Point-of-sale malware has become an infamous source of headaches for retail IT. Memory-scraping malware and POS skimmers especially have wreaked havoc on small and medium-sized businesses, including boutiques and restaurants, mainly as a way to steal customer payment data. Even large, global retailers such as Target have been negatively impacted by the malicious feats of POS hackers.
However, more recently, businesses in the hospitality industry have been repeatedly blindsided by cyber attacks. Let's review the latest string of incidents targeting hotels and assess some possible prevention methods for the future.
White Lodging Services Corporation
Hackers have long been known to target anything that will get them a dime, but the apparent trend of hacking hotels can be traced back to March 2015. It was then that the luxury Mandarin Oriental Hotel Group run by White Lodging Services Corporation became the victim of a cyber attack that breached the POS, and resulted in the possible theft of payment card data. The company did not specify how many cards were affected, but stated that it was a "limited number."
"Mandarin Oriental can confirm that the credit card systems in an isolated number of our hotels in the U.S. and Europe have been accessed without authorization and in violation of both civil and criminal law," the company wrote in a press release announcing the breach. "The Group has identified and removed the malware and is coordinating with credit card agencies, law enforcement authorities and forensic specialists to ensure that all necessary steps are taken to fully protect our guests and our systems across our portfolio."
Incidentally, White Lodging's troubles were far from over. Less than a month later, the group announced another suspected hacking, this time of its restaurants and lounges. The company released the names of 10 properties that had been affected from July 3, 2014 through Feb. 6, 2015. Once again, the culprit was POS malware.
Since then, there has been no news of subsequent attacks on any White Lodging properties. However, the worst was still ahead for the rest of the hospitality industry.
A sequence of cyber attacks
Hilton: In September 2015, Brian Krebs reported that several sources in the financial industry had traced multiple cases of credit card fraud back to Hilton Hotel properties. At the time, there was no official announcement from Hilton that confirmed this information. This changed in November, when the company wrote in a press release that its POS systems had, in fact, been breached and that, as a result, cardholder names and payment information were stolen. Hilton noted in the release that the breach had affected customers within a 17-week period, from Nov. 18 to Dec. 5, 2014 or April 21 to July 27, 2015. The company recommended cautious monitoring of credit and payment card activity going forward for anyone who may have visited any of Hilton's properties within these time frames.
Trump Hotel Collection: Between the time that the Hilton breach was first suspected and the time it was confirmed, the Trump Hotel Collection confirmed suspicions of its own regarding a possible breach of its POS system. The company announced in early October that it had been actively affected by malware for nearly a year, and that any customers who paid with credit or debit cards between May 19, 2014 and June 2, 2015 may have had payment information stolen. All of the following locations were affected: Trump SoHo New York, Trump National Doral, Trump International New York, Trump International Chicago, Trump International Waikiki, Trump International Hotel & Tower Las Vegas and Trump International Toronto.
Starwood: Shortly before Hilton confirmed its suspected breach in November, Starwood announced that 54 of its properties, including Sheraton, Westin and W locations, had been preyed upon by cyber attackers, resulting in the possible exposure of its customers' debit and credit card information. Once again, the culprit was POS malware, and once again, the bug mainly affected restaurants, bars and gift shops.
Hyatt Hotels: Two days before Christmas, Hyatt announced that it too had become the victim of a cyber attack targeting its payment systems, and that it was launching an investigation into the incident. As more details emerged, Trend Micro reported that 250 Hyatt properties in more than 50 countries were affected by the breach. Other than the large-scale nature of the breach, the cyber attack fit the profile of all the hotel breaches that preceded it. The cyber threat mainly impacted restaurant POS systems, it is believed to have compromised customers' debit and credit card information, and the malware was present in the system for a prolonged period, from Aug. 13 to Dec. 8, 2015.
What can be done going forward?
Needless to say, these incidents are all clearly connected, not necessarily in the sense that they were perpetrated by the same hacker, but in that they highlight a popular threat vector at the moment. Going forward, there are several key steps that hotels can take to improve threat protection.
Firstly, any hotel chain that has not started using EMV-enabled card readers across its properties should do so immediately. The main benefit of EMV chip-card technology is in its unique authentication measures. Unlike magnetic stripes, which share reusable, easily compromised payment data with each swipe, EMV chips create a one-time transaction code that, if stolen, will essentially be worthless to a hacker. As of October 2015, merchants – including hotels – will be held accountable for losses associated with POS malware-related card theft should they not use EMV-enabled card readers.
More importantly, hotel management must stay up to date on cyber threats that are currently in circulation, especially targeted threats that single out the hospitality industry. For example, Trend Micro discovered a unique strain of malware called MalumPOS in June 2015. The bug specifically targets data on POS systems running on Oracle MICROS, software that is used by merchants in multiple industries, but especially in hospitality. It is essential that hotels take findings such as these seriously, and not fall into the mindset of "this will never happen to us." From here, management must make every effort to protect sensitive customer information, and this includes leveraging threat protection software. As recent events have revealed, hotel breaches do happen, and a lot is at stake.