The massive fine over Amadeus internally reusing private data from a traveller profiling pilot is likely to accelerate investment in what is known as “zero trust” security architecture across the travel sector, where every system connection and data request must be continuously verified.
Travel technology providers are increasingly adopting end-to-end encryption, tokenisation of payment information and stricter access controls to reduce the amount of customer data exposed in the event of a breach.
Amadeus, a Spanish-owned multinational company, provides software solutions for global travel and tourism, and chances are that most Australian advisors have interacted with Amadeus software on multiple occasions when booking travel for clients. The company employs approximately 19,000 people across 190 countries.
What makes the Amadeus case particularly significant for the travel sector is that regulators were not responding to a conventional cyberattack, but to allegations around how traveller data was reused internally to build predictive profiling tools.
According to Spain’s data protection authority – which fined Amadeus €14.4 million (around AU$23.41 million) for the breach – the pilot project analysed historical passenger booking records from Amadeus’ global distribution system (GDS), including archived Passenger Name Record (PNR) data, to identify behavioural patterns and support the development of new products for airlines, hotels and travel sellers. The regulator alleged the program lacked sufficient transparency and lawful processing grounds under Europe’s GDPR privacy laws.
“We respectfully disagree with the AEPD’s application of data protection laws and its decision to impose a fine,” Amadeus said in a statement.
“At the same time, we believe that the fine placed on Amadeus does not comply with the principle of proportionality, and we will seek to contest it before the courts. Amadeus will be making no further comment on this issue at this time.”
Expanding AI tools
Alongside “zero trust” security architecture sits data minimisation, which means limiting how much personal information is collected and how long it is retained, particularly as airlines and agencies expand AI-driven retailing and personalisation tools.
Suppliers are also moving towards segmented cloud environments designed to isolate booking, payment and operational systems from one another, reducing the risk of a single breach spreading across entire networks.
Last year Qantas was one of a number of companies globally that had data released by cyber criminals following a cyber incident in July 2026, where customer data was stolen via a third-party platform.
The majority of the compromised records included names, email addresses and Frequent Flyer details. A smaller portion of customers also had their business or home address, date of birth, phone number, gender or meal preferences exposed.
No credit card details, personal financial information or passport details were impacted. Qantas stressed there has been no impact to Frequent Flyer accounts, and that passwords, PINs and login details were not accessed or compromised. The stolen data alone was not sufficient to access customer accounts.
Shared data risks through third-party platforms
Multi-factor authentication, biometric logins and real-time threat monitoring are now becoming standard across many airline and travel management platforms, while regulators are demanding clearer audit trails showing exactly who accessed traveller data and when.
Cybersecurity specialists say one of the biggest vulnerabilities remains the highly interconnected nature of global travel systems, where airlines, hotels, airports, online travel agencies and corporate booking tools often share information across multiple third-party platforms.
As a result, many travel companies are tightening supplier oversight requirements, conducting more frequent security audits and demanding stronger contractual guarantees around privacy compliance from technology partners.
The shift reflects a broader industry reality that cybersecurity is no longer viewed purely as an operational issue, but increasingly as a core part of brand trust and customer loyalty in the global travel market.
