Tips to keep hotel data hackers at bay
Tips to keep hotel data hackers at bay
11 FEBRUARY 2015 8:25 AM
Hotel data hacks will become an increasingly familiar sight in the years to come, attorneys said during the Hospitality Law Conference.
HOUSTON—Lara Shortz surveyed the crowd Tuesday at the Hospitality Law Conference and asked attendees to raise their hands if they’ve been involved in a data breach.
“If you haven’t raised your hand, you should,” Shortz, an attorney at Michelman & Robinson, said during a session titled “Anatomy of a hospitality data breach.”
The session was especially timely given reports that White Lodging was again targeted by data haxkers. In 2014, malware was found in the food-and-beverage outlets of 14 of  its hotels a year ago.
Such hacks are likely to become even more prevalent in the future and hotels are prime targets, presenters said during the session at the Hospitality Law Conference. Shortz said hotels are the third most likely business to be targeted by hackers, behind retailers and F&B outlets.
Point-of-sale hacks are popular, and hotels are especially vulnerable because the properties experience a high level of business travel, which is attractive to hackers because of the sensitive data such travelers carry; high employee turnover at hotels; and a reliance on outside vendors and systems, Shortz said.
Sandy Garfinkel, chairman of law firm Eckert Seamans’ data security and privacy group, cited statistics that found 79% of United States companies have been subject to a data breach at some point in the past two years. He said the news media tends to ignore smaller hacks that happen frequently.
“Hackers are ahead of the game,” Garfinkel said. “There’s no question about this. Defending against these attacks is becoming more and more difficult. We’re falling behind. … This is a losing battle in some ways.”
Incident response
Shortz outlined several measures hotel operators can take to ensure they are prepared if a data breach occurs on property.
Some of those steps include:
  • limit access to computer systems;
  • upgrade passwords and firewalls;
  • limit off-site working to senior management;
  • perform penetration testing; and
  • ensure intrusion detection systems are in place.
Shortz said a comprehensive incident response plan also is crucial. “This is not just a phone call to your IT guys,” she said.
This plan should include who will report the breach to authorities and ensure security software is up to date.
“You want to be prepared when that breach happens, and you have to have everybody on board to do that,” she said.
The implications of being hacked are significant, Garfinkel said. He referenced Wyndham Worldwide Corporation’s three separate hacks that took place from 2008 to 2010 where 45 hotels were hit and 800,000 credit card accounts were stolen.
He estimated that Wyndham’s response to the situation has come at a cost of more than $10 million.
“Remember when I said a lot of your colleagues in the industry aren’t sleeping well at night,” he said, referencing earlier comments made during the session. “This is why.”
Hack attack
In discussing White Lodging’s 2014 breach, Shortz said the F&B system of the franchisee was targeted and it took some time to nail down the cause of the problem. Garfinkel said point-of-sale attacks that impact F&B operations are becoming increasingly popular.
He said hackers are able to follow the link from an individual hotel to the franchisor, and then continue to follow that path to other linked-in hotels that share the same system.
Also of concern to hotels is the Dark Horse Virus, Shortz said. This virus is meant to capture sensitive data business travelers might have on their devices. She said it presents itself as a system update when a user logs onto a hotel’s Wi-Fi network and is prompted to type in their name and room number.
“It can go undetected for months,” she said.
Marriott International was fined $600,000 last year by the U.S. Federal Communications Commission for blocking the personal Wi-Fi hot spot of a guest. In its defense, the company said personal Wi-Fi is a security concern; however, Microsoft and Google have disagreed with that argument, Shortz said. 
Data hacks will continue to happen in the hotel industry, the presenters said. During an interview with Hotel News Now following the session, Garfinkel said it’s not a matter of if a hotel company is hacked, but when.
“We are just at the forefront of dealing with these issues,” Shortz said.

Correction, 11 February 2015: An earlier version referenced a statement from White Lodging that was made in relation to a data hack made in 2014. That statement has been removed.

No Comments

Comments that include blatant advertisements or links to products or company websites will be removed to avoid instances of spam. Also, comments that include profanity, lewdness, personal attacks, solicitations or advertising, or other similarly inappropriate or offensive comments or material will be removed from the site. You are fully responsible for the content you post. The opinions expressed in comments do not necessarily reflect the opinions of Hotel News Now or its parent company, STR and its affiliated companies. Please report any violations to our editorial staff.