Is Hotel Cyber Security Sleeping on the Job?
By Arie Fred, VP of Product, SecBI
When we think of burglars breaking into a house, our minds conjure up images of criminals in knitted hats grabbing the goods and running out of the house, never returning to the scene of the crime.
On the other hand, cyber criminals might not ever leave. They’ll spend time in a network assessing the virtual property, so that they can attack at the right time, and maybe never flee, if they remain undetected.
While the hospitality industry is not the only field targeted by cyber criminals, it has been among the favored targets over the past few years, and the battle’s not over.
Cyber criminals and hotels: more than a one-night stand
The hospitality industry represents a lucrative target for hackers’ cyberattacks: hotels, restaurants and casinos are attractive to cyber criminals as they often handle huge numbers of financial transactions containing valuable customer data. In contrast to banks and insurance companies that handle similar data, hotels and restaurants are not bound by regulations to uphold the highest security standards, nor do they enjoy extensive resources to build the optimal cyber defenses. Therefore, it is not surprising that the hospitality sector ranks highly in the “Data Breach” list.
Cyber attacks hitting hospitality operations such as hotels, restaurants and casinos are not new. In the past few years, these enterprises suffered enormous attacks including phishing attacks, hacktivism, malware, and identity theft, to name a few:
2016: Kimpton Hotels and Restaurants
Type of Cyber Attack: Malware (Point of Sale)
Part of the Intercontinental Hotels Group (IHG), Kimpton hotel and restaurant guests may have had their credit card information compromised. Kimpton Hotels stated that their payment terminals had been infected with malware. The company found and removed the malicious software that stole credit and debit card details.
2017: 1,200 hotels of the InterContinental Hotel Group
Type of Cyber Attack: Remote installation of malware on point-of-sale software
Global hotel chain InterContinental Hotels Group Plc (IHG.L) said 1,200 of its franchised hotels in the United States, including Holiday Inn and Crowne Plaza, were victims of a three-month cyber attack that sought to steal customer payment card data. An outside cyber team discovered that attackers were able to install malware on the servers that the hotels’ payment card processing systems relied upon, which in turn slurped up information contained in credit card tracks such as cardholder names, card numbers, and internal verification codes — all of which could be used to clone cards and make fraudulent payments.
2018: Marriott International Hotel Chain
Type of Cyber Attack: Eavesdropping/Identity Theft
The Marriott International Hotel chain experienced a huge security breach when sensitive data of approximately 500 million hotel guests worldwide was exposed. This compromised information included details regarding credit cards, passports and birthdays. At the time, it was one of the largest data breaches reported in the media. Unique to this story was the length of time that the cyber criminals were lingering (allegedly four years). Analysts have attributed one of the vulnerabilities in this case to the weakness regarding the merging of the Starwood reservation system with that of the Marriott chain.
2019: RevengeHotels and ProCC campaign
Type of Cyber Attack: Malware/Phishing/Social Engineering
As the decade came to a close, more than twenty hotels had fallen victim to a targeted cybercrime malware campaign against the hospitality industry, named RevengeHotels by the global security company Kaspersky. Although most of the affected businesses are in Brazil, other countries have also been targeted by the cyber criminal group. The objective of the campaign is to get hold of credit card credentials stored in hotel systems, in addition to payment card data from booking agencies (OTAs) such as Booking.com. ProCC is a similar group that uses a more sophisticated method of infiltration. The methods include highly customized phishing campaigns that use detailed emails and cyber/typo squatting to impersonate legitimate businesses.
Lessons learned from hospitality cyber attacks
As we can learn from the incidents described above, most cyber attacks against this industry follow a similar pattern: Delivery via email (usually using a weaponized document), infection, stealthy operation and exfiltration of sensitive data over time (and hopefully…eventually — detection).
These APT-like methods of operation (MOs) could be countered by utilizing a proactive approach and dedicated technology such as SecBI’s Autonomous Investigation™ technology.
The Marriott Hotel breach took years to detect: What if machine algorithms had analyzed and alerted on years of log data? The hotel chain may have been alerted to unusual access activity, even before the Starwood merger. Using automated investigation tools, organizations could determine if the source of the attacks was internal or external. Detecting suspicious links that are hard to spot with human intervention would have prevented the malware in the Kimpton hotel cases. Smaller hospitality businesses with limited human resources must invest in highly automated artificial intelligence and machine learning solutions that can imitate expert analysts and work around the clock to limit unauthorized remote access, improve network protection and prevent infiltration of IoT devices and systems.
And then, of course, there remains the question of regulations… Given the massive level of financial transactions and their vulnerabilities due to the myriad of travel and hospitality websites, perhaps it’s time for this industry to be regulated to the same extent as the financial industry?