Sources: Data breach shows industry liability
05 FEBRUARY 2014 10:02 AM
Hackers targeted a hotel operator for almost nine months and stole customer credit card data and personal information from 14 properties in eight states, sources said.
REPORT FROM THE U.S.—A data breach at hotel owner, developer and management company White Lodging is raising new questions and concerns about the preparedness of the hospitality industry at a time when cyberattacks on business enterprises are increasing dramatically, according to sources.
In the attack, first revealed 31 January by former Washington Post reporter Brian Krebs on his “Krebs on Security” blog, the attackers of Merrillville, Indiana-based White Lodging, whose portfolio includes more than 169 properties in 21 states, allegedly collected customer credit and debit card numbers, security codes, card expiration dates and other personal information from guests who had stayed at a total of 14 hotels in Colorado, Florida, Illinois, Indiana, Kentucky, Pennsylvania, Texas and Virginia. Individual brands said to be affected include nine Marriott properties, two Holiday Inns, one Sheraton, one Westin and one Radisson.
The attacks began last March, and the theft of data continued until 16 December, White Lodging said Monday in a statement.
With the exception of the Merrillville Radisson, none of the property management systems were compromised. The attacks, which exploited point-of-sale systems, were allegedly aimed at restaurants and lounges in the hotels.
"Upon learning of the suspected data security breach we immediately contacted appropriate federal law enforcement officials and initiated a third-party forensic review, including a review of all other properties managed by White Lodging," the company said in its statement.
The company reported that guests at its hotels who did not use credit cards within the targeted venues such as restaurants, or who used their room accounts at the outlets, were not affected by the breach.
Marriott International and Carlson Rezidor Hotel Group issued statements saying they are working closely with White Lodging, mentioning that systems they own were not affected but offering little additional information.
White Lodging also manages 28 Hilton Worldwide properties across multiple brands. No evidence suggests that those hotels were affected by the data breach, according to a statement Tuesday from Hilton.
A vulnerable industry
Bob Russo, GM of the PCI Security Standards Council, said in recent years the hotel industry has been particularly vulnerable to cyberattacks.
"For the last couple of years, the hospitality industry has been plagued by data theft, credit card breaches and hacking attempts made to steal credit card data," he said. "Last year, the two biggest global reports on data breaches, Trustwave’s Global Security Report and Verizon’s Data Breach Investigation Report, both show hospitality continuing to struggle in this area. Verizon, meanwhile, reports that accommodation, food and lodging made up for nearly 54% of their caseload."
Although the broader industry is threatened, Russo said, "franchised hospitality locations are at an exponentially greater risk. Standardization of computer systems among the franchise (and hospitality) models is common and, in the event a security deficiency exists within a specific system, deficiencies will be duplicated among the entire franchise base."
In the case of White Lodging, "cybercriminals took full advantage of this vulnerability, targeting specific franchised businesses and exploiting common points of failure across franchisee properties," Russo said.
Between April 2008 and January 2010 there were three attacks against Wyndham Hotels & Resorts. In June 2012, the U.S. Federal Trade Commission filed a lawsuit against the company and three of its subsidiaries for security failures that allowed hackers to access payment-card accounts. The theft resulted in more than $10.6 million in fraudulent charges, according to the FTC.
In the fall of 2009, Radisson Hotels & Resorts revealed that the computer systems in some of its hotels had been compromised. And in 2010, the Westin Bonaventure Hotel & Suites in Los Angeles disclosed a possible data breach at four restaurants and valet parking operations.
A ‘mixed business model’
One key factor that makes hotel operators particularly vulnerable to cyberattacks is that there is no standardized industry business model, according to Anthony Roman, owner of New York-based investigative and security consulting firm Roman & Associates.
"For example, because of their difficult mixed business model, a hotel company can set a particular standard of IT security for franchisees, but many of those franchisees cannot afford it," Roman said. "And in some cases, the hotel companies are not enforcing their standards. And you have the same kinds of issues with the rest of that mixed business model."
As a result, there is a wide gap between hotel operators that are well protected and those that are not, he said.
Roman said only about 25% of all U.S. businesses, including hotel operators, are fully compliant with current data security best practices. That means that three out of four are not and are potential disasters waiting to happen, he said.
Frank Wolfe, CEO of Hospitality Financial and Technology Professionals, agreed that a diverse business model contributes to the industry's vulnerability. But he disputes any contention that hotel management companies or any other subgroup are more vulnerable or less well prepared than anyone else.
"The real challenge is cost," Wolfe said. "And I think that cost is now eating into the mission of hospitality."
In the White Lodging case, sources said a number of important questions are still unanswered.
Tammara Combs, an Austin, Texas-based data security consultant whose portfolio has included hospitality clients, said she is curious about what customers learned, and when and from whom they learned it.
"Did the customers suspect or know that something was going on last March?" she said. "Or did they just now discover the breach and then trace it back to last March? That's one question I'd like to see answered."
The problem, Combs said, is that there often are not enough alert mechanisms embedded in hotel computer systems for operators to quickly see that unusual activity or a breach is going on.
"But there should have been something in White Lodging's system that would have alerted them," Combs said.
White Lodging first learned of the breach when the company was contacted by banks about suspicious credit card activity, said Krebs, who also first revealed the massive cyberattack on Target stores.
The questions about what White Lodging knew and when it first knew concern Combs. "The possibility that they might not have known this was going on, or that they might not have contacted customers, are important questions that deserve answers," she said.
Krebs acknowledged that those are legitimate questions. "And I don't know the answer to them," he said. "But my sense is if they had good answers to those questions, they might have volunteered that information."
Based on all available public evidence, Krebs said, "My sense is that they have not known for long."
The reason? The U.S. financial industry is highly fragmented and suspect information can go unnoticed, he said.
"As long as it's not one large institution that's taking a large hit, they don't have infinite resources to try to tie specific cards to specific breaches," Krebs said. "They're not going to see it. That's why it's possible for the same card to be compromised in multiple places. So there are a lot of things that can contribute to a breach going undetected for a long time."
Neither White Lodging nor Marriott responded to requests for comment.
Getting management's attention
The truly bad news when it comes to cyberattacks, Roman said, is that given the ever-increasing sophistication of hackers and criminal organizations, no company, no matter how much money it spends or how many resources it deploys, can ever declare itself 100% protected against a breach.
At the same time, he said, he is increasingly concerned that the hotel industry is not paying sufficient attention to the growing severity of the threat or what is required to mitigate it.
"It's not clearly understood or accepted by senior management and executives in the hotel (companies) that superb IT security can result in a profit model and can also improve the brand's image," Roman said. "It can also become a saleable commodity and protect the brand image against tarnishing."
However, he said, he sees no reason to believe that the White Lodging incident will serve as a wake-up call. "I don't see it happening currently," he said. "And I don't see it happening in the foreseeable future. I have had many conversations with executives and IT professionals. It is not a priority within the hotel industry."
Wolfe, however, stressed that based on the number of credit card transactions hoteliers complete every day, the industry is relatively safer than some others, such as retail sales, when it comes to data security. "There are a lot of other places that are not as prepared as we are," he said, adding that many operators do need to be more vigilant.
Russo concurred that incidents such as the White Lodging breach "underscore the importance of making payment security part of your business-as-usual activities—not just a one-time exercise, but an everyday business practice."