Hotels are shaping up to be a prime hunting ground for cyber criminals. While government, healthcare and financial organisations remain among the most preferred prey of cybercriminals, the hospitality sector is emerging as a growing target for e-crime and, in a more unsettling turn, nation-state adversary groups as well.
International hotel chains, in particular, offer rich pickings for financial crimes, from stealing identities to pilfering credit card numbers via point-of-sale (POS) transactions. State-affiliated adversaries have also developed a deep interest in the hospitality sector, whether for tracking persons of interest while they are travelling, or to enable access to these potential victims when they use electronic devices outside the confines of protected networks. This is according to CrowdStrike’s recent Global Threat Report.
Hotels are an attractive target for cyber criminals
Hotels present a vast array of people that represent potential targets. These include business travellers and large conferences with thousands of attendees, who are all travelling with valuable information assets. In addition, the variety of types of hotels and hotel chains, which may not be employing the most modern security practices, also makes the industry a soft target.
While customers could be hesitant to share their information online, people don’t think twice about handing over their credit card details upon checking in to a hotel. We’ve seen a rise in attacks by financially motivated adversaries focused on POS devices, which often results in the resale of stolen credit cards in criminal marketplaces. Identity information such as passport scans also holds value on the dark web.
Hotels and retail outlets are facing significant pressure to improve the customer experience, primarily with technology that’s similar to what consumers use in their homes. Visitors want reliable, fast WiFi, and they want to be able to use multiple personal devices in their rooms or to pay for services via personal apps. If a hotel elects to pursue speed and experience at the expense of investing in security, it opens the door for attackers to compromise information held by the hotel itself and to reach guests directly.
With the Notifiable Data Breach scheme now active in Australia, both local and global hotel chains need to be prepared to report data breaches quickly. Any hotel doing business in Australia and collecting data here will have to disclose a breach, no matter where the hotel is owned.
Hackers refine attack methods
Data from CrowdStrike research shows that adversary groups are targeting WiFi networks as a way to get onto the user’s machine and, through it, penetrate back into that user’s own network. Nation-state adversaries have maintained a deep interest in the hospitality sector, which may be for the purposes of tracking persons of interest while they are travelling or to enable access to these potential victims when they use equipment outside of normal corporate networks.
Looking back at the past year, there was a particular type of spear-phishing attack that was prominent in the hotel sector. This attack utilises spear-phishing emails with subject lines that reference customer details, invoices or payment information for a booking. The body of the email then explains that this information is contained within a document attached to the email, with instructions on how to unlock the protected document. The emails are usually directed to customer-facing personnel within the victim organisation, and open-source reporting has documented that quite often these emails will be followed by telephone conversations to enable successful exploitation. The primary objective of these operations is to deploy specialised tools which scrape PoS credit card data from the temporary memory where it is stored.
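The pattern described above (a booking or invoice-themed subject, a "protected" attachment, body text telling the reader how to unlock it, and a customer-facing recipient) lends itself to a simple mailbox triage heuristic. The following is an added example written for this article, not code from the original page or from CrowdStrike; every email below is constructed sample data, and the scoring weights, term lists and the `CUSTOMER_FACING` mailbox names are assumptions chosen for illustration rather than a published detection rule.

```python
"""Heuristic triage for booking/invoice-themed spear-phishing lures.

Added example: emails are constructed samples, weights are assumptions.
"""
import re
from dataclasses import dataclass, field

# Subject themes named in the article: customer details, invoices, booking payments.
SUBJECT_TERMS = re.compile(r"\b(invoice|booking|reservation|payment|customer details)\b", re.I)
# Body language that instructs the reader to unlock or enable the attached document.
UNLOCK_TERMS = re.compile(r"\b(password|unlock|enable (content|macros)|protected document)\b", re.I)
# Attachment types commonly used to carry a "protected document" lure.
OFFICE_EXT = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx", ".pdf")
# Customer-facing mailboxes the lure is aimed at (assumed local-part names).
CUSTOMER_FACING = {"reservations", "frontdesk", "events", "billing"}


@dataclass
class Email:
    sender_domain: str
    recipient: str                      # mailbox local part, e.g. "reservations"
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def triage_score(mail: Email, trusted_domains: set) -> int:
    """Additive score; each indicator is weak alone, the combination is the signal."""
    score = 0
    if mail.sender_domain.lower() not in trusted_domains:
        score += 1                      # external sender
    if SUBJECT_TERMS.search(mail.subject):
        score += 2                      # booking / invoice / payment theme
    if UNLOCK_TERMS.search(mail.body):
        score += 3                      # "here is how to open the protected file"
    if any(a.lower().endswith(OFFICE_EXT) for a in mail.attachments):
        score += 2                      # document attachment present
    if mail.recipient.lower() in CUSTOMER_FACING:
        score += 1                      # aimed at a customer-facing mailbox
    return score


def needs_review(mail: Email, trusted_domains: set, threshold: int = 6) -> bool:
    """Route to the security team when the combined indicators cross the threshold."""
    return triage_score(mail, trusted_domains) >= threshold


# Constructed sample mailbox (not real messages).
TRUSTED = {"examplehotel.test", "examplesupplier.test"}
LURE = Email("mail-drop.test", "reservations",
             "Payment details for booking 48213",
             "Please open the attached protected document. The password is Guest2018, "
             "then click Enable Content to view the invoice.",
             ["Booking_48213.docm"])
LEGIT_INVOICE = Email("examplesupplier.test", "billing",
                      "Invoice 2291 for March linen service",
                      "Hi, attached is this month's invoice. Thanks.",
                      ["Invoice_2291.pdf"])
CHATTER = Email("examplehotel.test", "frontdesk",
                "Team lunch on Friday", "Let's meet at noon.")

if __name__ == "__main__":
    for m in (LURE, LEGIT_INVOICE, CHATTER):
        print(m.subject, "->", triage_score(m, TRUSTED), "review" if needs_review(m, TRUSTED) else "ok")
```

The legitimate supplier invoice still scores on theme and attachment, which is why a single indicator should never be the trigger; it is the unlock instructions plus an untrusted sender that push the lure over the threshold. In practice the score would feed a mail-gateway quarantine or a SOC queue, and the follow-up phone call the article mentions is a reason to warn front-desk staff that "someone will ring to help you open it" is itself an indicator.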
Another alarming development is the increasing use of malware-free attacks, or attacks that went undetected by traditional anti-virus software. In 2017, 45 percent of attacks on the hospitality sector were malware-free, according to our research. The industry is clearly a prime target and can’t afford to rely on legacy technologies that fail to provide real-time visibility and risk management required to combat today’s sophisticated attacks.
Best practices for hotels and hospitality sector
When evolving their security platforms, business leaders in hospitality need to consider: which threats would target the data of their guests? Have we got the correct tools in place to ensure we can detect, prevent and respond to attacks before they become a serious issue?
Creating a security culture means the frontline of defense is the employees in that hotel. They must recognise the value and sensitivity of the information they’re capturing on a daily basis, and understand the importance of protecting the digital identity of guests just as they would with physical security.
With this in mind, here are some basic cyber hygiene practices that hotels should adopt for more robust security:
Supply chain protection – attackers are increasingly targeting the IT supply chain and partner networks, since they generally have fewer security controls in place. Hotels work with a number of suppliers and could neutralise third-party risk by shifting to proactive cyber-risk monitoring and mitigation.
Next-generation antivirus (NGAV) – this is critical to being able to detect and prevent malware on the PoS terminal. International hotel chains, in particular, are also a soft target when it comes to pilfering credit card numbers via point-of-sale transactions. Unlike traditional AV prevention, effective NGAV does not rely on constant, reactive signature updates, allowing businesses to detect and stop never-before-seen attacks.
Identity and credential management – default passwords, especially on hardware devices, can allow direct access to critical data. With hotels digitising the customer experience through things like Internet of Things-connected vending machines or new ways to process payments, each of those devices needs to be secure. Extra care should be taken to require strong passwords for all users, including default or built-in accounts.
Detection and threat hunting – focus your limited resources on those areas of the network that are most vital to the health of your business. This will enable organisations to identify irregular activity and eliminate ‘silent failure’ – the all too common issue that plagues traditional security technologies and where an attacker can roam undetected for months. Any and all connections to the Internet from your corporate environment should be monitored to identify data leaving the network. A team of expert threat hunters will also help detect evidence of an incident, in particular, looking beyond malware.
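The detection point above (monitor every connection leaving the corporate environment, and concentrate on the segments that matter most, such as the PoS network) can be put into practice with a small egress check over flow records. The block below is an added example written for this article, not code from the original page or from CrowdStrike; the flow lines, IP addresses, PoS subnet and egress allowlist are all constructed or assumed values (the external addresses are from the RFC 5737 documentation ranges), and the record format is an assumed simplified NetFlow-style layout.

```python
"""Flag PoS-segment flows that leave the network for non-allowlisted destinations.

Added example: flow records, subnets and allowlist are constructed/assumed.
"""
import ipaddress
from collections import defaultdict

POS_SEGMENT = ipaddress.ip_network("10.20.0.0/24")        # assumed PoS VLAN
INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8")]     # assumed corporate space
# External destinations the terminals are expected to reach (assumed payment processor).
EGRESS_ALLOWLIST = {"203.0.113.10"}

# Constructed sample flows: timestamp src sport dst dport proto bytes_out
FLOWS = """\
2018-03-01T02:14:07Z 10.20.0.15 52341 203.0.113.10 443 6 1842
2018-03-01T02:15:10Z 10.20.0.15 52342 10.0.5.20 445 6 9100
2018-03-01T02:20:33Z 10.20.0.15 52343 198.51.100.77 443 6 5242880
2018-03-01T02:21:01Z 10.20.0.22 52344 198.51.100.77 443 6 4194304
2018-03-01T03:05:44Z 10.30.0.8 40011 198.51.100.77 443 6 1200
""".splitlines()


def parse_flow(line: str) -> dict:
    """Split one whitespace-separated flow record into typed fields."""
    ts, src, sport, dst, dport, proto, nbytes = line.split()
    return {"ts": ts,
            "src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport),
            "proto": int(proto), "bytes": int(nbytes)}


def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_RANGES)


def unexpected_egress(lines, byte_threshold: int = 1_000_000):
    """Return (alerts, large_destinations).

    An alert is raised for every flow that starts in the PoS segment, leaves
    the internal ranges and is not on the allowlist. Bytes are also summed per
    external destination so that a leak spread across several terminals still
    surfaces as one large transfer.
    """
    alerts = []
    bytes_per_dest = defaultdict(int)
    for line in lines:
        f = parse_flow(line)
        if f["src"] not in POS_SEGMENT or is_internal(f["dst"]):
            continue                                   # not PoS, or stays inside
        if str(f["dst"]) in EGRESS_ALLOWLIST:
            continue                                   # expected processor traffic
        bytes_per_dest[str(f["dst"])] += f["bytes"]
        alerts.append((f["ts"], str(f["src"]), str(f["dst"]), f["dport"], f["bytes"]))
    large = {d: b for d, b in bytes_per_dest.items() if b >= byte_threshold}
    return alerts, large


if __name__ == "__main__":
    found, big = unexpected_egress(FLOWS)
    for a in found:
        print("PoS egress:", *a)
    for dest, total in big.items():
        print(f"{total} bytes from PoS segment to {dest}")
```

Of the five constructed records, the first is allowlisted, the second stays internal and the last does not originate in the PoS segment, so only two flows alert; together they carry about 9 MB to one external host, which is the aggregate view that turns two routine-looking HTTPS sessions into something worth a hunter's attention. The same approach generalises to any "crown jewel" segment: swap the subnet and allowlist and the check stays the same.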
It’s important to note that every hotel is dealing with sensitive information and a high number of transactions, and has its reputation and customer loyalty at stake. As the hotel industry continues to emerge as a key target for cyber criminals, large and small hotel and hospitality chains need to evolve security platforms to better protect customer data and withstand a potential attack, should one occur.