Rampant hotel data theft

For the past several years, hotels have been hit hard by data thieves. Experts say that despite an increased awareness within the hospitality industry, data theft is still prevalent.

In the most recent incident, disclosed in late June, remote attackers installed a malicious program into the card processing system of Englewood, Colo.-based hotel chain Destination Hotels & Resorts. Guests at 21 Destination properties may have been subjected to credit card theft.

Cybercriminals last year targeted hotels more than any other industry for credit card theft, according to a recent report by data security company Trustwave. Hotels are being targeted because they have large amounts of credit card data and frequently neglect to implement the most basic security precautions, such as changing default passwords or ensuring programs are up to date, said Nicholas Percoco, senior vice president of Trustwave's SpiderLabs.

As a result, attackers commonly gain entry into a hotel's network by exploiting default passwords on point-of-sale (POS) applications, added Dave Ostertag, manager of investigative response at Verizon Business. From there, customized malware that steals credit card information as a transaction occurs is loaded onto the hotel's transaction server.

In March, the Westin Bonaventure Hotel & Suites in Los Angeles disclosed a possible data breach of its POS systems dating back to 2009. Also, between November 2008 and May 2009, the computer systems of some Radisson hotels in the United States and Canada were illegally accessed. And the computer systems of Wyndham Hotels & Resorts were accessed on two separate occasions by cybercriminals who stole customers' card numbers, expiration dates and other data.

Part of the problem is that many hotels are not compliant with the Payment Card Industry (PCI) Data Security Standards (DSS), said Gary Palgon, vice president of product management at encryption firm nuBridges. While retailers have faced increasing pressure over the past few years to get into compliance with the mandate, few from the hotel industry have been paying attention.

However, some members of the hospitality industry are working to deal with this problem, experts said. The Hotel Technology Next Generation (HTNG), a nonprofit hotel trade association, recently issued a security standard which defines how card data should securely flow between a hotel's various systems. Additionally, large, brand-name organizations are beginning to take data security seriously, experts said. But many others are lagging.

“We are still seeing cases on a weekly basis of hotels getting breached,” Percoco said.


Average number of days it took organizations to discover a breach after the initial attack.

Source: Trustwave Global Security Report 2010
