BreachExchange mailing list archives

Data Breaches Are Heaviest at Hotels


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Thu, 18 Mar 2010 01:38:20 -0400

http://online.wsj.com/article/SB10001424052748704743404575127674094249164.html

Hackers are now stealing credit-card data from hotels more often than
any other industry, according to data-security companies.

In a recent report, SpiderLabs, a unit of data-security firm
Trustwave, said 38% of its data-breach investigations in 2009 occurred
at hotels. Financial services accounted for 19% of the company's
data-breach investigations. Once an attack occurred, it took an
average of 156 days for the business to realize it, according to the
report. The problem has continued into 2010, says Nicholas Percoco,
senior vice president of Trustwave and head of SpiderLabs.

Verizon Business, another data-security firm, noticed a similar
increase in attacks on hotels starting around last April, says Dave
Ostertag, manager of investigative response at Verizon Business, a
unit of Verizon Communications Inc.

Hackers "find a weakness, flaw or common problem in an industry or
organization. Once they find that, they want to replicate it as many
times as they can," says Mr. Percoco.

The most common weakness at hotels is the security surrounding
point-of-sale software—the software hotels use to process credit-card
transactions. For example, often the systems are maintained remotely
by an outsourced information-technology company. To maintain the
computer system, the IT firm employees must sign in remotely. When
remote access user names and passwords are left blank or not changed
from their default setting, hackers can find those usernames and
passwords to gain access to the system to steal credit-card
information.

Last August, Radisson Hotels & Resorts said the computers at some of
its Radisson hotels in the U.S. and Canada were hacked between
November of 2008 and May of 2009. After announcing two credit-card
breaches in recent years, Wyndham Hotels & Resorts LLC recently
announced 37 of its Wyndham Hotels and Resorts branded properties
experienced credit-card data breaches between October 2009 and January
2010.

There is little customers can do to protect themselves besides
checking their credit-card statements carefully.

[..]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
