High profile data breaches have become a familiar sight over the last year, and are now a top concern for almost every area of business. Unfortunately, as the recent spate of attacks against leading names around the world shows, the hospitality sector has more cause to worry than most.
The 2015 Trustwave Global Security Report actually found the hospitality and food and beverage sectors to be two of the three industries most frequently targeted by cyber criminals, behind only the retail sector. Of the 574 security compromises we investigated around the world, 13 per cent were in the food and beverage sector, and 12 per cent were in hospitality.
While any organisation that deals with large amounts of consumer data is vulnerable to repeated attacks by cyber thieves, hotels, bars and restaurants are uniquely vulnerable because of their unavoidable reliance on Point-of-Sale (POS) terminals.
Of all the cases we investigated, 95 per cent of all breaches in bars and restaurants were through POS terminals, along with 65 per cent in hotels. By comparison, although the retail sector accounted for 35 per cent of all data breaches, only 27 per cent of these involved POS terminals, with the majority taking place through vulnerabilities in e-commerce systems.
We found that weak remote access security was the main reason POS terminals have become such easy targets, with this contributing to 44 percent of all POS compromises. While some flaws are inherent in the technology itself, one of the most common weaknesses is a human one - the poor use of passwords. Passwords tend to be a chink in the armour almost everywhere they are used, and we have found ‘Password01’ is still the most common choice.
When it comes to POS terminals and other remote access technology, users tend to enter simple, easy-to-guess passwords because it will be easier and faster for them, and will often just leave the default password set if this is possible. This gives attackers an easy route into the system to covertly plant malware.
The front desk is the obvious choice of target, but bars, restaurants and gift shops are also easy ways to rack up large amounts of data from unsuspecting customers. Identifying this type of breach can be extraordinarily difficult because POS malware variants are difficult to identify.
While POS represents the biggest threat, the hospitality sector is also vulnerable due to the large number of partners they work with. Booking partners which facilitate services such as room bookings, flights and car rentals often represent a way for criminals to side-step the victim’s defences.
Often these providers don't carry the brand recognition of the hotel chains, which makes them an attractive target to the hackers who see them as a potential weak link in the data chain. This trend began in the Europe, but has spread to other regions as well.
Identifying the threat
Regardless of the method criminals use, data breaches of this kind are usually very difficult to detect, with thieves masking their tracks to continually harvest as much customer data as possible. Our report found that breaches took a median of 81 days to identify, and went on for a median of 111 days. In 81 per cent of cases we looked at, the victim was unable to identify the breach themselves.
The illusive nature of most breaches means that it is critical for businesses - and their partners – to have experts regularly conduct deep-dive penetration tests to sniff out potential vulnerabilities before criminals can take advantage of them. Hoteliers and bar and restaurant owners must accept that either their own systems, or those of their partners, are very likely to already be infected by malware, or will be targeted in the near future.
However, the situation is far from hopeless. Implementing intrusion detection, security management and threat intelligence services will enable hoteliers and bar and restaurant managers to more easily identify malware in their system and mitigate the damage. Scanning inbound and outbound communications will make it possible to flag data-stealing malware in real time to prevent information from leaving the door in the first place.
The unique vulnerabilities of the sectors mean that hotels, bars and restaurants are likely to stay at the top of the hacker hit list. With major breaches taking a heavy toll in customer trust and increasingly steep fines, organisations cannot afford to leave any stone unturned in hunting down and defending against cyber threats.