Hotels, the bad guys have their beady eyes on you.
“The more credit cards you have, the more interesting you are to someone,” says Suzanne Widup, senior analyst with Verizon’s RISK team. “You have data that they want.”
The hotel industry has a big target on its back, agrees Chris Pogue, director at Trustwave, an information security technology and services company, specifically because property management systems, food and beverage, and retail all reside under one roof, and a central integration server consolidates all of this customer data.
Coupled with the glut of info in a single place is the fact that hotel staffers don’t generally double as cybersecurity experts, Pogue says. “If it’s not a focus, it becomes an afterthought.”
The topic of hotel data security became top of mind for many people earlier this year when officials at White Lodging Services Corp., an independent hotel management company, announced the breach of point-of-sale (POS) systems at food and beverage outlets at 14 properties across the country. The unlawfully accessed data may have included names printed on customers’ credit or debit cards, credit or debit card numbers, security codes, and card expiration dates.
White Lodging isn’t alone in suffering such a breach; in fact, POS intrusion is the largest risk for the hotel industry. Verizon’s 2014 Data Breach Investigations Report found that 75 percent of the approximately 200 security incidents involving the accommodation industry in 2013 were POS attacks from external parties (often criminals from Eastern Europe), Widup says. By comparison, insider misuse accounted for only 8 percent of 2013 security incidents.
For data breaches of all kinds, properties should make the creation of an incident response plan a top priority, Pogue urges. “I can say without hesitation and reservation that the impact to an organization that has an incident response plan in place is exponentially smaller than the impact to an organization that doesn’t.”
As part of the plan, properties should be aware of laws pertaining to data breach disclosure, educate staff on protocols, contact law enforcement to see who would have jurisdiction in the case of a breach, and put outside data monitoring and incident response teams on retainer, he says.
Another plus to putting a plan in place ahead of time is that a property can get bids from multiple companies and negotiate a contract to get the best price on data monitoring, Widup notes. “This way you’re not in panic mode.”
Unfortunately, even if properties have such services, cybercriminals have the upper hand, according to the Verizon report, which compares time to compromise vs. time to discovery. “Attackers are getting better/faster at what they do at a higher rate than defenders are improving their trade,” the report states.
To stem the tide, Pogue says properties must continue to stay proactive. “There are only three types of organizations: those that have been breached, those that are being breached and don’t know it, and those that are about to be breached,” he says. “It’s coming. Don’t put your head in the sand. Assume and prepare for the worst, and then hope for the best.”