Accommodation providers have been brutalised over the past year by a tidal wave of point-of-sale system breaches that have exposed hundreds of thousands of guests’ credit card accounts.
Accommodation providers represent rich and easy pickings for cyber criminals. There’s the potential to steal information from large numbers of customers with massive potential financial gains. Attacks on accommodation chains in the past year include Hard Rock Hotels & Casinos, Hilton Worldwide, Starwood Hotels & Resorts, Trump Hotel Collection – twice this year, Hyatt Hotels, Mandarin Oriental and White Lodging – and these are just the big boys.
Information stolen by malicious code that infected systems included credit card holders’ names along with card numbers, security codes and expiration dates. Through the use of malware, POS systems not only became the easiest way to steal customers’ credit card data, but they have also served as a point of access for cybercriminals to penetrate deeper into the networks for even more valuable data. At risk are:
- Business reputations and credibility;
- Client credit/debit card numbers;
- Dates clients are away on trips;
- Identity information on clients/employees;
- Business’ own sensitive data/intellectual property such as client lists, marketing and business plans that can then fall in the hands of competitors;
- Shut-down from a denial-of-service attack, resulting in loss of business;
- Extortion demands;
- Privacy issues including litigation and possible criminal charges.
Why are POS devices so easy to hack? Many of them use the Windows XP Embedded operating system that Microsoft barely supports. Although support for Windows Embedded POSReady 2009 has been extended until 2019, it doesn’t receive regular security updates, nor is it compatible with many modern anti-malware solutions. As long as companies keep these legacy POS systems in place, they will remain wide open to attack.
Cracking a simple password is one of the easiest and quickest ways to mount a cyber attack. For this reason it’s vital for organisations to enforce a strong password policy that includes requirements for two-factor authentication and regular password changes, especially for the administrator accounts on operating systems and POS applications.
Businesses should never forget to monitor POS systems for suspicious activity, such as multiple failed user logons; this could mean that someone is trying to gain control over the POS operating system.
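A minimal form of the failed-logon monitoring recommended above, as an added example rather than code from the original article: it reads audit-style log lines, counts failed logons per host, account and source inside a sliding time window, and flags the case a defender most wants to see, a burst of failures followed by a success. The log format, host names and addresses are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines (format, hosts and addresses are assumptions
# for this example, not output from any real POS product).
SAMPLE_LOG = """\
2016-05-02 22:01:05 host=POS-07 event=LOGON_FAILED user=administrator src=10.0.5.23
2016-05-02 22:01:09 host=POS-07 event=LOGON_FAILED user=administrator src=10.0.5.23
2016-05-02 22:01:14 host=POS-07 event=LOGON_FAILED user=administrator src=10.0.5.23
2016-05-02 22:01:20 host=POS-07 event=LOGON_FAILED user=administrator src=10.0.5.23
2016-05-02 22:01:27 host=POS-07 event=LOGON_FAILED user=administrator src=10.0.5.23
2016-05-02 22:02:02 host=POS-07 event=LOGON_OK user=administrator src=10.0.5.23
2016-05-02 22:10:41 host=POS-02 event=LOGON_FAILED user=cashier3 src=10.0.5.40
2016-05-03 08:15:00 host=POS-02 event=LOGON_FAILED user=cashier3 src=10.0.5.40
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) host=(?P<host>\S+) event=(?P<event>\S+) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse_line(line):
    """Parse one audit line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Alert once per (host, user, src) that reaches `threshold` failed logons
    within `window`; mark the alert if a successful logon follows it."""
    recent = defaultdict(deque)   # key -> failure timestamps still inside window
    alerts, alerted = [], {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue                  # skip malformed lines rather than crash
        key = (rec["host"], rec["user"], rec["src"])
        if rec["event"] == "LOGON_FAILED":
            q = recent[key]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > window:
                q.popleft()           # drop failures older than the window
            if len(q) >= threshold and key not in alerted:
                alerted[key] = {"host": key[0], "user": key[1], "src": key[2],
                                "failures": len(q), "first": q[0],
                                "last": rec["ts"], "success_after": False}
                alerts.append(alerted[key])
        elif rec["event"] == "LOGON_OK" and key in alerted:
            alerted[key]["success_after"] = True   # burst of failures, then success
    return alerts
```

Two failures a day apart on POS-02 fall outside the window and produce no alert; the five rapid administrator failures on POS-07 followed by a success do.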
As you can imagine, the impact of a data breach can be devastating to both the individual as well as your business. Specifically, if your company suffers a data breach, you are then liable for a long series of investigations, notifications and restitutions that can run into the millions of dollars, not including the impact to your brand image. Cyber security is a topic that cannot be brushed aside.
Look for security best practices, evaluate the weak points in your security posture, and test them in order to keep everything under control. Regularly train your employees and keep them informed about recent security threats. Finally, remember that you are not alone. Stay connected with the community, educate yourself about new threat patterns and discovered vulnerabilities, and share your knowledge. All of this might minimise the chance of a data breach and prevent hundreds of credit card holders from being victimised.
“These types of attacks,” Luis Corrons, technical director of PandaLabs disclosed, “are the work of gangs that have specialised in stealing credit card data from point-of-sale systems. Hotels are a gold mine for credit card theft. And while they have lots of other data, including customer personal information, that might be valuable, the network breaches pulled off by the attackers who hit accommodation providers focused entirely on credit card transaction data – the data most easily monetised.
“To protect your guests, employees and business, you must have a fully detailed plan describing how to securely manage all information that your accommodation business processes as well as how it will address any breach. Equally critical, your employees all need to be trained on these policies – it’s a practice that must permeate every department.”
From a paper standpoint, accommodation providers should never take or retain paper copies of credit cards or other personal data. Take information over the phone and enter it directly into a secured PMS or POS.
Zach Forsyth, technology innovation director at cyber-security company Comodo, maintains that cyber-criminals see hospitality organisations as prime targets because they handle extremely valuable financial and other personal data.
Mr Forsyth suggested that organisations should think more about protection from e-threats instead of their detection, and should invest in the latest secure online gateways as well as sophisticated endpoint safeguards that would block cyber attacks and malware.
Additionally, Mr Forsyth said that, disturbingly, many of these accommodation providers ran outdated IT security measures that hackers easily circumvented. In fact, the security measures many organisations currently employed were comparable to home security installations that alert about a break-in only after the thieves have already taken all the valuables and left.
Researchers at Panda Security recently issued a report showing the major attacks targeted against hotel chains in 2015. “These attacks are against chains of all sizes and have resulted in the theft of credit card data from thousands of customers. In many cases this has been carried out using malware-infected POS terminals. In a recent instance spear phishing has been used to target one of Panda’s Adaptive Defense 360 luxury hotel clients.
“We know that, in most cases, these types of attacks are initiated through an email with an attached file that compromises the victim’s computer or a link to a page that uses vulnerabilities to achieve the attacker’s objective,” says Luis Corrons, technical director of PandaLabs. “In our client’s case, the attack began with an email message addressed to a hotel employee stating the attachment provided all the information needed to pay for a hotel stay at the end of May 2016.
“This type of attack is hard to detect as the threats are created specifically for a victim and they always ensure that the malware is not detected by signatures or the proactive technologies of current anti-malware solutions. Having successfully snared a victim the criminals then move laterally to reach their ultimate goal, the point-of-sale terminals that process credit card payments,” Mr Corrons said.