systems, later confirming seven properties were affected. In April, previous hacking victim White Lodging
Hotel Services Corp. announced
POS systems at 10 of its franchised
hotels had again been compromised.
The month prior, Mandarin Oriental Hotel Group disclosed hacks at
“an isolated number” of hotels in the
United States and Europe.
Cybercrime threats to the lodging
industry are nothing new, but the
volume of attacks going after guest
card payment information raises the
question, why does this keep happening to hotels? But that question is, perhaps, a flawed one. Chris
Zoladz, founder of Navigate LLC, an
information protection and privacy
consultancy, suggests POS systems
are the larger target, and those exist
well beyond the hospitality industry.
According to Privacy Rights Clearinghouse, a nonprofit group that
keeps a chronology of all manner of
data breaches disclosed to the public
through company releases and media
reports, there were 111 breaches related to hacking or malware on POS
systems during 2015. Of that total,
only seven of the breached entities
were hotel companies. Others on that
2015 list included Sabre, United Airlines, American Airlines, Uber, Starbucks and Chick-fil-A.
“POS systems are often the weak
link in the chain and the choice of
malware,” said Mark Bower, HPE
Security global director of product
management for enterprise data
security. “They should be isolated
from other networks but often are
connected. A check-out terminal in
constant use is usually less frequently
patched and updated and is thus
vulnerable to all manner of malware
compromising the system to gain
access to cardholder data.”
Instead of why hotels, a better question
is what is it about hotels. What
makes their POS systems particularly
vulnerable and valuable to hackers?
Bower suggests the type of POS
systems used at hotels are part of the
problem. “These are often integrated
POS environments running applications
in an environment that is not as
secure as modern hardened payment
terminals designed to capture payment
data and implement encryption
independent from the POS itself.”
directly to the payment processor.
The extra stop in integrated systems
creates a weakness that cybercriminals
are quick to tap.
In addition, hotels deal with a high
volume of payment card transactions—
between restaurants, on-site shops,
spas, parking facilities and front-desk
billing—and card information is stored
with the hotel in the run-up to, and
duration of, a single stay.
“If you call a hotel to make a reservation,
they manually type in your
card information and leave your
credit card on file,” said Shaun Murphy,
founder and CEO of SNDR,
a message- and file-sharing app,
who specializes in cybersecurity.
“Your personal details are stored in
so many different systems, there are
so many more ways for malware to
have access to them.”
The hospitality industry, too, suffers
from a high turnover of employees and
HILTON’S JIM HOLTHOUSER DURING A
NOVEMBER DATA-BREACH DISCLOSURE
Travel Suppliers = Easy Pickings For Hackers
Doug Clare, vice president of
product management for Fico, an
analytics software company, said
the travel industry gets hit “pretty
hard” with fraudulent transactions.
Booking a ticket or hotel room
online is anonymous.
Acceptance Of Arrangers
Common practices allow
cardholders to book trips for others.
Card Matching Not Required
Airport counters and kiosks don’t
ask for the card with which the
flight was purchased; the same
goes for hotel reservations.
Chip Cards Help,
They add security within the point-of-sale environment, but card-not-present transactions and holding
card numbers on file remain risky.
[Chart; surviving labels: "Have issued chip cards," "in the next." Source: Business Travel News survey of 198 travel buyers]