BreachExchange mailing list archives

The anatomy and consequences of a hotel data breach


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 21 Aug 2014 17:18:30 -0600

http://www.hotelmanagement.net/operations-management/the-anatomy-and-consequences-of-a-hotel-data-breach-28653

Data breach incidents have dominated the news in 2014, and they are only
becoming more frequent and damaging. Security industry experts say that 78
percent of all companies and organizations in the U.S. suffered a data loss
within the past two years.

Unfortunately, hotels are frequent targets for data thieves. Several
factors are to blame: (1) hotels do a large amount of business through
payment cards, a favored type of identity theft crime among cyber
criminals; (2) hotels frequently tie their computer systems together with
the computer systems of others; and (3) hotels have high employee turnover
and poor employee training in security practices.

Arguably the most notorious hotel data breach incidents happened to Wyndham
Worldwide. In April 2008, hackers gained access to Wyndham’s computer
system through a single computer in one of its franchised hotels. This
computer’s link to Wyndham’s property management and reservations system
was used by the hackers to gain access to Wyndham’s servers. Once inside
Wyndham’s system, the hackers obtained administrator passwords and access
codes, compromising the computer systems of 41 properties. The intrusion
was not detected for months.

Despite Wyndham’s diligent efforts to identify and remedy system
vulnerabilities, the hackers returned twice more in 2009. The second attack
resulted in the compromise of information from 39 franchised hotels; the
third, 28 hotels.

The hackers, believed to have been operating from Russia, stole guest
credit and debit card account information. In total, more than 600,000
accounts were compromised and the potential for payment card fraud has been
estimated to exceed $10 million.

The consequences to Wyndham have been serious and seemingly endless.
Initially, Wyndham undertook the expensive process of issuing notifications
to all affected individuals as required by the data breach notification
statutes of 47 U.S. states. Wyndham also spent time and resources
attempting to satisfy state consumer protection regulators and attorneys
general that it was adequately responding to the breaches.

Wyndham also bore the legal costs of challenging assessments imposed by
credit card companies for recovery of fraud costs associated with the
breaches.

Wyndham’s woes were only just beginning. In April 2012, the Federal Trade
Commission brought a lawsuit alleging that Wyndham had failed to use
adequate security practices concerning consumer information, and that it
amounted to unfair and deceptive trade practices. Wyndham’s motion to
dismiss was denied by the court in early 2014. The case is ongoing.

Then, in May 2014, a Wyndham shareholder brought a derivative action
against it; a motion to dismiss remains pending.

The accepted industry wisdom is that a determined hacker can get into
virtually any system, regardless of how well it is protected. Industry
experts and lawmakers are calling for faster and better intrusion response
as a defense, through implementing closer monitoring and tighter protocols
to detect breaches earlier and having cyber incident response plans.

In the end, hotel owners, management firms and brands may not be able to
avoid becoming victims of cyber attacks, much in the same way that Wyndham
and its franchised hotels became victims. What hotel companies can control
is their readiness to respond.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!