Consumer data from point-of-sales and property-management systems are often the targets in breaches, but they aren’t necessarily the entry points.
REPORT FROM THE U.S.—While most bad actors looking to access sensitive information stored on hotels’ systems will ultimately seek access to things such as point-of-sales terminals and property-management systems, their paths to those points can be more circuitous than hoteliers might suspect.
That means hoteliers have to be mindful of the myriad possible entry points because a single breach can have long-lasting effects on hotels and brands.
“Those concerns trickle down to how hotels operate in the franchise model,” said Patrick Dunphy, manager of workgroups and IT for HTNG. Brands “have to make sure there are proper security procedures at all hotels. An individual hotel breach tarnishes the entire brand.”
More and more systems within a hotel are interconnected, which means many seemingly innocuous devices might become perilous for an unprepared hotelier.
Dunphy said security flaws in things as simple as door locks and internet-connected thermostats can open up hotels to breaches.
“Once you get any online access, (systems) need to be hardened for prevention of breaches,” he said.
John Bell, founder and president of IT consulting company Ajontech, said because of vulnerabilities with various connected devices, hoteliers need to lock down access to anything holding sensitive data, such as credit card information.
“I run into hotels all the time that will not have a separate network for carrying credit card information,” Bell said. “So it’s mixed in with all the other information you have going through your network. That means if any of that gets compromised, all the credit card data is compromised.”
He said hoteliers often fall into the trap of thinking individual things should be locked down while networks largely remain open. He said instead they should lock down everything and only open things up as needed.
“A good basic rule for securing things is the principle of least privilege,” Bell said. “If you have a point-of-sale terminal, for example, it needs to talk to the server that supports it, and that’s it.”
Randy Westergren, a digital security blogger who discovered a flaw with Marriott International’s mobile app and servers in 2015, said the hotel industry faces the same security issues as many industries.
Point-of-sales “web applications and mobile applications are all easy targets for attackers,” Westergren said. “Especially for those organizations without strong technical backgrounds or well-established security practices.”
He said one unique issue for the hotel industry is the “smart” locks, which he said “have been widely exploited in the wild.” He said this issue has the potential to redefine how a “breach” is viewed.
“A breach involving credit card data from (point-of-sales) terminals doesn't quite hit as close to ‘home’ as an attacker gaining access to a victim's hotel room,” he said.
Bell said one of the simplest and most straightforward security issues for hotels revolves around the actual physical security of servers, computers and terminals.
“There is one property with 40 units I worked with that had their server located in the men’s bathroom,” Bell said. “There is absolutely no physical security for that server. At other properties, people have closets where machines are locked up, but anyone with a utility knife can cut through a wall, walk in then walk out with whatever they’d want. And nobody would notice for days.”
He said that issue could be addressed simply by putting servers and sensitive equipment in cages.
Not all mistakes are quite as stark as that, but Bell said there are simple steps many hoteliers overlook that could make their hotels much more digitally secure. Those include putting security tape on computers and point-of-sale terminals to avoid physical tampering or the use of devices that can stealthily amass sensitive data.
He said that could avoid the use of USB devices that log keystrokes or attachments to point-of-sales terminals that separately capture the credit card data.
“A person with evil intent can leave it there a couple months, then pick it up, take it home and pull out passwords and credit card information,” Bell said.
Dealing with third parties
Ted Harrington, executive partner at Independent Security Evaluators, said hoteliers must make sure third-party vendors, which are often a large part of hotels’ IT systems, are doing regular and thorough security testing through a neutral security expert.
“That helps the hotelier make informed decisions,” he said.
Bell said hoteliers also must be aware that equipment and systems that come through third parties are often preset to have minimal security. He said many properties will plug in things such as point-of-sale terminals or servers without realizing that their security features, such as firewalls, are completely disabled.
“I see everything shipped with wide-open firewalls, and no one goes back and shuts things down,” he said.
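A worked example of the rules Bell describes, the separate card-data network, a terminal that talks only to the server that supports it, and a firewall that is not left wide open as shipped. It is written for this article, not taken from it or from any vendor's product; the segment addresses, server address, port and subnet names are assumptions.

```nftables
#!/usr/sbin/nft -f
# Constructed example: a Linux gateway sitting between the card-data (POS) VLAN
# and the rest of the hotel network. All addresses and ports are assumed values.

define pos_vlan   = 10.20.30.0/24   # POS terminals on their own segment (assumed)
define pos_server = 10.20.1.10      # the one server the terminals may reach (assumed)
define pos_port   = 443             # assumed POS application port
define mgmt_net   = 10.20.2.0/24    # administrators' jump hosts (assumed)

flush ruleset

table inet pos_segment {
    # "Wide open" as shipped would be:  chain forward { policy accept; }
    # Least privilege inverts it: drop everything, then open only what each device needs.
    chain forward {
        type filter hook forward priority filter; policy drop;

        # replies to flows that were already permitted
        ct state established,related accept

        # POS terminal -> its application server, and nothing else
        ip saddr $pos_vlan ip daddr $pos_server tcp dport $pos_port accept

        # administration only from the management subnet, and only over SSH
        ip saddr $mgmt_net ip daddr $pos_vlan tcp dport 22 accept

        # Everything else from or to the card-data segment is logged, then dropped.
        # The log line is the detection signal: a terminal reaching for guest Wi-Fi,
        # the internet or a neighbouring segment is a misconfiguration or an intrusion.
        ip saddr $pos_vlan log prefix "POS-EGRESS-DENY " counter drop
        ip daddr $pos_vlan log prefix "POS-INGRESS-DENY " counter drop
    }
}
```

Load it with `nft -f` on the gateway and watch the counters on the two deny rules: on a correctly configured segment they should stay at zero.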
Harrington said hotels will be much more secure if hoteliers commit to more comprehensive security testing and do a better job of outlining what their potential threats might be. He noted that it’s an “impossible task” to guard against every possible security risk, so hoteliers must prioritize based on what their potential threats could be.
“The industry today relies very heavily on cursory security approaches,” Harrington said.
He said hoteliers should focus on “black box penetration testing,” which focuses on the root causes of security issues.
Harrington said hoteliers also often fall into the trap of equating things such as payment card industry (PCI) compliance with security. He said compliance with standards should be treated as a bare minimum, and each property should have its security setup tweaked to meet that hotel’s individual needs.
“To some extent, there is a reliance on compliance as if it is a security measure,” Harrington said. “If you look at any of these major hotel breaches that have happened in the last 12 to 24 months, my instinct is that most, if not all, were PCI-compliant systems, but they still suffered a compromise.”