Cyber crime is on the increase and no industry or institution is immune.
High-profile cases have involved victims from a wide range of industries, from financial institutions to telecommunications firms. The hotel sector has had its fair share of security breaches of late, with some of the world’s biggest operators, including Hilton and Starwood, falling victim to payment system hackers.
It’s led to harsh criticism of the hotel and hospitality industry for failing to take enough preventative measures to protect the security and the privacy of their guests.
Hotel News Middle East finds out why cyber crime is a growing concern for the hotel sector and speaks to experts about what steps they should be taking to counteract this alarming threat, which in extreme cases could even threaten the lives of their guests.
A growing global threat
Organised crime has been quick to take advantage of the opportunities offered by the Internet and in particular, the growth of e-commerce and online banking. Specialist criminal groups are targeting individuals, small businesses and large corporate networks to steal personal information in bulk in order to profit from the compromised data now available to them.
From hacking to phishing, cyber criminals the world over are constantly devising new ways of gleaning this personal information, and this activity is on the rise, to the point of generating a cybercrime epidemic.
“Cybercrime in the past 12 months has been nothing short of epic,” says IBM cybersecurity evangelist, Limor Kessem.
“Never before have we borne witness to the magnitude or sophistication of online crime as we did in 2015.”
She cites the 2015 Cost of Data Breach Study by IBM and the Ponemon Institute, which reveals the average total cost of a data breach increased from US$3.52 million in 2014 to $3.79 million in 2015. She also notes World Economic Forum (WEF) forecasts that cybercrime will become a $2.1 trillion problem by 2019.
Kessem predicts cybercrime will reach new levels in 2016, particularly as far as organised crime against businesses, mobile threats and cyber extortion are concerned.
KPMG also believes cybercrime will “hit the big time” in 2016 and notes how governments the world over are finally taking it seriously.
The UK Office of National Statistics, for example, has now recognised the threat and is including cybercrime in its national crime statistics. Its recent field trial revealed more than 7.5 million cyber offences were committed against individuals in the country last year.
Meanwhile, WEF’s report on the top five global risks in 2016 has identified cybercrime as the biggest threat to the US.
IBM Corp’s chairman, CEO and president, Ginni Rometty, recently said cyber crime was “the greatest threat to every company in the world”.
The UAE is a target
Cyber security is becoming an increasing challenge for firms in the UAE and organisations need to be better prepared to ward off attacks, according to the recent KPMG 2015 UAE Cyber Security Survey.
The study focused on UAE organisations’ readiness and ability to respond to cyber-attacks and assessed responses from key sectors in the UAE over a period of two months.
A third of respondents who participated in the survey revealed they had been hacked in the past 12 months and that their businesses had taken between two weeks and a month to recover. More than half of the respondents that had been hacked didn’t know that they were being targeted by cyber criminals, and only 50% of respondents said that they had cyber-attack contingency arrangements in place. Nitin Khanapurkar, partner, KPMG Lower Gulf, says the UAE is on the list of the top 10 destinations targeted by cyber criminals.
“There is a lot of turmoil in the Middle East region, but the UAE is considered safe, so it’s a target for people who want to create unrest,” he says. “In the cyber space one way of causing de-stabilisation is to go after financial institutions and other critical infrastructure.”
Key sectors under threat from cyber hackers across the Gulf region, he adds, include financial services, oil and gas, technology, government, retail, construction, healthcare and hospitality.
The 2015 hotel targets
The reality of the cyber security threat was brought home to hoteliers in 2015 after some of the world’s largest operators – Hilton, Starwood, Hyatt and Mandarin Oriental – had their payment systems compromised during the course of the year.
In November, Starwood Hotels revealed hackers had infected point-of-sale (POS) systems at locations across North America between December 2014 and April 2015.
Investigations found that malware – the term used to refer to a whole host of malicious software such as viruses – was detected in some restaurants, gift shops and other points of sale with the compromise lasting several months at some properties.
“The malware was designed to collect certain payment card information, including cardholder name, payment card number, security code and expiration date,” the company said in a statement. “The affected hotels have taken steps to secure customer payment card information and the malware no longer presents a threat to customers using payment cards at Starwood Hotels.”
The Starwood attack followed reports earlier in the year that credit card systems at several Mandarin Oriental properties in the US and Europe had been accessed by cyber crooks, while a few months later, the Trump Hotel Collection found its payment systems had been breached by cybercriminals.
At the end of 2015, Hyatt Hotels revealed payment processing systems at up to 250 of its properties across the US, China and India had been infected by malware between August and December.
“The malware was designed to collect payment card data – cardholder’s name, card number, expiration date and internal verification code – from cards used onsite as the data was being routed through affected payment processing systems,” according to Hyatt’s global president of operations, Chuck Floyd.
Another US hotel chain targeted last year was Hilton, with hackers infecting some of its POS computer systems with malware to steal credit card information.
Hilton has advised anyone who used payment cards at Hilton Worldwide hotels between November 18 and December 5, 2014 or between April 21 and July 27, 2015 to watch for irregular activity on credit or debit card accounts.
In an online statement, Hilton says information impacted included cardholder names, payment card numbers, security codes and expiration dates.
“Hilton Worldwide has taken action to eradicate the unauthorised malware,” says the statement, “…and has further strengthened its systems.”
ME hospitality sector exposed
Cyber crime and fraud expert Peter Goldmann, the president of FraudAware, says like any other large industry, “hospitality is highly vulnerable to attacks by cyber criminals”.
“This is especially true for hospitality companies whose secure networks and databases store large amounts of customer information including in some cases, credit card data, social security numbers, date of birth etc. These comprise the fuel for identity fraud,” he explains.
“In addition, there is the ongoing risk of internal theft of information breach—by employees with authorised or unauthorised access to secure networks.”
Anthony Perridge, security sales director at Cisco, warns that hotels are “one of the highest targeted entities for cyber-crime” and the “changing threat landscape” is the biggest issue for the industry as criminal methods become more crude.
“We have agile actors who are increasingly more well-funded, and are improving their approaches for attack,” he says.
“Just 10 years ago we were focused on less sophisticated attacks like Blaster and Slammer. We were getting phishing emails from hackers in Nigeria saying ‘if you give me $10 today, I’ll give you $1,000 in two weeks’, and they were poorly worded so we could spot them easily. But today attackers are going to LinkedIn, studying very detailed information about hotel chains and their employees and then sending targeted emails to people to click on a malicious link.
“Even in 2014 the US Secret Service advised the hospitality industry to inspect computers made available to guests in hotel business centres, warning that attackers had been compromising hotel business centre PCs with keystroke-logging malware in a bid to steal personal and financial data from their guests.”
Eric Eifert, senior vice president for managed security services at Abu Dhabi-based DarkMatter, believes hotels in the Middle East are a “prime target” for cyber criminals due to the “international nature of the guests, diverse credit cards utilised, and the difficulty law enforcement would have isolating victims”.
“Only recently, a high-end hotel in the region wanted me to email a copy of my credit card, front and back, with a form including my signature to reserve high tea. This is completely insecure and a horrible security practice, highlighting the vulnerabilities that exist in the region,” he reveals.
“Anyone processing credit card information should not rely on the Payment Card Industry (PCI) assessments as their only cyber security defence.
“In a recent intrusion investigation that I supported involving a hotel, which had successfully passed its PCI audit, malicious software was still identified on its network, and was stealing credit card information prior to it being transmitted to the credit card company. It had been on their system for nine months and they only found out when law enforcement officials contacted them.”
Eifert says hotels and the hospitality industry at large are being targeted by cyber criminals “intent on stealing credit card information and other personally identifiable information (PII)”.
“They are targeting IT systems that contain this information which include the Point of Sales (POS) systems, guest registration databases, and anything else apart from the network they find interesting,” he continues.
“What I have seen cyber criminals do is leverage spear phishing attacks to gain access to a host or user accounts and then move laterally to other systems on the network. Spear phishing is an email that appears to be from an individual or business that you know. But it isn’t. It’s from the same criminal hackers who are trying to access credit card and bank account numbers, passwords, and the financial information on individual PCs.”
POS panic – and it’s just the start
Given data exfiltration is the main risk for the hotel industry, the lack of security measures for day-to-day business activities is “surprising”, says Omar Atabani, director of Foundstone Services – EMEA, part of Intel Security.
“POS is a weak point as they are usually acquired from a local bank, but securing the POS network is the responsibility of the hotel (merchant),” he notes.
“One of the latest methods we are seeing is the use of malware to infect the hotel’s POS and once completed, the hacker will start capturing credit card information as well as other customer personal information.”
Cisco’s Perridge says POS intrusions represent more than 30% of security attacks against hotels.
“[And] malware is definitely a problem. It’s no longer a question of, ‘if’ you will be breached, it’s a matter of ‘when’,” he warns.
“Most hotels have probably been breached already but don’t even know about it. In general, 95% of large businesses are targeted by malicious traffic, with the average cost of each breach being $4.5 million and it takes up to 45 days to resolve a cyber-attack if they don’t have the right security solutions in place.”
While POS infections are currently the most common type of hotel cyber crime, “Web App and Card Skimmer attacks against hotels are growing very fast [too],” Perridge reveals.
“From a cloud perspective, most of the online reservation systems are interconnected with a high security standard, but this is not always the case if the hotel has built its own system.”
Intel Security’s Hidden Data Economy report released in October 2015 found that stolen login credentials to hotel loyalty programmes were also offered for sale on the dark market.
“Apparently, these allow buyers to conduct online purchases under the guise of their victims,” says Atabani. “McAfee Labs researchers found a major hotel brand loyalty account with 100,000 points for sale for $20.”
Another point of interest for hackers is hotel WiFi networks, because they are “publicly accessible and use weak authentication methods”, Atabani continues.
KPMG’s Khanapurkar says rogue access points for WiFi are very common and hotels are a top target.
“When hotel guests check in, they normally need WiFi, and 99 out of 100 will not check for the authenticity of the connection because they just want to get access,” he notes. “There are people who impersonate hotel networks and then misuse the personal details provided.”
Cyber criminals also have the power to “virtually” take over a hotel, which in the worst-case scenario can put guest lives at risk, warns Khanapurkar.
“Most hotels have centralised systems for air conditioning, electricity, and sprinkler systems etc., all of which are WiFi enabled, allowing hackers to create havoc and jeopardise human safety,” he says. “Cyber crime is the means of modern warfare.”
Improving awareness and education
Most top-level hoteliers understand the cyber crime risks and the possible loopholes, yet few are taking the appropriate action, argues Khanapurkar.
“There is a lack of awareness and most hotel staff are not trained to cope with this threat,” he says. “There’s more emphasis on physical security than cyber security.”
KPMG’s aforementioned 2015 UAE Cyber Security Survey was designed to shock organisations into taking action. The company also runs awareness workshops and conducts cyber security audits, notes Khanapurkar.
“We start with board members because organisational awareness needs to come from the top down,” he explains.
FraudAware’s Goldmann says hoteliers should make awareness training a priority.
“This includes training all employees in secure password policies, permitted and non-permitted internet use and access and also the consequences for non-compliance with information security rules and policies,” he says.
Atabani also stresses that education is essential: “We should be conducting regular awareness campaigns, addressing general users, technical staff, and management.”
Hotels also need a crisis plan at the ready to deal with cyber crime attacks, according to Khanapurkar. “When it comes to breaches like this, companies often don’t know how to react,” he says. “It’s critical hotels have a response team in place.”