Being Breach Ready: A Guide to Prep and Respond
The chances of a company being affected by a data breach are higher today than ever before, with any merchant who accepts credit cards being susceptible. The 2016 Data Breach Incident Report (DBIR) from Verizon (www.verizon.com) reveals that 89% of all attacks in 2015 involved financial or espionage motivations. The hospitality industry is no exception, and candidly, is often considered to be at even greater risk.
Beyond a Google search using the keywords “data breach,” which will populate numerous stories on recent hotel and restaurant security incidents, the DBIR reveals that accommodation and retail businesses account for a more significant percentage of breaches. The report’s writers ascertain that this is not surprising, due to the fact that businesses falling into these categories (encompassing hotels and restaurants) process large quantities of information that is highly desirable to financially motivated criminals.
In August, Kimpton Hotels and Restaurants (www.kimptonhotels.com) announced the detection of malware on payment terminals in more than 60 of its hotels and restaurants, and The Hutton Hotel, a luxury hotel chain in Nashville, TN, alerted the public that it had become aware that hackers installed a program into its payment processing system which had been at work for three years. In the restaurant industry, Cicis Pizza (www.cicis.com), a Coppell, TX-based fast-casual restaurant, reported a credit card breach in July 2016 at more than 135 locations via the point-of-sale, with some locations being compromised as early as 2015.
Johnny Lee, principal of forensic, investigative and dispute services at Grant Thornton (www.grantthornton.com), an independent audit, tax and advisory firm based in Chicago, says it is no longer a matter of if you will be compromised, but rather when you will be compromised.
“The nature of attacks are so sophisticated and commoditized that it will happen,” he warns. “The question is, how resilient are you to recover from it.”
The key to data breach recovery is preparing a plan of action before the breach occurs, and PCI standards actually require some type of response plan. This can help operators move quickly when notified of a breach and avoid mistakes affecting both the bottom line and the brand’s reputation, according to Reg Harnish, CEO of Grey Castle Security (www.greycastlesecurity.com) who consults with companies to build a response plan.
“Statistics show and data proves the more prepared you are, the less impactful an incident is on the merchant, and the less time it takes to resume normal business operations,” he explains.
Harnish advises that proactive planning can often pay dividends in the end. One consideration is consulting a lawyer to put a plan together and establish a relationship before legal advice is needed if a breach should occur. A lawyer should be one of the first calls made by the operator because a knowledgeable attorney can help comb through the laws around forensic audit results and data breach notification, as 47 states have different requirements.
“The smartest thing to do is to have a lawyer draft and go over an incidence response plan and then hope that it never has to be used,” notes Charles Hoff, a hospitality industry attorney at Atlanta-based Hoff Hospitality (www.hoffhospitality.com).
Should the Worst Happen: Immediate Action Steps
The majority of companies are made aware of a breach on their network by their credit card processor, their banks or even the government. By the time they are notified of the breach, it could be months or even years after the initial breach occurred.
“We have a lot of people say the secret service showed up with a hard drive of my customer transactions, or my bank told me I was compromised, and they generally find out long after the intrusion occurred,” Harnish says.
According to Verizon, more than 50 percent of data breaches remain undiscovered for months. Because breaches can often go undetected, responses must be swift and purposeful in order to regain customer trust. Following are three steps to incorporate into an effective breach response strategy.
1. Protect the Area
When a data breach occurs, companies should take steps similar to the way police rope off a crime scene to protect evidence.
“Try to do the same thing with the computer or data you think was compromised,” Harnish advises. “You can disconnect it from the Internet, but beyond that don’t do anything. Don’t run anything, like an anti-virus, or shut it down, or even move the mouse because it could get rid of evidence.”
Companies are usually required to do a forensic audit, and outside experts can be called in to uncover the source of the breach and gather evidence. The cost of this could be up to $10,000 per location, Hoff states. These investigators are looking for a number of clues, such as unauthorized login attempts, outbound traffic to a known bad IP address, encrypted zip files sent to the network overnight, brute force attempts for passwords on accounts, administrative logins at 2 a.m. or at an abnormal time.
“There are about 12 we look for, and they are called indicators of compromise,” Harnish notes. “As soon as possible, you want to get into the investigation piece and contain it. If hackers are still in it, we want to stop them and kick them out of the network.”
2. Consult Legal
This step could help a company manage the litigation risk, understand the laws regarding customer notification and more. During the forensic audit, an auditor is looking for infractions, and if there is in fact a data breach, what caused it. Many times infractions will be found that are not even related to the breach in question.
“As an attorney, I want to talk to the forensic auditor and be on the call when the report is finished and provided to the credit card processors so I can do whatever I can to make sure the client is not exploited,” Hoff says. “This is the point where penalties and fines are passed to the operator, and a knowledgeable attorney can be influential here.”
Also, there are 47 states that have data breach notification laws, requiring notice to customers about the breach and what a company is doing to remediate. This can be confusing, and a lawyer can help distill the information and demystify the process.
3. Notification
If a company doesn’t hear about the data breach from law enforcement or their merchant processor, it must notify both of them immediately. After the breach has been investigated and the evidence uncovered, the company must enact a plan to notify customers and the public if necessary.
“It’s about crisis management and what you are going to say to the public, if anything. What script you will read, who will author it — and this must be very well managed,” Lee explains. “If you look at some of the more sizable retail breaches, you see those with a well-managed process come and go within a month or so in the news and those who stay in the news for months because of contradicting press releases, etc.”
As mentioned before, 47 states have their own legal requirements when it comes to customer notification, and because hotels and restaurants often have customers who live in a variety of states, notifying customers across those locations can prove difficult.
“They have to report in all states of residency, not where the hotel or restaurant is located, and operators need to know the legal requirements for each state,” Harnish says. “A company can blow it in terms of their reputation on what they do and don’t communicate to customers. Target’s breach initially reported only six million customers affected, and ultimately it ended up being 60 million. This can compound reputational damage.”
A lawyer can be very helpful with this process as they can provide templates ahead of time for hotels or restaurants that can then be immediately sent out to customers, Harnish adds.
Offering to provide a credit monitoring service to customers possibly affected by a breach is another helpful tool for hospitality companies to help in damage control. A company such as AllClear ID (www.allclearid.com) offers this type of service, and Hoff explains that it can help from a “goodwill standpoint to show that a company cares and they want to preserve their reputation.” HT
Beyond a Google search using the keywords “data breach,” which will populate numerous stories on recent hotel and restaurant security incidents, the DBIR reveals that accommodation and retail businesses account for a more significant percentage of breaches. The report’s writers ascertain that this is not surprising, due to the fact that businesses falling into these categories (encompassing hotels and restaurants) process large quantities of information that is highly desirable to financially motivated criminals.
In August, Kimpton Hotels and Restaurants (www.kimptonhotels.com) announced the detection of malware on payment terminals in more than 60 of its hotels and restaurants, and The Hutton Hotel, a luxury hotel chain in Nashville, TN, alerted the public that it had become aware that hackers installed a program into its payment processing system which had been at work for three years. In the restaurant industry, Cicis Pizza (www.cicis.com), a Coppell, TX-based fast-casual restaurant, reported a credit card breach in July 2016 at more than 135 locations via the point-of-sale, with some locations being compromised as early as 2015.
Johnny Lee, principal of forensic, investigative and dispute services at Grant Thornton (www.grantthornton.com), an independent audit, tax and advisory firm based in Chicago, says it is no longer a matter of if you will be compromised, but rather when you will be compromised.
“The nature of attacks are so sophisticated and commoditized that it will happen,” he warns. “The question is, how resilient are you to recover from it.”
The key to data breach recovery is preparing a plan of action before the breach occurs, and PCI standards actually require some type of response plan. This can help operators move quickly when notified of a breach and avoid mistakes affecting both the bottom line and the brand’s reputation, according to Reg Harnish, CEO of Grey Castle Security (www.greycastlesecurity.com) who consults with companies to build a response plan.
“Statistics show and data proves the more prepared you are, the less impactful an incident is on the merchant, and the less time it takes to resume normal business operations,” he explains.
Harnish advises that proactive planning can often pay dividends in the end. One consideration is consulting a lawyer to put a plan together and establish a relationship before legal advice is needed if a breach should occur. A lawyer should be one of the first calls made by the operator because a knowledgeable attorney can help comb through the laws around forensic audit results and data breach notification, as 47 states have different requirements.
“The smartest thing to do is to have a lawyer draft and go over an incidence response plan and then hope that it never has to be used,” notes Charles Hoff, a hospitality industry attorney at Atlanta-based Hoff Hospitality (www.hoffhospitality.com).
Should the Worst Happen: Immediate Action Steps
The majority of companies are made aware of a breach on their network by their credit card processor, their banks or even the government. By the time they are notified of the breach, it could be months or even years after the initial breach occurred.
“We have a lot of people say the secret service showed up with a hard drive of my customer transactions, or my bank told me I was compromised, and they generally find out long after the intrusion occurred,” Harnish says.
According to Verizon, more than 50 percent of data breaches remain undiscovered for months. Because breaches can often go undetected, responses must be swift and purposeful in order to regain customer trust. Following are three steps to incorporate into an effective breach response strategy.
1. Protect the Area
When a data breach occurs, companies should take steps similar to the way police rope off a crime scene to protect evidence.
“Try to do the same thing with the computer or data you think was compromised,” Harnish advises. “You can disconnect it from the Internet, but beyond that don’t do anything. Don’t run anything, like an anti-virus, or shut it down, or even move the mouse because it could get rid of evidence.”
Companies are usually required to do a forensic audit, and outside experts can be called in to uncover the source of the breach and gather evidence. The cost of this could be up to $10,000 per location, Hoff states. These investigators are looking for a number of clues, such as unauthorized login attempts, outbound traffic to a known bad IP address, encrypted zip files sent to the network overnight, brute force attempts for passwords on accounts, administrative logins at 2 a.m. or at an abnormal time.
“There are about 12 we look for, and they are called indicators of compromise,” Harnish notes. “As soon as possible, you want to get into the investigation piece and contain it. If hackers are still in it, we want to stop them and kick them out of the network.”
2. Consult Legal
This step could help a company manage the litigation risk, understand the laws regarding customer notification and more. During the forensic audit, an auditor is looking for infractions, and if there is in fact a data breach, what caused it. Many times infractions will be found that are not even related to the breach in question.
“As an attorney, I want to talk to the forensic auditor and be on the call when the report is finished and provided to the credit card processors so I can do whatever I can to make sure the client is not exploited,” Hoff says. “This is the point where penalties and fines are passed to the operator, and a knowledgeable attorney can be influential here.”
Also, there are 47 states that have data breach notification laws, requiring notice to customers about the breach and what a company is doing to remediate. This can be confusing, and a lawyer can help distill the information and demystify the process.
3. Notification
If a company doesn’t hear about the data breach from law enforcement or their merchant processor, it must notify both of them immediately. After the breach has been investigated and the evidence uncovered, the company must enact a plan to notify customers and the public if necessary.
“It’s about crisis management and what you are going to say to the public, if anything. What script you will read, who will author it — and this must be very well managed,” Lee explains. “If you look at some of the more sizable retail breaches, you see those with a well-managed process come and go within a month or so in the news and those who stay in the news for months because of contradicting press releases, etc.”
As mentioned before, 47 states have their own legal requirements when it comes to customer notification, and because hotels and restaurants often have customers who live in a variety of states, notifying customers across those locations can prove difficult.
“They have to report in all states of residency, not where the hotel or restaurant is located, and operators need to know the legal requirements for each state,” Harnish says. “A company can blow it in terms of their reputation on what they do and don’t communicate to customers. Target’s breach initially reported only six million customers affected, and ultimately it ended up being 60 million. This can compound reputational damage.”
A lawyer can be very helpful with this process as they can provide templates ahead of time for hotels or restaurants that can then be immediately sent out to customers, Harnish adds.
Offering to provide a credit monitoring service to customers possibly affected by a breach is another helpful tool for hospitality companies to help in damage control. A company such as AllClear ID (www.allclearid.com) offers this type of service, and Hoff explains that it can help from a “goodwill standpoint to show that a company cares and they want to preserve their reputation.” HT