Credit card fraud and identity theft should remain high on the hotel and lodging industry’s radar. Just ask Starwood Hotels & Resorts Worldwide (including their Westin, Sheraton and W Hotel brands), Hilton, Hyatt and the Trump Hotel Collection, all of which were victims of highly publicized, major breaches in the hospitality industry last year. In addition to airlines and banks, hotels maintain a rich database of personally identifiable and financial data on file.
In the breaches mentioned above, point-of-sale (POS) systems were attacked and malware launched to acquire cardholder names, credit card numbers and expiration dates. According to EventTracker, POS systems are a weak security point for many networks because they are constantly in use — and aren’t always patched, updated or protected from vulnerabilities as frequently as required. As a result, they can be exploited for the credit card data held on the POS terminals.
Furthermore, personal details for hotel guests are frequently stored in a variety of locations, including billing, facilities, restaurants, etc. so hackers have more widespread access to that information. Franchisees frequently have access to regional, national and global data systems from the world’s best known brands. So breaches can affect all or many of the individual franchisees, as well as corporate systems if even one system is breached. In addition, hotels are made even more vulnerable thanks to POS system provider breaches, like the recent one at Oracle that affected 330,000 merchants.
Reputational damage and revenue loss from a breach headline not only impact individual edge locations, but the corporate brand as well. Recent major breaches at Fortune 500 companies and household names across the retail, restaurant and hotel sectors demonstrate that anti-virus, anti-malware and firewalls alone are not enough to secure businesses from the ever-evolving threat landscape. Clearly, more needs to be done to secure each and every location under a brand umbrella.
Phishing remains a particularly popular tactic used by hackers everywhere, including those that are targeting the hotel industry to trick both prospective guests, who give up credit card and personal details, and insiders, who then give up valuable login credentials. Smaller hotels should be concerned not just about their security posture to meet compliance requirements (PCI), but also by ransomware, an increasingly favored tactic to extort hoteliers by hackers who encrypt, rather than steal, the hotel’s data, making it unusable and inaccessible until a ransom is paid.
Hotels need a ‘toolbelt’ of various security technologies that can be used to prevent malicious attacks. A managed firewall is essential, blocking dangerous traffic from coming onto the network and preventing sensitive data from being exfiltrated, or sent, to the hackers. File Integrity Monitoring (FIM), Unified Threat Management (UTM), and Security Information and Event Management (SIEM) should also be considered. FIM is a process that validates the integrity of an operating system, or any software, by constantly monitoring the current state of the file and comparing it with a baseline file that hasn’t been compromised. UTM, on the other hand, is a process in which a live administrator can monitor and manage security-related infrastructure through a single dashboard.
SIEM is a key technology in a company’s security stack that should be considered an essential, but is often difficult for smaller hotels or branch locations to manage effectively. Summed up, it is responsible for ingesting the logs generated by all the systems and devices in the infrastructure, and then sorting through them. Anything from a firewall, to a server, to a POS system that creates log data is analyzed by the SIEM. The log data is fed into the SIEM and then evaluated against a previously created ruleset in order to determine if there any anomalies – unusual activity that can indicate an attack – and then generates red flags for those that need to be brought to the IT staff’s attention. The SIEM can prioritize these anomalies, categorize them, and finally generate alerts for the future based on their findings.
It can be difficult and expensive to hire and retain an IT security team that has the bandwidth and capability needed to monitor and analyze the alerts and reports produced by SIEM technology. Further complicating this task is that teams must be able to recognize the real threats from the data and know the appropriate remediation steps required to mitigate them. The failure of organizations to achieve the desired outcome of a SIEM system due to the lack of qualified analysts is widespread, leading some industry analysts to name SIEM as the technology most likely to become “shelfware.”
One way to implement these advanced toolsets includes outsourcing to a managed security firm specializing in this type of service — which includes expert threat researchers that constantly look for new activity that could point to a hacker trying to steal data from your systems. If used correctly, hotels could see anomalies that could lead to breaches prior to any damage being done — allowing them to halt hackers in their tracks.