BreachExchange mailing list archives

Hotel Lawyer: The Growing Problem of Security Breaches with Sensitive Customer Information


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 16 Jan 2014 18:06:34 -0700

http://www.hotelnewsresource.com/article75893.html

The Target and Neiman Marcus problem. The massive security breach of
Target's customer data may affect more than 110 million Americans --
potentially about 1 in 3 persons living in the United States. Followed in
quick succession by another 40 million customers of Neiman Marcus (and more
disclosures expected soon from other retailers), it is time for us in the
hotel industry to look at our own policies and procedures, and to think
about how we should respond to these malicious attacks.

Hoteliers beware. Hotels are obvious targets for identity and financial
theft for many reasons. Hotels transact business through credit cards, and
those credit cards are kept on file and can be accessed multiple times
during a guest's stay. The possibility that a credit card charge will be
recorded occurs with each night's room charge, room service, bar or
restaurant bill, spa charge, and so on. Every charge is another opportunity
for an identity thief to access the information using sophisticated
computer hacks and other malicious software, generally without the hotel's
knowledge.

The need to respond to guest demands is another source of insecurity. The
Identity Theft Resource Center noted, "The ability to connect to the
Internet is an integral part of many individuals' daily lives. This has led
to the increased demand for public WiFi." As a result, hotels find
themselves compelled to offer wireless internet, and that service is almost
always unsecured. But an unsecured wireless network is "just as dangerous
as leaving files of your most important personal documents on a street curb
for all to see. Hackers can easily get into an unsecured wireless network
and get financial information, business records or sensitive e-mails." (PC
World, "Got Wireless Security"). At the same time, hotels have little say
in the matter: guests demand wireless internet service.

Finally, hotels have employees -- lots of employees -- and many of them
have access to the credit card and other personal information of guests. No
matter how well trained and supervised, more personnel correlates to
greater risk. The fact that low-level employees typically have access to
key guest information, and that there is, historically, a high turnover in
hotel employees, exacerbates the problem.

What happened to Target? While investigations are continuing, sources have
reported that investigators believe the attackers used similar techniques
and pieces of malicious software to steal data from several retailers. One
of the pieces of malware is a RAM scraper, or memory-parsing software, which
allows cyber criminals to grab data that is otherwise encrypted by
capturing it as it passes through the live memory of a computer, where it
appears in plain text, the sources said. While the technology has been
around for many years, its use has increased in recent years as retailers
have improved their security, making it more difficult for hackers to
obtain credit card data using other approaches.

The lesson? Even as merchants become more vigilant and focus on the
security of their systems, criminals have become more sophisticated and are
investing more time and effort in crafting their own systems.

What should I do? The fact that Target, and others, have been victimized
might not seem, at first, to impact other businesses. Securing guest and
corporate information is a key task, and the steps necessary to implement a
secure environment are unique to each organization. However, there are some
general considerations that all firms should be aware of that are essential
to securing information:

- Inventory and Identify Information. Hotel operators should inventory
potentially sensitive information and document on which computers, servers
and laptops it is stored.
- Restrict Access and Collection of Data. Operators and owners should keep
sensitive information on the fewest number of computers or servers, and be
sure to segregate it -- the fewer copies of data you have, the easier it is
to protect.
- Use Technology. Hotels should use encryption and similar protections when
storing credit card information and other sensitive data, and secure
connections when receiving or transmitting it.
- Design and Implement Effective Policies and Procedures. Firms should
design, institute and follow an effective privacy policy, including
policies for using social media, and should be careful not to overstate the
effectiveness of their measures. Remember - no system is completely safe.
- Passwords and Access. For internal communications and information,
protect sensitive data with strong passwords and change passwords on a
regular basis.
- Deal with Vendors. Many, if not most, computer systems and services are
handled by vendors, so check their security practices. Hotels should
review their agreements with vendors to ensure that the vendors implement
best practices, that they are responsible for the security of the
information they handle, and that they work with and at the direction of
the client in case of a breach.
- Review your Insurance. Cybersecurity insurance has gone through
tremendous changes in just the past year; review your policies to ensure
that they are effective and provide meaningful coverage.

Most of all, hotel companies need to make a commitment to secure the
sensitive information of their companies and their guests, and to seek out
informed consultants and advisors. Information security is a relatively new
and rapidly changing area, and requires specialized knowledge; the
investment today can protect a hotel from being front page news -- for the
wrong reasons -- later.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 