Does your hotel need a wake-up call of its own?
In a trend that continues to escalate against so-called “softer” targets, the travel and entertainment industry has been bearing the brunt of many recent data breaches. There are specific reasons why this has been happening to hotels in particular, and I don't expect the trend to abate any time soon. However, the industry does have options – if it chooses to schedule a wake-up call and start taking action now.
Part of the problem hotels have is clearly the large amount of data they collect and retain in their data warehouses. Like other softer targets, such as local and state governments, they maintain a high volume of detailed information on their clientele because they need it to do their job. But having lots of data isn't what makes hotels vulnerable in particular – it's the structural challenges of the industry. There are four main reasons why hotels keep getting hacked:
- Lots of mergers, acquisitions, and divestitures – Consolidation is a huge risk because differing IT policies and procedures have to be merged and changed, and those changes often come with personnel changes. Losing track of who did what, and how, easily leaves vulnerabilities exposed, not to mention vulnerabilities that may already have been exploited before the deal closed, as was the case with Starwood / Marriott.
- Open systems with large numbers of franchisees – The hotel industry is largely run on a franchise model, with each hotel having some latitude on how it runs its house with its own local partners while still having access to the central systems. This makes the risk of introducing malware and other attacks far higher than in the closed systems of banks and payment processors, and, as retailers and restaurants have found, these threats are hard to contain even with rigorous enforcement on front-of-house systems.
- Inconsistent and aged investments – Hotels are not IT powerhouses. Frankly, IT-wise many guests only care that their reservation and billing info is accurate and that they can get on the Wi-Fi. Hotels inconsistently invest in infrastructure when it isn’t visible to guests and doesn’t directly drive revenue. Likewise, the investments that are made are used as long as possible, while patching and updating can be spotty. It shouldn’t take a major breach to drive that investment!
- Internal threats like no other – No one likes to point fingers at employees, but the reality is that hotels have been the scene of identity theft and credit card fraud since the beginning – think credit card skimming “swipe through” schemes. Background checks or not, front-of-house hotel employees have much easier access to customer data, many employees require that access, and those staff have a high turnover rate.
These challenges are tough to manage, and would-be attackers are all too keenly aware of them. Without dealing with them directly, hotels are going to remain ripe targets for attack. There are things that can be done to change the trajectory – but, sadly, it will take a loud wake-up call for many vendors.
So what can hotels do about it?
Hotels have a lot of choices, including strengthening firewalls, intrusion detection, encrypting data, and limiting access to data through access controls. But focusing on infrastructure, perimeter, and intrusion detection is a losing battle, since these measures only protect you from the threats you know about and offer no protection once they are compromised or circumvented. Furthermore, many hotel chains have invested heavily in passive, data-at-rest encryption for their storage, databases, and data warehouses – which unfortunately doesn't address the current threat vectors and only provides a false sense of security.
The key is to think about what attackers are after at the hotel chains – the data warehouse – and how that great resource can be used while preventing abuse. Adopting a data-centric security model allows the data to be protected as it is acquired and as it traverses the organization, so that if an attacker gets through the perimeter, the risk that actual personal data will be exposed is dramatically reduced. Data-centric protection with technologies like tokenization allows the organization to use the protected data for its operations, analytics and data sharing, meaning that any exfiltrated data would be useless tokens and considered out of scope of a data breach. Guest safety and privacy have to extend through the full environment, not just the front doors!
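To make the data-centric argument concrete, here is an added example (not code from the original post or any vendor) of vault-based tokenization for a guest record. It assumes a hypothetical in-memory `TokenVault`: card numbers are replaced with tokens that keep the length and last four digits (so billing and repeat-stay analytics still work) while the real numbers live only in the vault, so a dump of the warehouse contains nothing an attacker can use.

```python
import hashlib
import hmac
import secrets
import string

class TokenVault:
    """Hypothetical in-memory vault tokenizer: real PANs live only here; the
    warehouse stores tokens that keep length and last four digits (usable for
    billing/analytics) while the other digits are random (useless if exfiltrated)."""

    def __init__(self):
        self._lookup_key = secrets.token_bytes(32)  # keyed index, never stored with the data
        self._by_index = {}   # HMAC(pan) -> token (deterministic: same card, same token)
        self._by_token = {}   # token -> pan (only the vault can reverse a token)

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13-19 digits")
        idx = hmac.new(self._lookup_key, pan.encode(), hashlib.sha256).hexdigest()
        if idx in self._by_index:
            return self._by_index[idx]
        while True:  # random body + real last four; retry on the (unlikely) collision
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token not in self._by_token and token != pan:
                break
        self._by_index[idx] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]  # KeyError for anything this vault never issued

def protect_guest_record(vault: TokenVault, record: dict) -> dict:
    """Swap the card number for a token before the record reaches the warehouse."""
    return {**record, "card_pan": vault.tokenize(record["card_pan"])}

def repeat_stays_per_card(warehouse: list) -> dict:
    """Analytics on tokens only: deterministic tokens let us group stays by card."""
    counts = {}
    for rec in warehouse:
        counts[rec["card_pan"]] = counts.get(rec["card_pan"], 0) + 1
    return counts

def pan_leaked(warehouse: list, pan: str) -> bool:
    """Would a dump of this warehouse expose the real card number?"""
    return any(pan in str(value) for rec in warehouse for value in rec.values())
```

Settlement or refund processes that genuinely need the real number call `detokenize` through the vault, which is the one component that must be isolated and tightly access-controlled; everything downstream works on tokens.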