NAFCU and cybersecurity experts reacted to news of a data breach at properties operated by HEI Hotels & Resorts that may have disclosed credit card payment data from about 8,000 transactions.


HEI Hotels and Resorts reported the breach affected 20 hotels, including 12 Starwood hotels, six Marriott International properties, one Hyatt hotel and one InterContinental hotel. HEI posted a full list online. HEI indicated on its website that the malware was active from March 1, 2015 to June 21, 2016, with 14 of the hotels affected after Dec. 2, 2015.


HEI apologized for the incident, stating, “Unfortunately, like many other organizations, we recently became aware that several of our properties may have been the victim of a security incident that could have affected the payment card information of certain individuals who used payment cards at point-of-sale terminals, such as food and beverage outlets, at some of our properties. We take very seriously our responsibility to keep our customers' information secure, and have mounted a thorough response to investigate and resolve this incident, bolster our data security, and support our customers.”


The breach followed similar attacks at Hyatt Hotels and Starwood Hotels & Resorts, and other hotel chains, over the past few years.


HEI said outside experts investigated the breach and determined that hackers might have stolen customer names, account numbers, payment card expiration dates and verification codes. The hackers did not appear to have gained PIN codes, since those are not collected.


NAFCU President and CEO Dan Berger issued the following statement regarding the data breach:


“These hotel data breaches, many of which are repeat offenses, as well as the latest data breach to Oracle's point-of-sale systems, affirm the urgency with which Congress needs to pass strong national data security standards for retailers, such as the Data Security Act of 2015 (H.R. 2205/S.961),” Berger said. “Cybercriminals' attacks are growing more pernicious and continue to take advantage of the vulnerabilities in retailers' payments systems to seize consumers' sensitive personal financial information.”


Many cybersecurity experts agree about the need for more protection.


“Another day, another major hotel chain being breached by what is suspected to be malware on the POS system; hospitality companies must understand that they are in a digital war with cybercriminals that are after payment card data,” John Christly, CISO at Fort Lauderdale, Fla.-based Netsurion, said. “Any business, regardless of size or vertical specialty, that processes payment data or offers free Wi-Fi to guests, is a lucrative breach target.”


Christly explained that large chains like HEI have bull's-eyes on their backs, enticing hackers with large quantities of valuable information such as credit card data for patrons, sensitive employee data for staff, and sometimes even medical data used by in-house care facilities. “New defensive approaches, advanced cybersecurity tools and increased cyber intelligence need to be deployed.”


J. Paul Haynes, CEO of Cambridge, Ontario, Canada-based eSentire, said, “In breach cases like these, sadly the situation often gets worse before it gets better, as narrowing down impacted customers can be an arduous task.” Haynes added that personally identifiable information, like names, credit card, and account information, is lucrative and can live on the black market for some time. “Leveraging early detection and containment technology or services can make the difference between a micro incident versus a major breach event like this.”


Stu Sjouwerman, founder and CEO of Tampa Bay, Fla.-based KnowBe4, said this type of breach shows many retailers have not put the infrastructure in place to protect against this. “This is nothing different from earlier breaches like Home Depot and Target from a few years ago. HEI should have learned their lesson from these other high profile breaches,”


“What should be done is defense-in-depth. It looks at your IT infrastructure security in layers, the outer layer being policy, procedure and awareness,” Sjouwerman explained. In this way, the organization determines the correct procedures and the type of training employees need. “The human layer — human firewall if you will — is a layer that is essential as that is how the bad guys are getting in.”
