Check into a hotel and you might be signing up for more than you bargained for. That is the message emerging from a wave of data breaches documented in a new analysis by security firm Panda Security that studies recent attacks on hotels and the way they are now showing signs of spreading beyond the big chains.
Hotels, after all, process and store huge amounts of data from customers, principally credit cards but also names, addresses and passport numbers. There is probably no sector besides airlines and perhaps banks that holds so much valuable data on people's identities, even though most business travellers and consumers still see them as low-risk.
The biggest issue is data breaches, mostly of credit card data held on Point of Sale (POS) terminals. There has also been a clutch of database attacks of the sort that have become endemic in many other sectors, as well as at least one really odd attack on travelling business executives called 'Darkhotel' by the firm that uncovered it, Kaspersky Lab. That was most likely a state-sponsored attack, which marks it out as an outlier but one that offers a warning to business travellers. Just because you're away from HQ, don't assume that your communication back to base via VPN can't be breached using sneaky malware. Hotels are now a measurable risk.
A POS crimewave
In the UK, reports of hotel breaches date back at least five years with Britain's Travelodge an early victim when it admitted suffering a mystery leak after customers reported receiving suspicious emails to addresses used to make bookings. At the time it was seen as an unusual event though subsequent events show that to be a bit complacent.
Since 2014, things have become a lot more serious with a cross section of mostly US hotels suffering major breaches involving Point-of-Sale (POS) terminals. Panda Security lists a string of attacks on big brands including on Trump Hotels, Hilton Worldwide, Hyatt, Starwood, Rosen Hotels & Resorts as well as two separate attacks on hotel management outfit White Lodging and another on non-US hotel Mandarin Oriental.
The scale of these attacks is not usually made public but was certainly large enough to affect several thousand individual hotels and probably several million customers who visited them in the last two to three years.
Several issues jumped out of these incidents. Clearly, the attackers were looking for credit card rather than general customer data, especially valuable if taken from the mostly upmarket chains. As was demonstrated in parallel attacks on US retailers (Target being only the most infamous example), POS terminals and the networks supposed to protect them were frighteningly easy targets thanks to a lack of encryption of the data they captured.
But it wasn't all about a lack of POS encryption; hotel networks were demonstrably poorly defended, in some cases allowing the hackers to sit undetected on networks for more than a year before the loss of data became apparent from third-party reports.
"They realised because they were contacted by the credit card companies or the FBI," points out Panda Security Labs director, Luis Corrons. Had that not happened the companies would have remained clueless. That suggests that many attacks might still have gone undetected simply because they were small enough not to be noticed or traced back to hotel transactions.
"In most cases the malware has been running for several months or years. They [hotels] had no idea."
Hotel networks hard to defend
The reason hotel networks are tough to defend has to do with the trend to target all businesses with social engineering and malware concocted specifically to beat individual defences. This tactic is now being aimed at smaller hotels, a sign that the sector is about to come under much broader and more calculating attack.
Computerworld UK has learned of a recent and undocumented incident aimed at a customer of Panda Security, a small luxury hotel in Spain which was on the receiving end of a phishing ruse based on opening an attachment for what looked like a legitimate room booking form. Eerily, the booking form was identical to the one used by the victim hotel.
Panda Security believes that the MO was to execute some new malware of a kind that would have slipped past antivirus software using signature detection, with the intention of moving sideways to the hotel's credit card database or POS systems. There is nothing unusual about this but the fact that attackers are now taking the time to target the vast number of small establishments serves as a warning not only to other hotels but their customers too.
In the view of Corrons, the sector is still not well defended. The smaller hotels that make up most of the industry are content with their defences as long as nothing appears to be going wrong. They don't see themselves as targets, a common attitude among smaller firms across the developed world.
"They were not concerned at all," he says of one hotel customer hit with malware. "They don't have a security perspective," he adds, ruefully.
Today the threat is to credit card data but attackers are in the process of moving to ransomware and extortion, a model spreading like wildfire in other sectors. When the route to POS attacks is closed that will be the next avenue of attack, says Corrons, referring to the alarming but logical possibility of large-scale attacks that encrypt rather than simply steal data passing through POS terminals. If that comes to pass then encryption will have solved the data loss issue but ironically not the equally important one of data possession.
Hotels face an approaching storm that few have grasped the significance of. Meanwhile, for hotel customers, almost all of whom buy rooms based solely on location matched to price, it's almost as stark. The hotel you plan to check into next week on that business trip probably has excellent physical locks but none on the data you hand over. Just remember that.