Invisible Baggage

Behind every trip is a second journey most travellers never see. The moment a booking is confirmed, passports, payment details, allergies, and identities begin moving through airlines, hotels, event platforms, taxi firms, and dozens of unseen third parties. “Invisible Baggage” explores the hidden data chain powering modern travel, and why yesterday’s security models are no longer enough for an AI-driven, globally connected world. It’s a story about trust, responsibility, and the digital baggage that never truly comes home.

Tags: Events, Technology, Bleisure, Data Security

Yerim Mohamed

5/22/2026, 16 min read

Introduction

When a corporate traveller sets off on a business trip, we tend to worry about the tangible things: travel delays, jet lag, and whether the hotel Wi-Fi will hold up for a morning Teams call. But digitally, that traveller is carrying something much heavier, and far more fragile: invisible baggage.

In broader industry conversations about corporate travel and global mobility, data protection is too often treated as a sub-section, a footnote buried under physical duty-of-care policies or the latest AI booking trends. But as we move deeper into an era defined by decentralised data and automated bookings, security shouldn’t be a footnote. It is the entire foundation.

For decades, “corporate travel security” meant physical safeguarding: knowing exactly where your people were during a geopolitical crisis or a natural disaster. Today, while physical safety remains paramount, the battleground has fundamentally shifted. In 2026, corporate travel security equally means data integrity, supply chain resilience, and identity protection.

Imagine the morning of your child’s first school trip. You sign the permission slip, hand over a packed lunch, and watch them climb onto the coach. The teacher waves; the driver pulls away. You feel that small, familiar pang, not because you don’t trust the school, but because in that moment you’ve handed your child to a chain of strangers. The teacher will pass them to a driver. The driver will stop at a service station, where someone you’ll never meet pours them a drink. At the museum, a tour guide takes over the group. By lunchtime, your eight-year-old has been in the care of five separate organisations, and you signed one piece of paper.

Your duty of care as a parent didn’t shrink because the chain lengthened. Neither did your worry.

Personal data behaves exactly the same way. The difference is that, unlike on a school trip, the parent, which under European law means the employer, typically has no idea how long the chain actually is.

Tracing these flows is part of my job. The map doesn’t get shorter the more carefully you look at it. It gets longer.

Yet most modern travel programmes have not made the shift their data flows require. We are trying to secure 2026 threats using 2015 workflows. To understand why this is a systemic risk, and a compliance liability, we have to look at what actually happens to a traveller’s identity the moment a trip is booked.

The Data Itinerary: Where Does Your Passport Actually Go?

To understand the scale of this vulnerability, we have to look at the lifecycle of a modern corporate booking.

Take a standard business trip: an executive is travelling from London to Paris for a three-day conference. When they physically pack their suitcase, it stays with them for the duration of the trip. Their digital suitcase behaves entirely differently. The moment an event manager clicks “Confirm Booking,” that digital suitcase explodes, fragmenting and copying its contents across a sprawling, unregulated global network.

Here is what that data itinerary actually looks like:

Stop 1: The Origin.

The traveller enters their most sensitive Personally Identifiable Information (PII) into their corporate booking platform: passport number, date of birth, corporate credit card, and a severe peanut allergy.

Stop 2: The Infrastructure.

The platform transmits this data to the operating airline. But the airline does not keep it siloed. The booking is routed through a Global Distribution System (GDS) like Amadeus, a single platform that handles the bookings of more than 770,000 travel agencies and 400-plus airlines worldwide. If you’ve ever flown, your data has almost certainly passed through it. From there, the Passenger Name Record (PNR), essentially the airline’s master record of who is on the plane and how to reach them, is transmitted to international border control agencies.

Stop 3: The Cross-Sell Ecosystem.

Modern travel runs on automated data sharing between platforms. Almost instantly, the airline’s systems share fragments of that traveller’s data with third-party partners to facilitate cross-selling. Suddenly, global hotel aggregators, regional car rental companies, and local taxi dispatchers have access to the traveller’s name, destination, and arrival time.

Stop 4: The Ground Reality.

The traveller arrives at their destination. The local hotel property management system records their passport upon check-in. At the conference venue, an event organiser has a printed, unencrypted Excel spreadsheet sitting on a welcome desk, in full view of the public, containing the traveller’s name, company, and dietary requirements.

Three days later, the trip ends. The executive travels home and unpacks their physical suitcase.

But their invisible baggage never comes home. Months after the conference has ended, that executive’s highly sensitive data is still sitting permanently in a regional taxi database, an airline’s marketing server, and an event manager’s forgotten email thread.

Under the GDPR’s Article 5 (Storage Limitation) and Article 17 (Right to Erasure), an enterprise is legally responsible for this data. But how can a company delete an employee’s data when it is scattered across fifty different sub-processors, the vendors that the travel platforms themselves rely on, and unencrypted spreadsheets? The simple answer is: they can’t.

By the Numbers — One Corporate Booking
  • 15–25
    Typical number of distinct organisations that process the data behind a single corporate trip, once analytics, payments, and ad-tech embedded in the booking journey are counted.

  • 100+
    Partner companies listed in a major hotel-booking site’s public privacy notice as authorised recipients of customer data.

  • 500 million
    Guest records exposed in the 2018 Marriott / Starwood breach. Roughly 5 million of those included unencrypted passport numbers.

  • £20 million
    The fine issued by the UK Information Commissioner’s Office to British Airways for a 2018 breach traced to a third-party script embedded in their booking page.

  • Zero
    Number of times the average traveller is shown the full sub-processor list before they hand over their passport.

The Stakeholder Collision: Speed vs. Security

Trace any data leak in corporate travel back to its source and you rarely find a villain. You find a collision.

The Traveller wants the trip to be easy.
They are not trying to evade security; they have a meeting at nine, they need a hotel near the venue, and the friction tolerance of a tired adult on a Sunday night is approximately zero. Every authentication step they cannot understand is a step they will work around. This is rational.

The Event Manager wants speed.
They are coordinating a hundred and twenty delegates with dietary requirements, accessibility needs, room allocations, and last-minute changes, and the tools they have been given to do it with were largely designed before GDPR was written. The shared Excel spreadsheet on the welcome desk is not the result of carelessness. It is the result of an industry that handed them a 2010 toolkit and a 2026 problem. This is also rational.

The CISO and the Compliance Lead want accountability.
They are responsible for every byte of personal data the company processes, including the bytes that left the company’s perimeter the moment travel was outsourced to a third-party platform. They typically learn what their travel programme is actually doing the day a regulator asks. By then, the chain is already in motion.

Three roles, three rational incentives, three different definitions of “the job done.” None is wrong. But the system that contains them is broken, because nothing in the standard corporate travel stack reconciles them. The Traveller chooses the easy path. The Event Manager chooses the fast path. The CISO chooses the safe path.

This is not a permanent state. The same industry that handed everyone a 2010 toolkit is, slowly, unevenly, but visibly, building the 2026 one. We’ll get to what that looks like in a moment.

The 2026 Shift: Why This Has to Change Now

The collision above has existed for at least a decade. What is new, and what makes 2026 a forcing function rather than a slow-burn problem, is that two trends are simultaneously making the chain longer and the consequences sharper.

The first is AI. There is a healthy industry debate about whether AI is ready to act as the autopilot for corporate travel; on a strict reading of the evidence, it is not. But here is what often gets missed: whether or not AI agents are ready to replace human travel managers, they are already being inserted into the process. Each “intelligent assistant,” each booking copilot, and each itinerary optimiser is, from a data-protection perspective, another processor in the chain. They do not shorten the data itinerary. They lengthen it.

The second is the maturing of sub-processor regulation. Regulators are getting sharper. In 2023, Meta was fined €1.2 billion by Ireland’s Data Protection Commission for how it handled EU-to-US data transfers, the largest GDPR fine on record. And since the EU court’s 2020 ruling in the Schrems II case, sending personal data outside Europe has become significantly harder to justify. Together, these shifts have put the original controller, the employer, on the hook for the chain’s behaviour, not just the platform’s. GDPR Article 28, the rule that requires a written contract with every sub-processor, is no longer something a procurement team handles in a one-off contract review. It is a daily operational risk.

The architectural answer to a longer chain with sharper consequences is a principle the security industry has been refining for ten years: Zero-Trust. In plain language, Zero-Trust is the assumption that any system in a chain, including your own, can be compromised, and that every request, every time, must prove it has the right to be there. It replaces the old model of trusted networks, where once inside the perimeter you were assumed to be friendly, with one of continuous verification.
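To make the difference between the two models concrete, here is an added example (not code from the article or from the platform publishing it) in which a partner system asks the booking platform for part of a passenger record. The perimeter model accepts any caller from the "trusted" network; the Zero-Trust model requires every request to carry a short-lived token that is signed, unexpired, bound to one record, and limited to a named list of fields. The partner name, key, record contents, PNR locator, and the HMAC-signed token format are all assumptions constructed for the demo.

```python
"""Added example, not code from the article or from the publishing platform.
Contrasts perimeter trust with per-request verification when a partner system
asks the booking platform for part of a passenger record. Partner names,
keys, record contents and the token format are all constructed for this demo."""
import base64
import hashlib
import hmac
import json
import time

# Constructed per-partner signing keys; a real deployment would keep these in
# a secrets manager and rotate them. Never reuse this value.
PARTNER_KEYS = {"hotel-aggregator": b"constructed-demo-key-do-not-reuse"}

# One constructed passenger record, keyed by a made-up PNR locator.
RECORDS = {
    "ABC123": {
        "name": "A. Traveller",
        "arrival_time": "2026-06-01T08:40",
        "passport_number": "CONSTRUCTED-0001",
        "allergy": "peanut",
    }
}


def perimeter_check(source_ip: str) -> bool:
    """The old model: a caller inside the 'trusted' network may read anything."""
    return source_ip.startswith("10.")


def mint_token(partner: str, pnr: str, fields, ttl: int = 60, now=None) -> str:
    """Issue a short-lived token scoped to one record and an explicit field list."""
    now = time.time() if now is None else now
    payload = {"iss": partner, "pnr": pnr, "fields": sorted(fields), "exp": int(now) + ttl}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    sig = hmac.new(PARTNER_KEYS[partner], body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def verify_request(token: str, pnr: str, requested_fields, now=None):
    """Zero-Trust: every request proves issuer, integrity, freshness and scope.
    Returns (ok, reason) so the caller can log the reason for every refusal."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        payload = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:
        return False, "malformed token"
    if not isinstance(payload, dict):
        return False, "malformed token"
    key = PARTNER_KEYS.get(payload.get("iss"))
    if key is None:
        return False, "unknown issuer"
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if payload["exp"] < now:
        return False, "expired"
    if payload["pnr"] != pnr:
        return False, "token not scoped to this record"
    extra = sorted(set(requested_fields) - set(payload["fields"]))
    if extra:
        return False, "fields outside scope: " + ", ".join(extra)
    return True, "ok"


def fetch_fields(token: str, pnr: str, fields, now=None) -> dict:
    """Release only the fields the verified token allows; refuse everything else."""
    ok, reason = verify_request(token, pnr, fields, now)
    if not ok:
        raise PermissionError(reason)
    return {f: RECORDS[pnr][f] for f in fields}


if __name__ == "__main__":
    tok = mint_token("hotel-aggregator", "ABC123", ["name", "arrival_time"])
    print(perimeter_check("10.4.2.1"))                  # perimeter model: no questions asked
    print(fetch_fields(tok, "ABC123", ["name", "arrival_time"]))
    print(verify_request(tok, "ABC123", ["passport_number"]))   # refused: outside scope
```

The point of the scope check is data minimisation: the hotel partner in the article only needs a name and an arrival time, so a token that lets it read the passport number should never be minted, and a request for that field is refused even when the signature is valid.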

The encouraging part is that this is no longer a niche idea. Banking, healthcare, and major SaaS platforms have spent the last five years adopting Zero-Trust as the new normal. Travel is the next domain in line, and some platforms are already there. The gap is closing.

What’s Already Working

It’s easy to read all of this as bad news. It isn’t. The reason the chain looks longer today is partly because regulators, security teams, and informed buyers are finally able to see it. GDPR, for all its complexity, has done more to improve corporate data hygiene in five years than the previous two decades combined.

The British Airways fine I mentioned above changed boardroom conversations across the industry. Encryption of personal data at rest is now table stakes for any serious platform; in 2018, it wasn’t. The IATA New Distribution Capability initiative is starting to shorten the airline side of the chain by giving carriers direct relationships with corporate buyers. Multi-factor authentication adoption among business travellers has risen sharply since 2020. And a new generation of travel platforms, including, full disclosure, the one publishing this article, is building automated deletion, encrypted vaults for travel documents, and verifiable sub-processor lists from the foundation up.

None of this is finished. But it’s progress, and it’s faster than people on the outside tend to assume. The work this article describes is being done — not everywhere, and not yet by everyone, but it is being done.

The Road Ahead

If you run, buy, or use a corporate travel programme, here are three questions you should ask before the next renewal:

  1. What is the full, operational sub-processor list of your travel platform?
    Not the public privacy-notice version, but the one their engineering team uses. If the platform cannot produce one, that is your answer.

  2. Where does the data cross jurisdictions?
    Which mechanism (EU Standard Contractual Clauses, the UK International Data Transfer Addendum) covers the transfer? Schrems II made this real. It is no longer a footnote.

  3. What gets deleted, when, and who confirms it?
    Storage limitation under GDPR Article 5(1)(e) is the part of the regulation most platforms quietly fail. If “deleted” really means “soft-flagged in a database we never purge,” it is not deletion in the legal sense.
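The data itinerary described under "The Data Itinerary" and the three questions above can be turned into checks a security or compliance team runs at renewal. The following is an added example (not code from the article or from the platform publishing it): a small register of where one trip's data went, with a chain walk for question 1, a transfer-mechanism check for question 2, and a deletion check for question 3 that treats "soft-flagged" as not erased. Every organisation, date, retention period, contract term and region in it is constructed for illustration, and the field names and the `Holding` structure are assumptions of the demo, not a standard.

```python
"""Added example, not code from the article or from the publishing platform.
A minimal register of where one trip's data went, with the three renewal
questions from the article run over it as checks. Every organisation, date,
retention period and contract term below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional

# Jurisdictions treated as needing no transfer mechanism in this demo.
DOMESTIC = {"EU", "UK"}


@dataclass(frozen=True)
class Holding:
    org: str                      # organisation holding a copy of the data
    received_from: str            # who passed it on (lets us walk the chain)
    fields: FrozenSet[str]        # which data items this copy contains
    region: str                   # where the copy is stored
    transfer_mechanism: Optional[str]   # "SCC", "UK IDTA", ... or None
    retention_days: int           # retention the contract promises
    deletion_mode: str            # "hard", "soft" (flagged, never purged) or "none"
    received: date
    deletion_confirmed: Optional[date] = None   # written confirmation, if any


BOOKED = date(2026, 5, 4)  # constructed booking date for one London -> Paris trip

# Constructed itinerary following the article's Stops 1-4.
HOLDINGS = [
    Holding("airline", "booking-platform",
            frozenset({"name", "passport_number", "dob", "card"}),
            "EU", None, 90, "hard", BOOKED, date(2026, 8, 3)),
    Holding("gds", "airline",
            frozenset({"name", "passport_number", "dob"}),
            "EU", None, 365, "soft", BOOKED),
    Holding("hotel-aggregator", "airline",
            frozenset({"name", "arrival_time"}),
            "US", "SCC", 30, "hard", BOOKED),
    Holding("taxi-dispatch", "hotel-aggregator",
            frozenset({"name", "arrival_time"}),
            "US", None, 0, "none", BOOKED + timedelta(days=1)),
    Holding("event-organiser", "booking-platform",
            frozenset({"name", "allergy"}),
            "EU", None, 7, "none", BOOKED),
]

# What the public privacy notice names; constructed to be shorter than reality.
PUBLIC_NOTICE = {"airline", "gds", "hotel-aggregator"}


def operational_chain(holdings: List[Holding], start: str = "booking-platform") -> List[str]:
    """Q1: follow received_from links outward from the controller, hop by hop."""
    order, frontier = [], [start]
    while frontier:
        hop = [h.org for h in holdings if h.received_from in frontier and h.org not in order]
        order.extend(hop)
        frontier = hop
    return order


def undisclosed(holdings, notice):
    """Orgs in the operational chain that the public notice never mentions."""
    return sorted(set(operational_chain(holdings)) - set(notice))


def undocumented_transfers(holdings):
    """Q2: copies outside EU/UK with no transfer mechanism on file."""
    return sorted(h.org for h in holdings if h.region not in DOMESTIC and not h.transfer_mechanism)


def deletion_findings(holdings, today):
    """Q3: soft/none deletion is not erasure; hard deletion past its due date needs confirmation."""
    findings = []
    for h in holdings:
        due = h.received + timedelta(days=h.retention_days)
        if h.deletion_mode != "hard":
            findings.append((h.org, "'%s' deletion is not erasure" % h.deletion_mode))
        elif today > due and h.deletion_confirmed is None:
            findings.append((h.org, "erasure due %s not confirmed" % due.isoformat()))
    return findings


def carrying_home(holdings, field):
    """Who still holds `field` with no confirmed erasure, however long ago the trip ended."""
    return sorted(h.org for h in holdings if field in h.fields and h.deletion_confirmed is None)


def renewal_report(holdings, notice, today):
    """Answers to the three renewal questions for one trip's register."""
    return {
        "undisclosed": undisclosed(holdings, notice),
        "undocumented_transfers": undocumented_transfers(holdings),
        "deletion_findings": deletion_findings(holdings, today),
        "passport_holders": carrying_home(holdings, "passport_number"),
    }


if __name__ == "__main__":
    for key, value in renewal_report(HOLDINGS, PUBLIC_NOTICE, date(2026, 9, 1)).items():
        print(key, value)
```

Two design choices matter. The chain is walked from the controller outward rather than read off the privacy notice, which is how the taxi dispatcher two hops downstream shows up at all; and deletion counts only when the contract says "hard" and a confirmation has actually been received, so a vendor that soft-flags records, or one whose retention period lapsed without anyone confirming the purge, appears as a finding rather than silently passing.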

In the next article in this series, I’ll look at the people in the chain, not the platforms, but the travellers themselves. Different travellers face different risks, and the legal duties owed to them are not uniform. After that, I’ll walk through what ‘good’ looks like, end-to-end, at every link in the data itinerary described here.

The data leaves with the traveller. The least a good travel programme can do is know who is carrying it home, and the best are already finding out.



© Copyright bizumi