As data thieves continue to target the hotel industry, an attorney at the 2019 Hospitality Law Conference shares takeaways from recent hotel data breaches.
HOUSTON—Cybersecurity is an ongoing issue for the hotel industry, and there are a number of lessons hoteliers can take away from recent data breaches.
Sandy Garfinkel, attorney at Eckert Seamans and chairman of the firm’s data security and privacy group, spoke at the 2019 Hospitality Law Conference in Houston about what the hotel industry can learn from some of the most recent data breaches of hotel companies.
The main lesson to take away from the Marriott/Starwood data breach is to perform cybersecurity due diligence during a merger or acquisition, Garfinkel said.
“We just need to focus on the cyber threat when we’re doing due diligence in any sort of merger and acquisition scenario,” he said. “You’re acquiring a company that comes with its own baggage. That baggage might include a cyber issue.”
Over the years, he has put together a cyber due diligence checklist for M&A. The checklist is an ideal to aspire to, he said, since not everyone has the budget or time to complete every item. When acquiring or merging with another company, he recommended that hoteliers:
- build in time for a sufficient cybersecurity assessment;
- perform independent penetration tests of the target environment;
- review the acquired company’s inventory of cybersecurity products to establish what it has and what changes are necessary;
- review the new company’s third-party relationship inventory and perform a risk assessment;
- check the dark web using experts who will look for things like user credentials;
- identify infiltrations of the target company;
- research public breach databases for recent disclosures; and
- review the target company’s past breaches, including remediation statutes and ongoing obligations.
Large acquisitions are not the only ones targeted, Garfinkel said. He is currently working on a case involving a property that was purchased in September 2018.
“Unbeknownst to both the seller and the buyer in February of last year was a data breach in the guest reservation system,” he said. “It was not discovered until December. It was shrunk down to the level of a single property transaction where the buyer acquired a cyber threat it didn’t know about and only learned about it a few months later and now had all the liability for the response and notification.”
Cleaning out old data
Hotel companies tend to hold onto data about guests and employees, Garfinkel said. Sometimes they keep data they don’t need anymore.
“As information gets old, it starts to get not as useful to you as a business,” he said. “I routinely have clients that have years’ and years’ worth of data they collected from guests and customers they don’t need anymore, and that’s lying around as potential inventory for a data thief.”
In January, Marriott officials confirmed there were approximately 5.25 million unencrypted passport numbers and approximately 20.3 million encrypted passport numbers compromised. Guest data dated back to 2014, so that was four years’ worth of data, and while some of that might still have been useful, hoteliers need to think about document retention and safe destruction policies to get rid of information that lures data thieves, Garfinkel said.
The traditional definition of personally identifiable information is generally expanding across the country, he said. Formerly, PII was just a person’s Social Security number, payment card information, financial account information and his or her state-issued ID. Almost every state considers those PII now, but the definition might also include biometric information, email account information, and medical and health information.
“Some of the things that were on the list of things that were compromised in the Marriott/Starwood breach before would not have been considered to trigger legal duties, but in some states now do,” he said. “So we need to be aware the definition of what’s protected is expanding, and that’s a trend across the country.”
Most hotel data breaches used to affect the point-of-sale systems in the hotel, normally the restaurant or retail outlets, as they were considered to hold the most valuable data, Garfinkel said. In more recent years, attacks have started targeting the property management systems and reservation systems.
Not every cyber threat is a high-tech threat, he said. He’s seen nine cases in the last year that involved social engineering attacks aimed at the hotel staff.
The most common occurrence was a data thief posing as a hotel brand company employee calling a targeted hotel, he said. The thief would say he was having trouble with the reservation system and ask the employee to log in. The employee would be able to log in without a problem, so the thief would ask for the employee’s log-in information to address it on their end.
“Not every employee fell for this, but it happened over and over again enough to create a series of instances in which they gave up their credentials,” he said.
Once the thieves can enter the reservation system, they can see guest data and partial credit card information, he said. Posing as an employee of the hotel, they can call up guests with upcoming reservations and tell them they need to rebook their reservation. The thieves ask the guests for their credit card numbers and PINs and, because they have access to their data, they can read to the guests the last four digits of their card numbers as a way of proving they work for the hotel.
While most guests didn’t fall for it, when the thieves were successful in gaining the credit card numbers, they immediately spent as much as they could, he said.
There are ways to prepare employees to combat these kinds of scams, Garfinkel said. Companies need policies, backed up by training, that make clear employees do not give up credentials in these situations, he said. Train, and update that training often, he said. Employers should also create a process for employees to report these situations, train employees how to use it, and then reward them when they do.
Employers should also segment employees’ access to different systems, he said. Make sure employees can’t get into systems they don’t need to access as part of their jobs. Change passwords regularly, he added.