The hotel industry is seeing a rapidly growing number of data security breaches, making it one of the latest industries targeted by cyber criminals. The trend is now reaching the radar of the general public, after Hilton Hotels & Resorts acknowledged hackers stole credit card information from a large number of the franchise locations in November.
According to Barry Kouns, President & Chief Executive Officer at Risk Based Security, there have been 49 reported data breaches in the hospitality industry between 1/1/14 and 11/31/15. Kouns acknowledges that many breaches go unreported by organizations. Of the reported breaches, almost 60% exposed client credit card numbers, according to Risk Based Security.
This two-year-long trend first received some notice after hotel owner, developer and management company White Lodging acknowledged a cyber hack in the first quarter of 2014. That attack (as has been the case with the Hilton breach and the Mandarin Oriental data breach) targeted point-of-sale devices inside restaurants, coffee bars and gift shops located within the 14 hotels breached. The White Lodging cyber attack was where the issue first really came onto the radar for the hotel industry.
In fact, that attack prompted John Buchanan to write his article “Sources: Data breach shows industry liability” on Hotel News Now.com. In that report, Buchanan cites an expert who discusses how the industry is being threatened and is seen as a good target for cybercriminals, especially franchise chains within the industry.
Part of the reason franchises make such an attractive target is that they typically follow a standardized model, even within their computer systems. Because of that standardization, when a security deficiency exists within a specific system, it can be used against the entire franchise.
Former Washington Post reporter Brian Krebs broke both the Hilton and White Lodging breaches on his blog, Krebs on Security. White Lodging confirmed a second data breach in February 2015, one that attacked the same systems in different hotels.
What can hotels do to protect themselves?
The biggest issue most hotels seem to struggle with is their inability to quickly implement security patches in their networks. One of the easiest suggestions Mr. Kouns offers to those in the hospitality industry is for the company to conduct regular network scans and to fix the issues they find.
Another key implementation step is to make sure that anti-virus software and definitions are kept updated. New viruses come out every day, and anti-virus protection software is usually pretty good at staying on top of the new viruses, offering fixes regularly. If a company isn’t updating its anti-virus software, that company is leaving itself exposed to a potentially avoidable hack.
Risk Based Security is one of several companies that offer different solutions to businesses to help them mitigate their risk of a data breach. They offer a subscription service designed to provide clients with the tools, services and resources to stay informed about the latest security threats and have ready access to security expertise while maintaining a continuous improvement posture.
Another key element is providing training to employees regarding cyber security. Many data breaches occur when an employee has either visited a website or clicked on an email that corrupts the computer. Most of the time, the employee is aware that they have made a mistake … but since nothing obvious happens right away, the employee is tempted to stay quiet rather than bring up the issue to their IT department and potentially get in trouble.
Some of the companies most successful at avoiding data breaches discuss open communication and react in a supportive way when a computer is attacked. That reaction encourages employees to report potential data breaches, which can make the difference between catching an issue quickly and having your company’s name attached to the next data breach report.