Hotels and their guests have become increasingly frequent targets for cybercriminals. Recognizable names to suffer attacks over the past year include Hilton Hotels, Hyatt Hotels, Trump Hotel Collection, Starwood Hotel Group and Rosen Hotels and Resorts, which suffered a major data breach after failing to spot an unauthorized cyber intrusion for more than 17 months!
For hotels, the pain goes beyond the embarrassment of having their respective brands tarnished by negative publicity and fallout with their customers. Adding insult to injury, a U.S. appellate court ruled last year that the U.S. Federal Trade Commission (FTC) could levy hefty fines and punishments against Wyndham Hotel Group for poor security practices that date as far back as 2009, leading to the theft of 600,000 customer details.
Why are cybercriminals specifically targeting hotels? Hotels have traditionally focused their security efforts on the physical safety of their guests but have struggled to keep up with the measures needed to ensure the digital safety of their patrons. Complicating matters, many hotels operate as franchises over multiple geographies, stretching the limits of their security infrastructure. Factoring in the variety of devices that are connecting to hotels’ Internet services and networks, it is no wonder that cybercriminals are probing for vulnerabilities.
Kaspersky Labs identified a sophisticated malware campaign known as DarkHotel, which preyed on victims connecting to hotel Wi-Fi networks by posing as updates to common applications like Google Toolbar, Adobe Flash and Windows Messenger. Once installed, the malware, which could be updated remotely, stole sensitive information from the victim’s laptop. Intrusions like this allow criminals to install even more advanced tools on an unsuspecting victim’s laptop, such as keystroke loggers that steal passwords and login credentials.
With the volume of credit card swipes going through a hotel’s point-of-sale systems at check-in, restaurants and gift shops, hotels are a very tempting target for cybercriminals looking for payment card information (PCI), such as cardholder name, card number, expiration date and verification code. On the black market for cybercriminals, a partial credit card record can go for as much as $5 and a full credit card record can go for as much as $30. In a twist of irony, the price for stolen credit card information has been falling because cybercriminals have been trading in bulk!
A common problem in the hospitality industry is high turnover. A disgruntled employee does not need a high level of authority to access sensitive information—or even rooms. While we often take precautions to prevent physical theft of our devices, a cybercriminal only needs a few minutes to download malicious code. This can actually be more harmful and costly to an organization or individuals than a stolen device. Malware in the form of ransomware, a digital form of extortion, has become a growing problem for consumers and enterprises, and a lucrative practice for thieves.
So what precautions can you take to reduce your risk?
- Install a software security suite from a trusted company such as Kaspersky Labs, Trend Micro, Check Point Software or Symantec and make sure it is updated regularly.
- Strengthen your passwords to include a mixture of uppercase and lowercase characters, numbers and symbols.
- Avoid using the same password across multiple sites to limit how far a compromised password can travel.
- Make sure the software applications on all of your devices are updated regularly, especially prior to traveling, to prevent hackers from exploiting known vulnerabilities. Be sure to install updates on a trusted network.
- Ensure that a website is encrypted with a Secure Sockets Layer (SSL) certificate by looking for the padlock icon or “HTTPS” in the address bar before entering personal information.
- Refrain from clicking on advertisements and email links from suspicious or unknown sources.
- Monitor your credit card accounts frequently for unauthorized purchases and check your credit report often!
About the Author
Tim Ayer is currently a Product Marketing Manager with the Security and Data Protection Division at Tech Data. As a 20+ year veteran in the IT Channel, he has worked closely with some of today’s leading software publishers and hardware manufacturers to connect with VARs, MSPs and System Integrators.