In 2017, there were more than 53,000 confirmed security incidents and more than 2,200 data breaches (that were officially reported) according to Verizon’s 2018 Data Breach Investigations Report, many of which targeted hospitality companies. For example, last year Hyatt announced that 41 of its hotels had been infected by malware that stole an unknown amount of visitors’ credit card information. And more recently this year, a breach at Orbitz exposed data on 880,000 customer payment cards. The hospitality industry offers a tempting target for hackers looking to steal credit card data. Why? Because these organizations traditionally have a large attack surface that includes easily exploitable guest Wi-Fi, POS systems with little to no security, and a Rolodex of third-party vendors with network access. Let’s quickly review these individually. Here, Watchguard Technologies details what the top malware are and how hospitality companies should protect themselves.
Credit card data is valuable for obvious reasons, which drives attackers to target POS systems by installing malware once they’ve gained access to a hotel or restaurant’s network. This is often done with tactics like phishing emails, compromised third party access, or through an unsecured Wi-Fi network. This type of malware can run silently in the background for months or years, copying credit card data from the cards the POS system runs, and sending that information back to the hacker. This is what happened to Hyatt last year, as well as many other hospitality companies. Most POS systems don’t have any built-in security, so protecting the network they are connected to is extremely important. Furthermore, to help protect these systems and others within the organization, the network should be segmented to make it more difficult for hackers to get malware onto a POS system in the first place.
Free hotel Wi-Fi is also a tempting target for hackers. There are many ways a hacker can exploit free Wi-Fi to either steal guest information or get into other parts of the hotel’s network. Again, proper network segmentation is important – the guest Wi-Fi network should be kept separate from the business network so that if a hacker gets access to the guest network, he/she cannot burrow deeper to steal other private data. Hotel IT administrators should also consider deploying a Wireless Intrusion Prevention System (WIPS) that can detect and block hacking attempts against public Wi-Fi networks.
Hospitality companies also work with a large number of third-party vendors like delivery companies, cleaning services, supply providers, and more. These partners often have access to their network and can give hackers a back door into a system. For example, some experts believe that the Orbitz data breach was caused by hackers getting credentials from a third party that worked with Orbitz and had access to its customer database. Hospitality companies should limit the information they share with partners and vendors. Only give outside organizations access to the data they truly need and require them to use strong passwords.
Weak passwords and password security – this area is a major security issue for all businesses, hospitality included. Another possible explanation for the data breach at Orbitz was that an administrator’s password was intercepted or guessed. Stronger password practices could have possibly made a difference in this attack. If the admin in question had used a password with over 10 digits, including a random combination of numbers and letters, it would have been difficult to guess or crack. Many breaches occur because employees reuse passwords for multiple accounts, only to have one of those accounts compromised in a data breach. For example, Dropbox was breached in 2012 because a Dropbox employee’s password was stolen in a separate data breach at Expedia and that employee used the same password for his work account as his Expedia account.
The good news is that malware follows trends that can be measured and defended against. Here are some of the key findings from our Internet Security Report for Q4 2017, and what they mean for the your hospitality business.
Cyber criminals leveraged malicious Office documents to trick victims. An attack involving a vulnerability in Microsoft Office’s Dynamic Data Exchange (DDE) protocol made WatchGuard’s top ten malware list for the first time, and two of the top-ten network attacks we saw in Q4 involved Microsoft Office exploits. This means that hackers are increasingly disguising malicious code within Office documents. Malware is often delivered by a phishing email, which is a forged message designed to convince the recipient to click a link or open a document. If they do this, the malicious document will run code that usually secretly downloads and installs malware on their device. Train all your hotel or restaurant employees with work email accounts to be on the lookout for emails with Microsoft Office documents that they don’t expect or recognize - it could be an attempted hack.
Overall malware attacks grew significantly. WatchGuard saw 33 percent more malware in Q4 over the previous quarter. This can likely be attributed to heightened criminal activity during the holiday season. Like sales and advertising, malware is seasonal. Make sure your employees are trained to recognize phishing emails and review your security practices before major holiday seasons to prepare for these spikes.
Nearly half of all malware eluded basic antivirus (AV) solutions. This level of growth suggests criminals are using more sophisticated evasion techniques capable of slipping attacks past traditional AV services. Make sure that whatever firewall or Unified Threat Management (UTM) security product your organization has deployed offers both these AV methods.
Scripting attacks account for 48 percent of top malware. Script-based attacks accounted for the majority of malware detected in Q4 2017. This kind of malware is usually embedded in a web page or email attachment. All hospitality employees should be extremely careful when clicking on links or attachments in emails. Never click a link or open an attachment from an email address that you do not recognize, but also be aware that sophisticated phishing emails will often appear come from a member of your own organization. If something seems suspicious, be sure that you and your teams remember to confirm it offline or manually type the link into your browser instead of automatically clicking.
All of this information may seem intimidating, but basic security best practices make a huge difference when it comes to defending your businesses from cyber attacks. With some simple steps, hospitality organizations of all sizes can reduce the likelihood of sustaining a breach. Be sure to train employees to remain vigilant while using company email, especially with regard to messages that include Office documents or potentially malicious links and attachments. Lastly, stay ahead of seasonal malware campaigns and make sure you have a network security product that offers an AV solution with behavioral-based detection capabilities. Remember these tips to avoid becoming a data breach statistic in 2018.
Seattle-based WatchGuard Technologies Inc. manufactures network security products.