the individual traveller in protecting both their personal and corporate data. Whilst this certainly shouldn’t be underestimated, organisations and their suppliers must also look much closer to home when it comes to ensuring data security, the right to privacy, and CIA (Confidentiality, Integrity and Availability)[1] adherence. 

In order to help to keep their people safe, organisations obviously need to be able to obtain and track the travel itineraries of their personnel. But they also need to ensure that the ways in which these tracking systems are implemented and operated do not add any unnecessary privacy or security risks to the data supply chain.

When considering the implementation of any device that’s going to be collecting data from different sources, one of the things that needs to be top of the agenda in the vendor selection process is understanding the data supply chain resilience and any potential vulnerabilities that could threaten data security or impact the CIA model.

When reviewing itinerary tracking systems, some of the important areas to consider are:

  • Where the PNR (Passenger Named Record) data is coming from?
  • Who owns this data and could it be used for other purposes?
  • Is the data transferring through other third parties or countries?
  • What legal jurisdictions apply?

And should there be a data breach:

  • How and when would you be notified?
  • Who would take ownership of the resolution?

Being confident in the answers to these questions is fundamental to an organisation’s understanding of its own risk potential.

So how does the use of an aggregator potentially impact?

Vendors that supply itinerary tracking systems can collect their clients’ PNR data via two routes – either by setting up direct connections with the Global Distribution Systems (GDSs) or by using the services of an aggregator. As the aggregators can benefit from greater economies of scale, the aggregator route will work out cheaper for the vendor (although these cost savings may not be passed on to the client). This, therefore, is often the preferred option for vendors who may not be willing to invest in setting up their own direct GDS connections. But with this cost saving ‘aggregator route’ comes additional risk:

1. It’s a numbers game

The first risk is really all about the numbers. Bringing an aggregator into the equation, rather than the itinerary tracking vendor connecting directing with the GDSs, adds an additional link to the data supply chain. The longer the chain, the weaker it becomes. Removing any unnecessary third party from the supply chain ensures that there’s one less attack surface (the fewer attack surfaces you have, the more robust data security you have) and fewer potential data privacy issues.

2. Data residency and legal jurisdiction – who’s in control?

Very much related to the above, is the issue of control. By including an aggregator in the supply chain, you now have that third party receiving personal identifiable data, potentially storing it on servers in various locations, introducing data residency and legal jurisdiction issues. Although official ownership of the data always sits with the original organisation (as does the ultimate liability), with every additional party introduced to the supply chain, the direct control any organisation has over its data naturally becomes reduced.

3. Data segregation – maintaining integrity

Data segregation is a critical requirement for security within the social technical system. Even if an itinerary tracking vendor can provide assurances that they themselves provide each of their clients with their own dedicated database in order to enable true data segregation and prevent possible data leakage between clients, can they provide the same assurances about the aggregators they may be using?

4. Recovery - dealing with the unforeseeable

How quickly an aggregator can recover from a disaster in comparison to a GDS is another key issue. When you consider that GDSs are used by government surveillance agencies to help protect our borders, allowing them to identify suspects, enforce no-fly policies and establish travel patterns by the use of metadata contained within the PNRs, the GDS systems are understandably very secure. Should the unlikely happen, they have extremely robust processes in place to ensure ‘Confidentiality, Integrity and Availability’ far surpassing anything that an aggregator could provide.

5. An additional issue – speed of implementation

Aside from the data security considerations, using aggregators can be notoriously slow as they deal with numerous vendors and clients on a daily basis. Bottle necks in the implementation process are common as requests are queued and dealt with alongside multiple requests from others. Although this does not pose specific security issues and may not be a concern for some, it’s something to be aware of when reviewing the options available.

At Anvil, we take all of these security and integrity issues seriously. Not only do we provide every client with their own dedicated database in order to ensure data segregation but we also connect directly with both ends of the supply chain (the GDSs and the TMCs). We’re therefore able to provide our clients with supply chain custody that they can be confident in, providing a process that’s more streamlined, more secure and more robust.

As we’re all too aware in the world of risk, unforeseeable does not mean impossible. At Anvil, we’ve also invested a significant amount of time and resource in developing and building data availability alerts into our importing tools in order to cover all potential eventualities and provide our clients with the additional reassurances that they need. In the extremely unlikely event of a GDS failure, we’ll be alerted instantly, allowing us to go directly to the GDS to deal with any issue rather than having to wait for, and rely on, a third party.

In conclusion

With an ever more mobile workforce, organisations need to be able to provide the tools and assistance required to track, alert and protect their personnel in the face of increasing risks. However, in doing so, they also need to ensure that they’re not exposing themselves unnecessarily to potential data privacy, data residency and CIA issues which could threaten the resilience of their entire organisation.

Key to this is ensuring a greater understanding of the data supply chain and any weaknesses and vulnerabilities potentially introduced. Whilst it would be remiss of us to claim that the role of the aggregator is totally redundant, we openly encourage organisations looking to implement an itinerary tracking system to carefully review their individual risk appetite and to ask any potential (or current) supplier some serious questions about their use of aggregators, their processes and the data supply chain risk mitigation measures that they have in place.


[1] Confidentiality, Integrity and Availability (CIA) is a model designed to guide policies for information security within an organisation. The model is also sometimes referred to as AIC (Availability, Integrity and Confidentiality) to avoid confusion with the Central Intelligence Agency.