Hotel Breach Sparks Call for Data Standards
NAFCU and cybersecurity experts reacted to news of a data breach at properties operated by HEI Hotels & Resorts that may have disclosed credit card payment data from about 8,000 transactions.
HEI Hotels and Resorts reported the breach affected 20 hotels, including 12 Starwood hotels, six Marriott International properties, one Hyatt hotel and one InterContinental hotel. HEI posted a full list online. HEI indicated on its website that the malware was active from March 1, 2015 to June 21, 2016, with 14 of the hotels affected after Dec. 2, 2015.
HEI apologized for the incident, stating, “Unfortunately, like many other organizations, we recently became aware that several of our properties may have been the victim of a security incident that could have affected the payment card information of certain individuals who used payment cards at point-of-sale terminals, such as food and beverage outlets, at some of our properties. We take very seriously our responsibility to keep our customers’ information secure, and have mounted a thorough response to investigate and resolve this incident, bolster our data security, and support our customers.”
The breach followed similar attacks at Hyatt Hotels and Starwood Hotels & Resorts, and other hotel chains, over the past few years.
HEI said outside experts investigated the breach and determined that hackers might have stolen customer names, account numbers, payment card expiration dates and verification codes. The hackers did not appear to have gained PIN codes, since those are not collected.
NAFCU President and CEO Dan Berger issued the following statement regarding the data breach:
“These hotel data breaches, many of which are repeat offenses, as well as the latest data breach to Oracle’s point-of-sale systems, affirm the urgency with which Congress needs to pass strong national data security standards for retailers, such as the Data Security Act of 2015 (H.R. 2205/S.961),” Berger said. “Cybercriminals’ attacks are growing more pernicious and continue to take advantage of the vulnerabilities in retailers’ payments systems to seize consumers’ sensitive personal financial information.”
Many cybersecurity experts agree about the need for more protection.
“Another day, another major hotel chain being breached by what is suspected to be malware on the POS system; hospitality companies must understand that they are in a digital war with cybercriminals that are after payment card data,” John Christly, CISO at Fort Lauderdale, Fla.-based Netsurion, said. “Any business, regardless of size or vertical specialty, that processes payment data or offers free Wi-Fi to guests, is a lucrative breach target.”
Christly explained that large chains like HEI have bull’s-eyes on their backs, enticing hackers with large quantities of valuable information such as credit card data for patrons, sensitive employee data for staff, and sometimes even medical data used by in-house care facilities. “New defensive approaches, advanced cybersecurity tools and increased cyber intelligence need to be deployed.”
J. Paul Haynes, CEO of Cambridge, Ontario, Canada-based eSentire, said, “In breach cases like these, sadly the situation often gets worse before it gets better, as narrowing down impacted customers can be an arduous task.” Haynes added that personally identifiable information, like names, credit card, and account information, is lucrative and can live on the black market for some time. “Leveraging early detection and containment technology or services can make the difference between a micro incident versus a major breach event like this.”
Stu Sjouwerman, founder and CEO of Tampa Bay, Fla.-based KnowBe4, said this type of breach shows many retailers have not put the infrastructure in place to protect against this. “This is nothing different from earlier breaches like Home Depot and Target from a few years ago. HEI should have learned their lesson from these other high profile breaches.”
“What should be done is defense-in-depth. It looks at your IT infrastructure security in layers, the outer layer being policy, procedure and awareness,” Sjouwerman explained. In this way, the organization determines the correct procedures and the type of training employees need. “The human layer — human firewall if you will — is a layer that is essential as that is how the bad guys are getting in.”