Hotel sector faces cybercrime surge as data breaches start to bite

How secure is your next hotel visit?

Check into a hotel and you might be signing up for more than you bargained for. That is the message emerging from a wave of data breaches documented in a new analysis by security firm Panda Security that studies recent attacks on hotels and the way they are now showing signs of spreading beyond the big chains.

Hotels, after all, process and store huge amounts of data from customers, principally credit cards but also names, addresses and passport numbers. There is probably no sector besides airlines and perhaps banks that holds so much valuable data on people's identities, even though most business travellers and consumers still see hotels as low-risk.

The biggest issue is data breaches, mostly of credit card data held on Point of Sale (POS) terminals. There has also been a clutch of database attacks of the sort that have become endemic in many other sectors, as well as at least one really odd attack on travelling business executives called 'Darkhotel' by the firm that uncovered it, Kaspersky Lab. That was most likely a state-sponsored attack, which marks it out as an outlier but one that offers a warning to business travellers. Just because you're away from HQ, don't assume that your communication back to base via VPN can't be breached using sneaky malware. Hotels are now a measurable risk.

A POS crimewave

In the UK, reports of hotel breaches date back at least five years, with Britain's Travelodge an early victim when it admitted suffering a mystery leak after customers reported receiving suspicious emails to addresses used to make bookings. At the time it was seen as an unusual event, though subsequent events show that view to have been a bit complacent.

Since 2014, things have become a lot more serious, with a cross section of mostly US hotels suffering major breaches involving Point-of-Sale (POS) terminals. Panda Security lists a string of attacks on big brands including Trump Hotels, Hilton Worldwide, Hyatt, Starwood and Rosen Hotels & Resorts, as well as two separate attacks on hotel management outfit White Lodging and another on non-US hotel Mandarin Oriental.

The scale of these attacks is not usually made public but was certainly large enough to affect several thousand individual hotels and probably several million customers who visited them in the last two to three years.

Several issues jumped out of these incidents. Clearly, the attackers were looking for credit card rather than general customer data, especially valuable if taken from the mostly upmarket chains. As was demonstrated in parallel attacks on US retailers (Target being only the most infamous example), POS terminals and the networks supposed to protect them were frighteningly easy targets thanks to a lack of encryption of the data they captured.

But it wasn't all about a lack of POS encryption; hotel networks were demonstrably poorly defended, in some cases allowing the hackers to sit undetected on networks for more than a year before the loss of data became apparent from third-party reports.

"They realised because they were contacted by the credit card companies or the FBI," points out Panda Security Labs director, Luis Corrons. Had that not happened the companies would have remained clueless. That suggests that many attacks might still have gone undetected simply because they were small enough not to be noticed or traced back to hotel transactions.

"In most cases the malware has been running for several months or years. They [hotels] had no idea."

Hotel networks hard to defend

The reason hotel networks are tough to defend has to do with the trend to target all businesses with social engineering and malware concocted specifically to beat individual defences. This tactic is now being aimed at smaller hotels, a sign that the sector is about to come under much broader and more calculating attack.

Computerworld UK has learned of a recent and undocumented incident aimed at a customer of Panda Security, a small luxury hotel in Spain which was on the receiving end of a phishing ruse based on opening an attachment for what looked like a legitimate room booking form. Eerily, the booking form was identical to the one used by the victim hotel.

Panda Security believes the MO was to execute some new malware of a kind that would have slipped past antivirus software using signature detection, with the intention of moving sideways to the hotel's credit card database or POS systems. There is nothing unusual about this, but the fact that attackers are now taking the time to target the vast number of small establishments serves as a warning not only to other hotels but to their customers too.

In the view of Corrons, the sector is still not well defended. The smaller hotels that make up most of the industry are content with their defences as long as nothing appears to be going wrong. They don't see themselves as targets, a common attitude among smaller firms across the developed world.

"They were not concerned at all," he says of one hotel customer hit with malware. "They don't have a security perspective," he adds, ruefully.

Today the threat is to credit card data, but attackers are in the process of moving to ransomware and extortion, a model spreading like wildfire in other sectors. When the route to POS attacks is closed, that will be the next avenue of attack, says Corrons, referring to the alarming but logical possibility of large-scale attacks that encrypt rather than simply steal data passing through POS terminals. If that comes to pass then encryption will have solved the data loss issue but, ironically, not the equally important one of data possession.

Hotels face an approaching storm that few have grasped the significance of. Meanwhile, for hotel customers, almost all of whom buy rooms based solely on location matched to price, it's almost as stark. The hotel you plan to check into next week on that business trip probably has excellent physical locks but none on the data you hand over. Just remember that.
