Blog Post
Two-for-one hotel hack week — Four reasons why hackers love breaching your favorite resorts
In a previous blog post, we went over how important it is for hotels to take PCI Compliance seriously. Believe it or not, this week, both the Trump and Hilton hotel chains confirmed they have suffered data breaches, resulting in the loss of customer data at multiple locations. There is no technical term for two big organizations in the same industry confirming data breaches in a single week, so we’re going to have to use the non-technical term and refer to the occurrence as a “twofer”, or a “double whammy.”
It’s really not as bizarre a coincidence as it might seem, as hotels are still the 4th most often attacked industry, and for 4 good reasons:
Reason #1: An Abundance of Credit Cards
If you’re staying in a hotel, you’re probably not paying with cash. If you’re staying in a Trump or Hilton hotel, you’re definitely not paying with cash. Unlike at retailers, credit cards are the default payment method for hotels. The symbiotic bond between credit card companies and hotels has produced hotel credit cards that provide incentives, similar to how you earn frequent flyer miles on an airline credit card. This leads to hotels being a veritable treasure trove of cardholder data. In short, hackers want credit card numbers, and hotels have them in spades.
Reason #2: What Kind Of Person Stays In A 5-Star Hotel?
What kind of person shells out thousands of dollars for swankier rooms, and fluffier towels to steal?
Rich people.
Think like a hacker for a second: would you rather steal credit card numbers belonging to Middle American suburban housewives, or corporate bigwigs who can afford classier sounding shower gels in their hotel bathrooms?
Reason #3: All For One, And One For All
The thing about fancy hotels is, you don’t build just one of them. Hotel chains like the Marriott and Hilton have locations all over the world, and these hotels are usually connected via a network, and use similar systems to process booking information. While that structure makes it’s incredibly convenient to process thousands of bookings many hotels handle daily, it’s the exact scenario that the idiom ‘putting all your eggs in one basket’ cautions. If one location gets compromised, chances are that hackers will be able to infect the rest of your network along with it.
Reason #4: There’s No One More Desperate For WiFi
You’re on holiday, and you just have to show your Facebook friends that you’re having a good time. While you are perpetually connected to the internet in your home country, data roaming prices are ridiculous overseas, which means that your hotel room is one of the few remaining strongholds for you to get online. Hackers know this, which is why they have developed a tool that capitalizes on the fact that WiFi is a core requirement for us in Maslow’s hierarchy of needs.
DarkHotel, a targeted spear-phishing spyware & malware-spreading campaign, is one method hackers use to attack guests through hotel WiFi networks.
First, the hackers pick a well-to-do target, and lurk within the hotel’s network for days, waiting for him to check in. Once he logs on to the hotel’s WiFi using a laptop or tablet, the fiendish hackers send him pop-up alerts disguised as legitimate software updates. Once the poor fellow starts the update, he’ll be cruising in malware county. It’s an attack method that succeeds for the very same reasons that ninjas were feared in feudal Japan; it’s well-disguised, quiet, and incredibly hard to detect, even after infiltration.
A Public Love Affair
It’s not a secret to the hotel industry that hackers love them. Hotels have been receiving metaphorical love letters from hackers for years. Hoteliers know that their clientele and organizational structure make them prime targets for attackers, but keeping hackers out isn’t as easy as it seems. Changing their infrastructure would mean spending millions of dollars developing and implementing a new system, and would also mean a decrease across the board in convenience and connectivity between branches. Then comes the mandatory data security education for ground-level staff, who will have to understand the risk that comes with processing credit card information, and also learn to detect anomalies.
Still, the fact is that whatever hotels are doing now to prevent data breaches clearly isn’t enough. This year alone, in addition to the breaches at the Trump and Hilton hotel chains, White Lodging and Mandarin Oriental properties also confirmed data breaches. While working on a new security infrastructure should definitely be in the best interests of all hotel chains, a quick fix would be to mitigate the risk of a data breach by securing cardholder data. This means finding cardholder data on systems, and either deleting or safeguarding that information so that hackers will have less information to steal. And with the average cost per loss record at $154, you can certainly afford to ditch every record you can find.
Ground Labs’ Enterprise Recon software helps you do this in record time. After a quick setup, you’ll be all set to search your network for rogue cardholder data, which you may then choose to delete, encrypt, mask, or move to a safe location off-network.
Get started on a free trial of Enterprise Recon here.