SUMMARY
The Travelers’ Registry information, which came into force this December 2, not without problems, can end up being a gold mine for cybercriminals. As implemented by the Ministry of the Interior, the rule that requires up to 42 pieces of information, including financial data, to be provided for a reservation or check-in at a hotel. Everything is justified on the grounds of security and the fight against mafias, but won’t it end up making cybercriminals’ job easier?
Antonio M. Figueras / Escudo Digital
There is no turning back. The complaints of hotel associations, the reproaches of consumers and the warnings issued by cybersecurity experts have not helped the Government to give its arm to twist on the Travelers Registry proposed by Royal Decree 933/2021. This Monday, December 2, coinciding with Cyber Monday, it comes into force.
Mandatory for tourist organizations such as travel agencies, hoteliers, car rental companies and cottage managers, the regulation requires the collection and communication of detailed data to the Ministry of the Interior headed by Fernando Grande-Marlaska. The information required goes far beyond that contained in an identity document, as was the case until now. Now 42 data will be required (previously it was 14). In the case of car rental, 60 will be required.
Apart from a significant bureaucratic burden, the rule entails privacy risks for individuals, because additional, perhaps invasive or unnecessary, data will have to be added to the personal information. And as for financial information, payment data opens a window for intrusion by cyber attackers. Failure to comply with the obligations of the new Travelers’ Registry can result in up to 30,000 euros in fines for establishments.
Cybersecurity
The standard affects administrative and security investment, a handicap for small organizations that cannot afford certain outlays. Without this implementation of appropriate technologies, the playing field for cybercriminals is widening. “The user must be assured of the data he is giving up, especially financial data. When accessing a payment gateway, data in transit and data at rest must be protected. The tokenization of sensitive data and controlled access to this information must be secure,” warns Ramón Rico Gómez, Senior Cybersecurity Engineer & Presales Specialist at Logicalis.
The purpose of the legislation is to provide the State Security Forces and Corps, but also the population, with a higher level of security. According to the Interior, more than 18,000 people under judicial or police investigation have been located in Spain thanks to the data provided by the tourism sector through the Travelers Registry.
Its objective is a contradiction in terms of what this implementation entails for cybersecurity, says Rico: “Not only small cybercriminals will be able to launch attacks. Larger organizations, which may be financed by states, can also take advantage of this new gold mine that will involve so many people handing over data”.
Police sources in the cybersecurity environment qualify to this newspaper that “the more data the police have, the fewer obstacles there will be for an investigation”, although they recognize that a greater traffic of data “entails danger”.
“This increase in information will have value above all for terrorism matters. Having a greater amount of data will speed up procedures and processes,” they argue.
Increased capacity for extortion
The massive processing of data facilitates the emergence of a new fishing ground for cybercriminals. There are no guarantees whatsoever in the event of a data breach, warns the expert: “Personal data can be exploited, for example, to set up a phishing scam targeting an individual or a specific organization. Thanks to the collection of information, cybercriminals will have a greater capacity for extortion if they manage to infiltrate the network of hotel companies or rural houses”.
In comparison with our environment, the new regulations are much stricter, says Rico: “EU legislation is much more lax in terms of data collection. Here there will be slower in the management of reservations, it will be a much more invasive process. And in terms of privacy, there is not total transparency of the guarantees offered for the data transferred, as established by the General Data Protection Regulation (GDPR)”.
The sector, on the warpath
It is not a minor problem to legislate against travelers from here and abroad. Spain is a reference as a world tourist destination. This is endorsed by the more than 85 million tourists who visited our country in 2023. The climate, the gastronomy, the way of life complete an ideal panorama. The sector is key to our economy (it represents 12% of Spanish GDP).
The United Kingdom is one of the nations that brings more foreign tourists to Spain. The planned measures prompted an angry reaction from the public, echoed by the Daily Mail. Under the headline Fury over Big Brother law, the newspaper reflected the obligation to hand over sensitive information, while warning that its tourists could decide to travel elsewhere because they do not want to hand over their data to the police.
According to Rico, “the total invasion of the privacy of visitors, the impact on large companies that organize trips, especially in peak periods, the obstacles in the management of tourist reservations, can have a negative influence”. “To deny freedom to people who come from outside Spain to enjoy tourist accommodations is detrimental to the sector,” he adds.
The Registry, to the courts?
The Spanish Confederation of Hotels and Tourist Accommodations (CEHAT) is considering taking legal action against the Travelers Registry, for several reasons: the lack of dialogue by the Government on the matter and the negative impact that this regulation is expected to have on the hotel sector and the travelers themselves.
For CEHAT, “the new regulation not only negatively affects international tourists, but also Spanish citizens who make use of hotels and accommodation when traveling within the country”. “These will have to face more complex and tedious administrative procedures, compromising their accommodation experience,” he notes.
Hoteliers believe that they will be forced “to comply with a confusing and disproportionate regulation that violates several European directives related to data protection and payment systems”.
The hotel and tourism business association of the Valencian Community, Hosbec, is also considering taking the regulation to court. But they are not the only organizations in the sector upset by the changes. To cite a few examples, UNAV (Unión de Agencias de Viajes), Acave (Asociación Corporativa de Agencias de Viajes Especializadas), and Fetave (Federación Empresarial de Asociaciones Territoriales de Agencias de Viajes Españolas), also lament the imposition of the new obligations.
Previous delays
The Royal Decree, 933/2021, of October 26, establishes the data that the entities must collect and regulates the system of communication of the information to the Ministry of the Interior, which thus sought to prevent criminals from using this type of services in their modus operandi to commit their crimes.
It came into force at the beginning of 2022, but a caveat was made with the reporting of data to the Interior, which postponed to January 2, 2023 the obligation for accommodation and car rental providers to forward their clients’ information to the police within 24 hours of a reservation or check-in.
There was so much criticism and complaints from the affected sectors that the implementation of the rule has been delayed on several occasions with the excuse of technical problems in the data communication platform. But now it seems that it will come into force on December 2.
On the possibilities of preventing cyber-attacks arising from the implementation of the new Travelers Regulation, Rico advocates “user awareness and training to know what they can do to improve the management of their data.” “This training corresponds to the different administrations, which must prepare the citizen to know how to react to a security breach, what is the most agile procedure,” he points out.
ANTONIO M. FIGUERAS
Journalist and writer
He has a degree in Hispanic Philology and Journalism. He has worked as a journalist at ABC newspaper (1985-2013), where he worked in the Culture and Entertainment, Television and Continuity sections. He was coordinator of Weekend of Vozpópuli (2015-2016). He has also been dedicated to corporate communication in different areas. Since 2022 he has been collaborating with Escudo Digital, where he writes about Interior and Defense issues. He has published the novel ‘La coleta de Disney’ (2018).
