To streamline operations, improve service and remain competitive, many hotels use computers to handle numerous tasks, including payment transactions, accounting, guest booking, and key-card access to rooms. Computers are also utilized to automate many functions from turning on and off lights to controlling temperatures and so on.
While automation facilitates hotel operations and often makes a better stay for guests, it also opens hotels to digital threats perpetrated by malicious actors. Consequently, hotel operators should be aware of the types of cyber attacks, which can significantly hurt their brand reputation and bottom line, not to mention the safety and welfare of employees and guests.
Beyond disrupting a hotel's own network, an attack can stop guests from using the facilities they paid for. In January, for example, ransomware hit a luxury Austrian hotel's computer-controlled key-card system. Early reports said 180 guests were locked out of their rooms; the hotel later clarified that existing cards kept working but no new cards could be issued until managers paid the ransom, which was modest. Either way, the incident caused a major disruption to the hotel and its high-paying guests.
Ransomware can also disable or degrade a hotel's computer-driven building systems, such as air conditioning and lighting, putting guests' comfort and, worse yet, their safety at risk. Booking systems are a particularly attractive ransomware target because they hold data belonging to the hotel, to third-party applications and to guests, so an outage or the threat of a leak puts real pressure on the operator to pay.
Beyond this, many hotel chains rely on a centralized or outside service to handle IT problems, so individual properties may be ill-equipped to quickly identify and respond to a ransomware incident.
According to the FBI, ransomware attacks quadrupled to roughly 4,000 per day last year from about 1,000 per day in 2015.
There is a common thread among hotel breaches: the kind of POS system in use. Hotels typically run integrated POS environments, in which card data passes through general-purpose property computers and the applications on them, rather than modern hardened payment terminals that capture and encrypt the card data at the swipe or dip. Hotel systems then send that data to the back office instead of straight to the payment processor. Every extra hop where the card number exists in clear text is a place where memory-scraping malware or a compromised account can capture it.
In addition, there are large volumes of payment card transactions between restaurants, on-site shops, spas, parking, and the front-desk, ensuring there is plenty of customer data for a hacker to compromise.
Hotel brands and franchisees need to be ever more vigilant as attacks against all types of organizations are on the rise. The number of cybersecurity incidents worldwide increased 38 percent in 2015 from 2014, according to the Global State of Information Security Survey 2016 by PwC, CIO, and CSO.
Hotels are especially exposed to ransomware, a type of malware that blocks access to a system until a ransom is paid, because the integrated POS workstations and back-office servers that carry payment data are ordinary computers: if they are encrypted, the front desk, restaurants and shops cannot take payment. Routing card data through the back office rather than straight to the processor widens that footprint, and every further function a hotel automates on the same network, from door locks to climate control, is one more system an attacker can hold hostage.
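The weakness described in the two POS passages above is that card data exists in clear text on ordinary hotel computers, which is exactly what memory-scraping POS malware looks for. The following is an added example, not code from the original article: a small scanner that finds track-2 records and Luhn-valid card numbers in a byte buffer, run over two constructed samples, a slice of memory from an integrated POS process and the output of a point-to-point-encryption (P2PE) terminal. The same scan is what a defender would run against process memory or log files to find out where clear-text card data lives. The dump contents, host names and test card numbers are all constructed.

```python
import re
from typing import Dict, List

# Track 2 as it sits in clear text in an integrated POS process (ISO/IEC 7813):
#   ;<PAN>=<YYMM expiry><3-digit service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# A bare PAN (13-19 digits) as it may appear in a log line or settlement batch.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check: every issued PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the first six and last four digits, the form PCI DSS allows on display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes) -> List[Dict]:
    """Report every Luhn-valid PAN or track-2 record found in a byte buffer."""
    hits: List[Dict] = []
    covered = []  # byte ranges already reported as track 2
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"kind": "track2", "offset": m.start(),
                         "pan": mask(pan), "expiry": m.group(2).decode()})
            covered.append((m.start(), m.end()))
    for m in PAN_RE.finditer(buf):
        if any(s <= m.start() < e for s, e in covered):
            continue  # the PAN inside a track-2 record was already reported
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"kind": "pan", "offset": m.start(), "pan": mask(pan)})
    return hits


# Constructed sample: a slice of memory from an integrated POS process that
# handled a swipe and wrote a log line. PANs are the usual test numbers.
CLEARTEXT_POS_DUMP = (
    b"\x00\x00pos.exe\x00 tender=CREDIT amt=184.50 "
    b";4111111111111111=25121011234567890? "      # track 2 of the swiped card
    b"\x00\x00 room=412 folio=90210 "
    b"last_auth_pan=5555555555554444 "            # bare PAN logged by the app
    b"batch_ref=4111111111111112 "                # fails Luhn: not a card number
    b"order_no=12345678901234567890 \x00"         # 20 digits: too long for a PAN
)

# Constructed sample: the same transaction as a P2PE terminal emits it. Only a
# key serial number and ciphertext leave the device, so there is nothing to scrape.
P2PE_TERMINAL_DUMP = (
    b"KSN=FFFF9876543210E00001 "
    b"DATA=9b2c4e7a1d3f5b8c0e2a4c6e8f1b3d5a7c9e0f2b4d6f8a1c3e5b7d9f"
)


def scan_integrated_pos() -> List[Dict]:
    return scan_buffer(CLEARTEXT_POS_DUMP)


def scan_p2pe_terminal() -> List[Dict]:
    return scan_buffer(P2PE_TERMINAL_DUMP)


if __name__ == "__main__":
    for hit in scan_integrated_pos():
        print("integrated POS:", hit)
    print("P2PE terminal:", scan_p2pe_terminal())
```

Running it reports the track-2 record and the logged PAN from the integrated POS memory, masked to first six and last four, and nothing from the P2PE output. The Luhn check is what keeps folio numbers and batch references out of the results; it is the same filter the malware applies, which is why the only durable fix is to keep the clear-text PAN off these machines altogether.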
Hackers can break into hotels’ payment systems through a remote access point belonging to one of its vendors, so they should closely monitor third-party access to their networks. Their IT security teams should also be in control of vendor access to enforce access control policies and watch all third-party activity.
One of the largest data breaches in history ran through a third-party vendor: attackers used credentials belonging to an HVAC contractor to get onto a mega-retailer's network and stole roughly 40 million payment card numbers along with personal data on some 70 million customers.
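The two paragraphs above say to control and watch vendor access; in practice that means writing down what each third-party account is contracted to reach and checking every login against it. The following is an added example, not code from the original article: a per-vendor access policy (allowed source range, allowed hosts, maintenance window) applied to constructed VPN-gateway log lines. The log format, account names, host names, addresses and the assumption that the gateway logs in UTC are all mine; adapt the regular expression and policy table to the gateway actually in use.

```python
import ipaddress
import re
from datetime import datetime, time
from typing import List, Tuple

# Constructed gateway log format; real gateways differ, so adapt LOG_RE.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<gw>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) action=(?P<action>\S+)$"
)

# Assumed per-vendor policy: the only source range, hosts and maintenance
# window (UTC) the third-party account is contracted for.
VENDOR_POLICY = {
    "hvac-vendor": {
        "hosts": {"bms-01.ops.example"},
        "sources": [ipaddress.ip_network("203.0.113.0/24")],
        "window": (time(8, 0), time(18, 0)),
        "weekdays": {0, 1, 2, 3, 4},  # Monday..Friday
    },
}


def check_line(line: str) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs for one gateway log line."""
    m = LOG_RE.match(line)
    if not m:
        return [("?", f"unparsed line: {line}")]
    f = m.groupdict()
    if f["action"] != "connect":
        return []
    user = f["user"]
    policy = VENDOR_POLICY.get(user)
    if policy is None:
        # A third-party account nobody wrote a policy for is itself a finding.
        return [(user, "no vendor policy on file: unmanaged third-party account")]
    findings = []
    src = ipaddress.ip_address(f["src"])
    if not any(src in net for net in policy["sources"]):
        findings.append((user, f"source {src} outside contracted range"))
    if f["dst"] not in policy["hosts"]:
        findings.append((user, f"reached {f['dst']}, outside contracted scope"))
    ts = datetime.strptime(f["ts"], "%Y-%m-%dT%H:%M:%SZ")
    start, end = policy["window"]
    if ts.weekday() not in policy["weekdays"] or not (start <= ts.time() < end):
        findings.append((user, f"login at {f['ts']} outside maintenance window"))
    return findings


def audit(lines: List[str]) -> List[Tuple[str, str]]:
    alerts: List[Tuple[str, str]] = []
    for line in lines:
        alerts.extend(check_line(line))
    return alerts


# Constructed sample log. 2017-03-14 is a Tuesday, 2017-03-18 a Saturday.
SAMPLE_LOG = [
    "2017-03-14T10:02:11Z vpn-gw user=hvac-vendor src=203.0.113.40 dst=bms-01.ops.example action=connect",
    "2017-03-14T10:05:43Z vpn-gw user=hvac-vendor src=203.0.113.40 dst=pos-srv-01.pos.example action=connect",
    "2017-03-18T02:13:05Z vpn-gw user=hvac-vendor src=203.0.113.40 dst=bms-01.ops.example action=connect",
    "2017-03-14T11:20:00Z vpn-gw user=hvac-vendor src=198.51.100.7 dst=bms-01.ops.example action=connect",
    "2017-03-14T11:25:00Z vpn-gw user=contractor7 src=203.0.113.9 dst=pos-srv-01.pos.example action=connect",
    "2017-03-14T11:40:00Z vpn-gw user=hvac-vendor src=203.0.113.40 dst=bms-01.ops.example action=disconnect",
]


def audit_sample() -> List[Tuple[str, str]]:
    return audit(SAMPLE_LOG)


if __name__ == "__main__":
    for account, finding in audit_sample():
        print(f"{account}: {finding}")
```

The first line is the HVAC vendor doing exactly what it is contracted for and produces nothing. The other four each trip one rule: a hop from the building-management host to a POS server (the retailer breach pattern), an off-hours login, a login from an address outside the vendor's range, and an account with no policy at all. Feeding these findings into the SIEM recommended later on the page turns a contractual access policy into something that actually fires.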
Guests have been duped into entering their credit-card and other personal information on fake websites posing as a legitimate booking site. Hoteliers, likewise, have been tricked into sending their monthly fees to falsely branded web pages.
Consumers and hotel employees alike should confirm that a site is the genuine one, checking the domain name and the TLS certificate, before handing over payment details or credentials.
Hotels are also exposed to distributed denial of service, or DDoS, attacks, in which an entire chain's website or booking system is knocked offline by floods of traffic from many sources. A hotel's wide array of network-connected devices, from closed-circuit TV cameras to sprinkler controllers, matters on both sides: poorly secured devices can be recruited into the botnets that launch such floods, and the same devices, if reachable from the hotel network, can be flooded or disabled themselves.
Hackers can harvest personal information from guests on hotel Wi-Fi through a "man-in-the-middle" attack: they set up a rogue access point that imitates the legitimate hotel network's name and captive portal. Guests who connect to it route all their traffic through the attacker, who can then observe whatever is not protected by TLS, including logins to bank accounts, card numbers entered into websites and email.
The same position lets an attacker redirect users to what looks like a familiar website but is actually a fake copy that asks them to download a "security patch" or other critical update. Guests who comply unknowingly install malware that gives the attacker further access to their laptops, phones or tablets.
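The rogue access point described above is detectable from the hotel's side, because the property knows which access points it owns. The following is an added example, not code from the original article: a check that compares a list of observed access points (as a wireless scan or a WIDS sensor would report them) against an inventory of the hotel's own SSIDs and BSSIDs, flagging the hotel's SSID from an unknown radio, a known BSSID advertising the wrong security, and lookalike network names. The inventory, the scan results and the SSIDs are constructed.

```python
import re
from typing import Dict, List

# Assumed inventory of the property's own access points: each SSID, the
# BSSIDs it is legitimately advertised from, and its configured security.
REGISTERED_APS = {
    "Seaview-Guest": {"bssids": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"},
                      "security": "OPEN"},
    "Seaview-Staff": {"bssids": {"00:11:22:aa:bb:10"}, "security": "WPA2"},
}


def normalize(ssid: str) -> str:
    """Collapse case and punctuation so 'Seaview_Guest Free' compares to 'seaviewguest'."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def find_rogue_aps(scan: List[Dict]) -> List[Dict]:
    """Return the scan entries that look like evil twins or lookalikes of our SSIDs."""
    findings = []
    registered_norm = {normalize(s): s for s in REGISTERED_APS}
    for ap in scan:
        ssid, bssid = ap["ssid"], ap["bssid"].lower()
        if ssid in REGISTERED_APS:
            known = REGISTERED_APS[ssid]
            if bssid not in known["bssids"]:
                findings.append({**ap, "reason": "evil twin: our SSID from an unknown BSSID"})
            elif ap["security"] != known["security"]:
                # Same BSSID as ours but different security: someone is spoofing our radio.
                findings.append({**ap, "reason": "security mismatch on a known BSSID"})
            continue
        n = normalize(ssid)
        for rn, real in registered_norm.items():
            if rn in n:
                findings.append({**ap, "reason": f"lookalike of {real}"})
                break
    return findings


# Constructed scan results as a sensor in the lobby might report them.
SAMPLE_SCAN = [
    {"ssid": "Seaview-Guest", "bssid": "00:11:22:aa:bb:01", "channel": 6, "security": "OPEN"},
    {"ssid": "Seaview-Guest", "bssid": "00:11:22:aa:bb:02", "channel": 11, "security": "OPEN"},
    {"ssid": "Seaview-Guest", "bssid": "de:ad:be:ef:00:01", "channel": 6, "security": "OPEN"},
    {"ssid": "Seaview_Guest_Free", "bssid": "de:ad:be:ef:00:02", "channel": 1, "security": "OPEN"},
    {"ssid": "Seaview-Staff", "bssid": "00:11:22:aa:bb:10", "channel": 36, "security": "OPEN"},
    {"ssid": "Seaview-Staff", "bssid": "00:11:22:aa:bb:10", "channel": 36, "security": "WPA2"},
    {"ssid": "CoffeeShop", "bssid": "66:77:88:99:aa:bb", "channel": 1, "security": "WPA2"},
]


def scan_sample() -> List[Dict]:
    return find_rogue_aps(SAMPLE_SCAN)


if __name__ == "__main__":
    for ap in scan_sample():
        print(f"{ap['ssid']} ({ap['bssid']}, ch {ap['channel']}): {ap['reason']}")
```

Three of the seven entries are flagged: the guest SSID from a radio the hotel does not own, the "free" lookalike, and a staff SSID whose BSSID matches ours but which is advertising an open network. The neighbouring coffee shop is ignored. An inventory check like this catches the attack at the access point; it does nothing for guests who connect anyway, which is why the page's advice that they rely on TLS and refuse unexpected "updates" still stands.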
Given the array of digital threats facing hotels, it is imperative that these organizations protect their networks from attack to prevent disruptions in service or, worse yet, jeopardize the safety of employees and guests. Statistics indicate that such incidents will become more frequent, so it is not a matter of if but when the next cyber attack will occur.
Fortunately, there are measures that hotel owners, operators, and employees can take to reduce the chance of falling victim to threat actors. Protections they should put in place include:
Hotels should adopt a managed security information and event management (SIEM) service for their remote properties so that attacks are flagged as they happen. They may also want it for the main network if they lack the expertise and resources to run a SIEM internally.
Hotels should train employees to not open suspicious emails or links inside them as they may contain malware. They should also be taught to not send emails to unrecognized email addresses or send sensitive information through unsecured emails, texts, or other communications.
Hotels should ensure they have reliable anti-virus and anti-malware software installed on their networks and all their devices, including laptops and smartphones, to deter breaches. The software should have behavioral detection to find new and more sophisticated threats.
The Payment Card Industry Security Standards Council (PCI SSC) maintains the Payment Card Industry Data Security Standard (PCI DSS), a set of requirements for any business that stores, processes or transmits cardholder data. Hotels should make sure they are compliant. Among other things, the standard requires encrypting card data sent over open networks, restricting who and what can reach it, and monitoring the systems that handle it. Non-compliance can mean heavy fines from acquirers and card brands on top of the data, revenue and customer trust lost in a breach.