Q: Last Saturday night, some hacker remotely broke into our GDS and issued $50,000 worth of airline tickets. These were all cash (i.e., non-credit card) tickets, and the journey originated at points in West Africa beginning Sunday morning. You have previously written about this fraud scheme, and I know that ARC periodically warns about it, but what should we do now? By the way, we don’t happen to have an extra $50,000 lying around!
A: You have to notify ARC and file a report with the local police. You should also void the tickets if it’s not too late and refund the rest so they cannot be used for return trips, and you should notify the airlines involved and tell them not to honor the tickets.
The steps above are just the beginning of your nightmare, which many agencies have experienced this year. The airlines will send you debit memos for any unpaid tickets. When you don’t pay the debit memos, the airlines will cancel your appointments, which, depending on the airlines that your agency uses, may or may not mean much to you.
The airlines will threaten to sue you, but, in my experience, this is a threat you can probably ignore. While I cannot guarantee that you won’t get sued, I have not known of any actual lawsuits against agencies that were victimized this way, and you would certainly have good defenses to a suit.
However, your real problem is ARC, which takes the position that your agency is legally responsible for paying for all tickets it issues. Specifically, the ARC agreement states, “Agent acknowledges and agrees that it remains financially liable and responsible for all Transactions issued by Agent during each Sales Report Period including those not submitted in Agent’s Sales Report.”
It won’t do you any good to argue that these tickets were not actually “issued by the Agent” but instead by a hacker. What will actually help you is to show that, when the tickets were issued, you were “exercising reasonable care” in safeguarding your GDS against hackers.
ARC further takes the position that, if your employee or independent contractor inadvertently gave out his or her GDS login in a reply to a phishing email that pretended to be from your GDS vendor, then your agency was not exercising reasonable care. So, the foundation of an adequate defense is to make sure that neither you nor anyone at the agency admits to ARC that you fell for such a phishing email.
If you make this admission, there is probably no way to escape legal responsibility, and you have to pay or settle with ARC. Conversely, if you avoid this admission, and if you can prove that you had instructed your staff not to fall for phishing emails and had taken other steps to avoid hackers, then there is a chance that ARC may relieve you of liability.
If ARC declines to do so, you can file a complaint with the Travel Agent Arbiter, asking him to order ARC to issue a letter relieving you of liability.