Room service, free tea and biscuits, extensive breakfast buffet, miniature toiletries and a turndown service with a chocolate on the pillow – just a few of the little luxuries offered by hotels to make a guest’s stay that little bit more special.
However, as you eagerly anticipate the complimentary robe and slippers, you may not be aware that you may also be checking-in to data and identity theft fuelled by POS malware.
Some of the major hotel chains from around the world have recently fallen victim to data breaches, with well known names including Hilton, Starwood, Hyatt and Trump among those targeted by cybercriminals.
In March 2015, the Mandarin Oriental chain of hotels was the first big name to admit a data breach, the first in a line of such announcements from hotels in 2015. The hotel confirmed that the credit card systems in a number of hotels in the US and Europe had been breached, with malware infecting the point-of-sale (POS) systems in order to steal customer card data. The hotel was quick to reassure that ‘only’ credit card data had been compromised, but no pin numbers or other guest data.
In October 2015 the Trump Hotel Collection (THC), a chain of hotels owned by Republican presidential candidate Donald Trump, confirmed a similar attack on its POS systems. The near year-long breach once again found malware on POS systems, with THC saying in a statement at the time:
"For those customers that used credit or debit cards to make purchases during this time, we believe that the malware may have affected payment card data including payment card account number, card expiration date and security code."
November 2015 saw yet two more hotel behemoths reporting breaches, with Starwood Hotels & Resorts and Hilton Hotels admitting to data breaches caused by POS malware. Starwood Hotels, the owner of the Westin, Sheraton, and St. Regis brands, saw 54 hotels in North America hit by the malware, while Hilton Hotels detailed a seventeen-week long attack on an undisclosed number of hotels.
This trend of hotel malware attacks has continued into 2016, with Hyatt Hotels confirming in January that POS malware had collected cardholder names, card numbers, expiration dates and verification codes from systems at a total of 250 hotels worldwide.
The old opinion in hospitality that hotels are not targets for hackers is simply not true – as evidenced by the breaches above. In fact, hotels are veritable goldmines for hackers. Firstly there is the fact that hotels process and store vast amounts of personal and financial information from guests, with this data being easily accessed thanks to the multi-location nature of hotel chains.
Guy Bunker, SVP at Clearswift, told CBR: "Why are hotels targeted… probably because they have a very large attack surface. There are lots of people in lots of locations who potentially have access to the critical information. Keeping tracks on all the potential areas is a real problem.
"In addition, a little like the garages / credit card skimming, there are many other ways in which large consumer facing organisations can be attacked. With thousands of customers and millions of transactions, the picking for the cyber-criminal in the hotel business are rich."
The type of clientele at hotels also acts as a lure to hackers seeking financial reward. A hacked credit card is much harder to identify when those who use it, in this case business travellers, make purchases in multiple places and countries.
Trevor Kennedy, Technical Account Director at Tanium UK, said: "Certainly the hackers are aware that the typical cliental of hotels are business people that travel a significant amount and are therefore likely to make a variety of purchases in a variety of locations.
"This makes it more difficult for the credit card companies to identify fraudulent activity on the hacked accounts and also makes it more likely that small transactions will be over looked by the card holder or because of their busy travel schedule, delay the detection of the activity."
However, it is the security strategy and outlook of hotel chains, coupled with legacy infrastructure, which makes the hacking all the more easier. It’s worth noting that that this legacy infrastructure is also linked throughout the hotel’s properties, meaning once the hacker breaks into one system, the whole network is at his or her mercy.
Mark James, Security Specialist at IT Security Firm ESET, told CBR: "I think the allure of the hospitality industry has many factors going for it; the back end systems are often bespoke and rarely updated, once they are integrated and working they will quite often stay that way until they have to be changed. Along with that, so many chains are linked together with each individual endpoint responsible for their own security so finding a "weak link" is relatively easy."
Millard, Technical Director EMEA at Tenable Security, echoes the opinion that hotels are lax towards security, telling CBR:
"Whilst many hotels should be following security best practices like PCI DSS (Payment Card Industry Data Security Standards) for protecting their infrastructures, recent breaches indicate that some are doing the bare minimum to comply rather than what is needed to reduce the risk of data loss."
Looking at the recent data breaches on big name hotel chains, it cannot be ignored that all of them have fallen victim to one particular cyberattack – point-of-sale malware. Point-of-Sale systems have become a favourite of hackers ever since the first POS malware campaign was led by Albert Gonzalez, who managed to steal the data of 170 million cards in 2005.
POS malware works to exploit a security gap in how card data is handled. This security gap is found at the time of processing a payment – when you swipe your card – as the data is not encrypted.
Hotels usually have a simple mag-stripe reader which is attached to the POS system itself, with the data encrypted using software within the POS system after swiping – this is in contrast to payment terminals, as Jose Diaz, Director of Payment Strategy at Thales e-Security, explained to CBR:
"Here is the crucial difference – payment terminals are certified under PCI, and can encrypt the data ‘at point of capture’ (the very first opportunity you have to protect it) rendering it unreadable as it flows through the merchant’s POS and IT Systems to the payment processor. Without this protection ‘from swipe to acquirer’, cleartext payment data is left vulnerable and open to attack."
In the wake of such high profile data breaches, hotels must be waking up to the fact that they are a lucrative target for cybercriminals. Hotels need to focus on, as Tenable Security’s Gavin Millard told CBR, ‘reducing their attack surface, removing easily exploitable security issues, and continually monitor the network for indicators of misuse."
The security challenge facing those in the hospitality industry is only going to get harder, with the number of different devices connecting to internet services and networks multiplying the number of endpoints which can be exploited.
Clearswift’s Guy Bunker advocates the need for constant monitoring, telling CBR: "More should be done to monitor the information as it leaves the databases and to protect the information at source, rather than relying upon the destination to be fully protected."
This preventative approach is also supported by David Emm, Principal Security Researcher at Kaspersky Lab, who said: "To further reduce the risks, it’s important that they implement anti-fraud monitoring technologies to analyse a customer’s behaviour during online transactions and to detect other suspicious activity within their IT infrastructure. This mitigates the risks of a possible lack of security at the customer’s endpoint, over which they have no direct control."
Many in the security industry prescribe to the belief cyberattacks are inevitable – a ‘when’, not ‘if’ situation. Where there is valuable data, there will be those who want to steal it, and hotels must be at the top of the list when it comes to businesses storing data. The amount of data coupled with the legacy infrastructure, vulnerable clientele and large attack surface is the perfect combination for cybercriminals looking for an easy financial win.
Let’s hope that those in the hotel industry take note of the recent breaches and follow the advice of the security experts, otherwise you may be not be wishing for a room upgrade the next time you check in – you’ll want a guarantee that your data is safe.
This article is from the CBROnline archive: some formatting and images may not be present.