Is Your Personal Travel and Financial Data Safe? Do You Care?

Travel providers store our credit card information. Airlines may have our date of birth, passport number, and Known Traveler or Redress number.

They know where we’re going. They know where we’re staying.

There’s identity theft. There’s stalker risk. And there’s corporate espionage.

Following a venture capitalist you might know where they are investing. Following the travels of a lawyer you might discern the confidential and privileged business of a client.

And that doesn’t even touch on the information held by banks we do business with, which are themselves travel providers through their co-brand relationships.

So I was intrigued when jamesb2147 pointed me to Google’s report on use of encrypted e-mail.

My working model has always been that the big banks and financial institutions have high security standards, and companies that have data interfaces working with those banks probably have high security standards as well, or at least that big bank contracts require it.

Encrypted email isn’t the only, or perhaps even most important, factor in security and privacy.

And not all email needs to be encrypted. If there’s no personal information, if it’s just a marketing or promotion email, I don’t worry about it.

I do think though that itineraries should be encrypted. Credit card bill notifications, or payment acknowledgements should be — especially when those messages contain dates and amounts.

That appears to be the exact model followed by Chase — financial institution emails encrypted, marketing emails not:

jamesb2147 points out some things he notices in the Google report:

United hasn’t changed the mail server configuration of the servers inherited from Continental. The emails coming from [Continental] servers are encrypted, and the emails coming from [United] servers are not encrypted in transit.

…Setting up encrypted connections is trivial, and clearly, [Continental] at some point had the requisite knowledge to accomplish this. It uses a small amount more processing power..but is a minimal step that can be taken to significantly protect the privacy of clients.

It appears that emails from americanexpress.com, spiritairlines.com, and barclaycardus.com do not ever enter gmail’s system encrypted. Very little Delta email comes in encrypted.

My itineraries from American appear to come from ‘aa.globalnotifications.com’ and I don’t see a result for that searching Google’s report.

Encryption matters, but if you’re working with a company that collaborates closely with the government I wouldn’t expect it to hide your information from the government. They get all PNR data before you travel anyway, and access to your credit card transactions, so this issue is really about protecting yourself from non-state actors.. and whether the companies you deal with are working in your best interests to do the same.

Do you worry about the security of your personal information? Does your airline, hotel, and financial institution partner information factor high on the list of your privacy concerns?


About Gary Leff

Gary Leff is one of the foremost experts in the field of miles, points, and frequent business travel - a topic he has covered since 2002. Co-founder of frequent flyer community InsideFlyer.com, emcee of the Freddie Awards, and named one of the "World's Top Travel Experts" by Conde' Nast Traveler (2010-Present) Gary has been a guest on most major news media, profiled in several top print publications, and published broadly on the topic of consumer loyalty. More About Gary »

More articles by Gary Leff »

Comments

  1. How exactly are the “dates and amounts” of CC bills sensitive? Time to make your tinfoil hat. lol 😉

  2. Hilton Honors is still VERY insecure in that they have no option to remove the 4-digit PIN access from your account. Doesn’t do a lot of good to have an option for a secure password when there isn’t a way to turn off the insecure access. I’ve sent emails, called the Diamond Desk and even written a letter. No change yet. 🙁

  3. The servers that these companies use to store and send emails may be encrypted, but no email that is sent over the internet is encrypted. It’s my understanding that the protocols that email is based on are fundamentally open. All email should be treated the same as a postcard sent in the mail. It can be read by anyone that desires to.

  4. This is why some banks send their sensitive updates via their internal mail system. Chase, for example, always sends me regular (not secure/encrypted) emails along the lines of “you have an email about your account on our secure server.” You then have to login to your account in order to access them.

  5. Does anyone know if google snoops email in corporate accounts (as opposed to free email accounts)?

  6. @easy victor – They most certainly do. See the part about “What kind of scanning/indexing of user data is done?” https://support.google.com/a/answer/60762?hl=en I did read that they’re considering discontinuing that practice since they ended it for Google Apps for Education accounts.

    @mark – This still reveals the time and sender of emails to third parties, but yes, that’s exactly the reason banks have independent “secure messaging” systems.

    @mason – You are confusing issues, i believe. There’s a critical distinction between messages *in transit* and *on the server.* Google’s report shows that many messages are completely unprotected while *in transit.* Truly, email was designed as part of a trusted system, so once they’re on the server, they’re sometimes left unecrypted (it depends on the server’s configuration). However, there’s PGP software that will let users encrypt messages so that even the email admin cannot read them. I’ve only seen PGP used by banks and lawyers, FWIW.

    @Eddy – The owner of the @N twitter handle was hacked because someone found out the last four digits of his credit card number. We, very fortuitously, have legal protections with credit cards. That won’t save you from a hacker with a creative use for your financial data. http://arstechnica.com/security/2014/01/picking-up-the-pieces-after-the-n-twitter-account-theft/

Comments are closed.