Blogs & Stories

Trustwave Blog

The Trustwave Blog empowers information security professionals to achieve new heights through expert insight that addresses hot topics, trends and challenges and defines best practices.

Why Cybersecurity in the Hotel Industry Should be a Joint Effort

Recent cybercrime headlines in the hospitality industry should make for unsettling reading after last year brought another raft of attacks against hotels. The global hospitality industry now sits in the top three of industries most frequently targeted by hackers, according to the 2015 Trustwave Global Security Report.

The steady flow of high-profile data breaches revealed that point-of-sale malware remains a primary threat, but criminals are also setting their sights on other sensitive data - as well as third-party providers, such as booking and car rental companies, which maintain hordes of information on travelers.

Thieves have seized the opportunity to capitalize on the wealth of data that passes through varying weak spots in hospitality networks, and they're now looking for more than just credit card data. Hotels hold contact details, travel plans, air miles, birth dates, passport data and personal preferences on millions of guests - all of which can be used by criminals in a multitude of ways, ranging from fraud to extortion.

According to the aforementioned report, 65 percent of the hospitality industry's security breaches were via point-of-sale (POS) systems, with weak remote access security contributing to 44 percent of those compromises.

But a number of breaches also affecting the industry targeted booking partners - companies that facilitate reservations on behalf of the hotel brands for services such as air travel, car rental and room bookings. Often these providers don't carry the brand recognition of the hotel chains, which makes them an attractive target to the hackers who see them as a potential weak link in the data chain. This trend began in the Europe, but has spread to other regions as well.

Attackers likely specifically and deliberately targeted businesses that provide service to hotels, airlines and car rental companies because they serve as an attractive aggregation point for the sensitive data of many customers.

Regardless of where the initial breach occurs, one thing is certain: if customers can't rely on a brand's booking system, they will simply go elsewhere. Statistics show that nearly one in five shoppers have dropped out of an online travel booking because of security concerns around payment.

There must therefore be tighter control across a hotel and its network of partners. Without that, the entire chain is vulnerable to attack.

Assess risks everywhere

Understanding where critical data lives within your enterprise and how it moves, both internally and outside of the organization, is paramount. This includes ensuring that third-party access points are covered up. You also need to inventory systems to understand their patch and vulnerability status, and assess current volumes of detected security incidents and how long it takes to respond to these known incidents.

Protect the POS system

POS attackers often take advantage of vulnerabilities, from configuration errors like easy-to-guess passwords to underlying flaws in the system itself, to access payment terminals and plant malware. Bars, restaurants and gift shops are often as big of targets as hotel front desks. Identifying this type of breach can be extraordinarily difficult because POS malware variants are difficult to identify, so it is critical that hotel chains - and their partners - have experts regularly conduct deep-dive penetration to sniff out potential vulnerabilities before criminals can take advantage of them.

Find malware and keep data protected

Hoteliers must accept that either their systems or those of their partners may be infected with malware, and often threats can reside on the system for months without being picked up. To mitigate the potential damage caused by unidentified malware, hoteliers and their partners should implement intrusion detection, security management and threat intelligence services, as well as scan inbound and outbound communication to flag data-stealing malware in real time and prevent information from leaving the door.