Point-of-sale malware has become an infamous source of headaches for retail IT. Memory-scraping malware and POS skimmers especially have wreaked havoc on small and medium-sized businesses, including boutiques and restaurants, mainly as a way to steal customer payment data. Even large, global retailers such as Target have been negatively impacted by the malicious feats of POS hackers.
However, more recently, businesses in the hospitality industry have been repeatedly blindsided by cyber attacks. This not only puts these businesses at risk, but can be a threat to hotel customers and travelers as well. Let's review the latest string of incidents targeting hotels and assess some possible prevention methods for the future. We'll examine how individuals can travel safer, as well as how hotel administrators can boost their overall security posture with solutions like Trend Micro's OfficeScan.
White Lodging Services Corporation
Hackers have long been known to target anything that will get them a dime, but the apparent trend of hacking hotels can be traced back to March 2015. It was then that the luxury Mandarin Oriental Hotel Group run by White Lodging Services Corporation became the victim of a cyber attack that breached the POS and resulted in the possible theft of payment card data. The company did not specify how many cards were affected, but stated that it was a "limited number."
"Mandarin Oriental can confirm that the credit card systems in an isolated number of our hotels in the U.S. and Europe have been accessed without authorization and in violation of both civil and criminal law," the company wrote in a press release announcing the breach. "The Group has identified and removed the malware and is coordinating with credit card agencies, law enforcement authorities and forensic specialists to ensure that all necessary steps are taken to fully protect our guests and our systems across our portfolio."
Incidentally, White Lodging's troubles were far from over. Less than a month later, the group announced another suspected hacking, this time of its restaurants and lounges. The company released the names of 10 properties that had been affected from July 3, 2014 through Feb. 6, 2015. Once again, the culprit was POS malware.
Since then, there has been no news of subsequent attacks on any White Lodging properties. However, the worst was still ahead for the rest of the hospitality industry.
A sequence of cyber attacks
Hilton: In September 2015, Brian Krebs reported that several sources in the financial industry had traced multiple cases of credit card fraud back to Hilton Hotel properties. At the time, there was no official announcement from Hilton that confirmed this information. This changed in November when the company wrote in a press release that its POS systems had, in fact, been breached and as a result, cardholder names and payment information were stolen. Hilton noted in the release that the breach had affected customers within a 17-week period, from Nov. 18 to Dec. 5, 2014 or April 21 to July 27, 2015. The company recommended cautious monitoring of credit and payment card activity going forward for anyone that may have visited any of Hilton's properties within these time frames.
Trump Hotel Collection: In between the time that the Hilton breach has first been suspected and confirmed, the Trump Hotel Collection confirmed suspicions of its own regarding a possible breach of its POS system. The company announced in early October that it had been actively affected by malware for nearly a year, and that any customers who paid with credit or debit cards between the dates of May 19, 2014 and June 2, 2015, may have had payment information stolen. All of the following locations were affected: Trump SoHo New York, Trump National Doral, Trump International New York, Trump International Chicago, Trump International Waikiki, Trump International Hotel & Tower Las Vegas and Trump International Toronto.
Starwood: Shortly before Hilton confirmed its suspected breach in November, Starwood announced that 54 of its properties, including Sheraton, Westin and W locations, had been preyed upon by cyber attackers, resulting in the possible exposure of debit and credit card information of its customers. Once again, the culprit was POS malware, and once again, the bug mainly affected restaurants, bars and gift shops.
Hyatt Hotels: Two days before Christmas, Hyatt announced that it too had become the victim of a cyber attack targeting its payment systems, and that it was launching an investigation into the incident. As more details emerged, Trend Micro reported that 250 Hyatt properties in more than 50 countries were affected by the breach. Other than the large-scale nature of the breach, the cyber attack fit the profile of all the hotel breaches that preceded it. The cyber threat mainly impacted restaurant POS systems, it is believe to have compromised customers' debit and credit card information and the malware was present in the system for a prolonged period Aug.13 to Dec. 8, 2015.
"While POS malware is certainly an issue for hotel managers, the travelers staying in these locations are put at risk as well."
Travelers Beware: What to know before you go
While POS malware is certainly an issue for hotel managers, the travelers staying in these locations are put at risk as well. In order to ensure secure travels, there are a few things individuals should keep in mind:
- Understanding the region's threat environment: It's important to remember when traveling domestically or abroad that different regions are beholden to varying threat environments. As noted by Trend Micro researchers, Brazil, for example, has a growing underworld of cyber criminals, who largely operate out in the open on accessible public forums. This fact, as well as the region's preference toward banking-focused attacks, shapes the overall threat environment.
- Wi-fi connections can often be unsafe: Another issue that comes up during travel is wi-fi connectivity. Many hospitality institutions – including hotels and resorts – offer free, public wi-fi. However, as Trend Micro researchers have pointed out, these seemingly "secure" connections aren't secure at all. It's helpful to plan ahead for connectivity needs when traveling, and utilize a virtual private network to access online resources as opposed to the hotel's free wi-fi.
- Safeguard personal data: This is particularly critical when traveling with mobile devices that can provide access to personal details. Trend Micro has provided a few tips for secure traveling, including ensuring that Web browsers have high-level security settings activated, and that mobile devices are password protected. It's also beneficial to wipe any unnecessary sensitive information from laptops or smartphones, and to back up all other important data. It's also advantageous to reset passwords after a trip to ensure security. More safe traveling tips can be found here.
What can hotel managers do?
Needless to say, this string of incidents are all clearly connected, not in the sense that they have been perpetrated by the same hacker necessarily, but in that they highlight a popular threat vector at the moment. Going forward, there are several key steps that hotels can take to improve threat protection.
First and foremost, any hotel chain that has not started using EMV-enabled card readers across its properties should do so immediately. The main benefit of EMV chip-card technology is in its unique authentication measures. Magnetic stripes share reusable, easily compromised payment data with each swipe. In contrast, EMV chips create a one-time transaction code that, if stolen, will essentially be worthless to a hacker. As of October 2015, merchants including hotels will be held accountable for losses associated with POS malware-related card theft should they not use EMV-enabled card readers.
More importantly, hotel management must stay up to date on cyber threats that are currently in circulation, especially targeted threats that single out the hospitality industry. For example, Trend Micro discovered a unique strain of malware called MalumPOS in June 2015. The bug specifically targets data on POS systems running on Oracle MICROS, software that is used by merchants in multiple industries, but especially in hospitality. It is integral that hotels take findings such as these seriously, and not fall into the mindset of "this will never happen to us". From here, management must take every effort imaginable to protect sensitive customer information, and this includes leveraging threat protection software.
Hotels should also consider adopting Trend Micro's OfficeScan, which is a unique system that combines on-premises security with cloud-based protection to secure physical and virtual environments, including point-of-sales platforms. OfficeScan provides advanced protection from malicious threats, including Trojans, ransomware and new variants of existing malware. The solution is able to identify and block any threats and provide centralized visibility and control of critical assets. In this way, hotel managers and IT administrators can security the organization's desktops, servers, laptops and its POS system from a single console. Deep Discovery is also a great option to consider, as it can detect malicious activity on the network.