After two years of intermittent lockdowns caused by the pandemic, we have all seen how technology can empower us to continually connect with friends, communities, and the wider world. Technology has also enabled Trip.com Group to ensure we meet the needs of our users and business partners over the last two years.
In this article series #TripTechSolutions, we look at how our technology has helped us overcome the challenges posed by the pandemic.
I’m sure you’ve had a similar experience - you’re at home, enjoying a relaxing start to the day checking the company emails on your smart device. In the afternoon, you take your laptop to your favourite coffee shop and prepare for a client meeting. While you wait, you access your company’s remote network, and maybe you come across some potentially sensitive or protected information.
Mobile-working scenarios, like this, have become the new normal for many modern-day businesses around the world. Yet, taking corporate and customer information outside the office intranet can be a risk to users and businesses.
In order to meet the challenges of a modern day workforce and protect users' personal information, Trip.com Group has recently introduced the internationally recognized "Zero Trust" technology to protect users' information.
The technology minimizes the trust given to any one person, device, or system inside or outside the network, repeatedly and strictly verifying all permissions. This not only ensures that mobile and home office employees can work remotely without affecting the business, but also ensures the platforms and users' data remain in a trusted, safe environment.
The introduction of the Zero Trust technology is only a small aspect of the many investments we have made in maintaining information security. With expanding digitalization and the importance of privacy, safeguarding user information security is a top priority for us.
Setting-up the “Shield”: Encrypting user data across all platforms
Starting from the moment a new user registers an account, private data circulation and storage begins across a variety of digital platforms. When it comes to information security and privacy protection, naturally users have questions and concerns - how is my personal information being stored? Who can view my personal information? Could my personal information be leaked?
On Trip.com Group’s sub-brand platforms, such as Trip.com, Ctrip, and Qunar, when a new user inputs their email and phone number to register an account, their data is immediately encrypted. As users purchase products, share ID card numbers, payment and credits card details, and other information, we ensure their data is safe and secure through encryption, in order to avoid any potential data breaches at the source.
Trip.com Group has ensured the protection and encryption of users’ personal information long before it was mandatory under legislation and an industry requirement.
Ling Yun, Head of Trip.com Group’s Information Security department, said, "A single instance of personal information such as email addresses, ID card numbers, and credit card numbers leaking, can cause severe damage to user confidence. We realized this and encrypt not only user passwords but all types of private information." Internally, the Information Security team call this project "Shield". Ling said the project was named this after the popular Marvel TV series Agents of S.H.I.E.L.D.. The team hoped to create an indestructible “shield” to protect the personal information of all users across all platforms and brands.
The process of forging the Shield security system was not easy. Trip.com Group was established 22 years ago, and it was a complex task to encrypt historical information across all platforms, as well as encrypt all the new information generated on the apps and sites. The Information Security team worked closely with all of the Group’s business units and IT departments to reform and upgrade the entire backend algorithm. This process took over a year to achieve.
Once the encryption was completed, the decryption channel required strict governance too. The Information Security department invested a lot of effort to narrow down the decryption channel and strictly monitor the decryption process, leaving only a few necessary interfaces for business exchanges and to serve users.
In what scenarios does data need to be decrypted? For example, an airline needs to verify an ID number before a traveller boards a plane. Or a purchase confirmation SMS message needs to be sent to a user. In each scenario, the platform will start a strict risk assessment protocol, and only with sufficient reason will the information be transmitted to a third party. As for any requests with insufficient reason, Trip.com Group’s platforms will refuse to provide any personal information to the third party.
Some users may ask, “With so much personal information, is my information analyzed and used for business needs?” Well, the Shield system protects against this too. The only analysis that takes place is based on non-personal, annonymised data, meaning that this data cannot be tracked back to any one individual, with only trends to be seen from among a group of anonymous users.
Protecting personal information from the inside out
Trip.com Group has also developed a strict internal information security system to manage and regulate data access by:
Building access management platforms with limited authorization and tracking all authorized behavior and activity;
To prevent information from being captured whilst accessed, pages containing sensitive data have both visible watermarks of the viewer ID and also invisible watermarks; the backend system stores complete records of the viewer’s operations and screenshots, and other behavior that could be a potential data breach risk is logged and recorded;
Increasing awareness of information security through regular internal training, quizzes, and activities like “Information Security Week.”
Building a high-standard system within a healthy ecosystem
Going back as early as 2016, Trip.com Group has invested in the people, processes and technology to protect organizational data and obtained the international standard ISO 27001 certification. Trip.com Group has also received the Payment Card Industry Data Security Standard (PCI DSS) certification, a standard for businesses that handle branded credit cards from all major card holders.
Instead of building the information security system behind closed doors, Trip.com Group has developed free tools for the whole industry. For example, cooperate information breach regularly occurs on Github, a popular coding sharing platform, and the information security team of Trip.com Group has developed a scan tool to cope with this challenge. They have also turned this tool into a free SaaS service, helping other companies to mitigate the risk. Today, many well-known internet companies make use of this platform.
"Maintaining information security needs to be collaborative and efforts need to be maintained by the whole industry. We are always willing to share some of our technology with the outside world, to support the security ecosystem and further protect our users," said Yun Ling.
Digital information security is an important pillar of Trip.com Group’s offering. Data security technology and information systems make sure our users’ privacy is always fully protected and that we are maintaining standards exceeding legal requirements. Looking to the future, information security technology will remain a focus of the Group; and we will continue to invest in new technologies to meet the requirements of our users and our industry.
Check out other blogs in the #TripTechSolutions series:
Driving Efficient Customer Service
Inspiring and Informing Travellers