A series of cyber-attacks caused industry-wide concern last fall, when hackers infiltrated hotels’ POS systems using malware designed to remotely collect guests’ payment-card data.
Hilton Worldwide, Hyatt Hotels Corporation, Trump Hotel Collection, Starwood Hotels & Resorts, Mandarin Oriental and White Lodging Corporation were affected and issued warnings to guests to monitor their account statements. Between Hyatt, Starwood and Trump, more than 360 properties, including 13 in Canada, were affected by data breaches (Hilton did not reveal which properties were affected).
As Mark Nunnikhoven, VP of Cloud Research at Ottawa-based IT security company Trend Micro, explains, hotels are prime targets for these types of attacks. “The simplest reason for this is the people who pass through hotels,” he says. “There is a steady stream of new targets coming through the premises, and … these generally tend to be business travellers.” Business travellers make ideal targets because they tend to carry corporate/business credit cards, whose account numbers can be sold for twice the price of consumer cards, he adds.
Handling a breach can result in lengthy investigations involving third-party forensic experts and law enforcement. Containing and removing malware can also be tricky. “Over the last five years, malware has become very good at hiding itself and moving around within networks,” says Nunnikhoven. Cyber security breaches are not only difficult to clean up, but can negatively impact the company’s reputation and guests’ trust in the brand.
To help prevent and identify POS malware infections, it’s important to keep payment systems as isolated from the rest of the network as possible. Nunnikhoven also recommends mapping out and understanding the flow of payment network traffic so abnormalities, such as data going out to an odd destination, can be easily identified. “At the end of the day, you want to stop the attacker from infecting the system in the first place, but you want to be just as diligent in making sure that you’re [monitoring] outbound [traffic].” He adds: “The attacker needs to be able to get that information out [of the hotel’s network], otherwise it’s of no use to them.”
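The outbound-traffic check described above can be sketched in a few lines. This is an added example, not code from the article or from Trend Micro: it compares flow records from an isolated POS segment against the mapped payment flows and flags anything that leaves for an unmapped destination or in unusual volume. The subnet, addresses, ports, threshold and log format are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# All addresses, ports and thresholds below are constructed for illustration.
POS_SEGMENT = ipaddress.ip_network("10.20.30.0/24")  # assumed isolated POS VLAN
# The mapped "normal" payment flows: (destination, port) pairs terminals should use.
EXPECTED_FLOWS = {
    ("198.51.100.10", 443),  # payment processor gateway (placeholder)
    ("10.20.0.5", 8443),     # property-management server (placeholder)
}
MAX_BYTES_PER_DEST = 5_000_000  # assumed per-window ceiling for a mapped flow

# Constructed flow records, one per line: "src dst dst_port bytes_out"
SAMPLE_FLOWS = """\
10.20.30.11 198.51.100.10 443 18234
10.20.30.12 10.20.0.5 8443 9120
10.20.30.11 203.0.113.77 53 412
10.20.30.14 203.0.113.77 443 880412
10.20.40.9 203.0.113.77 443 1000
10.20.30.12 198.51.100.10 443 7400000
"""

def parse_flows(text):
    """Yield (src, dst, port, bytes_out) tuples, skipping malformed records."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, port, nbytes = parts
        yield src, dst, int(port), int(nbytes)

def find_abnormal_egress(text):
    """Return alerts for POS traffic that deviates from the mapped flows."""
    alerts = []
    totals = defaultdict(int)
    for src, dst, port, nbytes in parse_flows(text):
        if ipaddress.ip_address(src) not in POS_SEGMENT:
            continue  # only POS terminals are in scope here
        if (dst, port) not in EXPECTED_FLOWS:
            alerts.append(("unmapped-destination", src, dst, port))
            continue
        totals[(src, dst, port)] += nbytes
    # A mapped destination can still be abused, so check volume as well.
    for (src, dst, port), total in totals.items():
        if total > MAX_BYTES_PER_DEST:
            alerts.append(("unusual-volume", src, dst, port))
    return alerts

if __name__ == "__main__":
    for alert in find_abnormal_egress(SAMPLE_FLOWS):
        print(*alert)
```

In practice the flow records would come from firewall or NetFlow exports for the payment segment, and the expected-flow list would be built from the traffic mapping exercise itself.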
Volume 28, Number 2