Why data hacks are impacting the loyalty business
Memory-scraping malware found in Hilton, Target and 20 other POS attacks
Sage business software latest to report data losses – insider suspected
If you discounted the latest news of a POS attack at Hilton Worldwide hotel chain as just another security breach that is not relevant to you as a loyalty professional, then think again. Security breaches damage the reputation of the organisation being hacked, but crucially they also affect the confidence of the consumer. If customers decide that loyalty points are not a big enough carrot to make sharing data worthwhile then the whole loyalty equation breaks down.
And the fall-out goes further than this. Hotels and large retailers have never been the most secure places when it comes to data. Hotel staff in particular are often transient, travelling the world and staying in one post for only short periods. Networks need to interact between reception (where an advance card payment is taken), the restaurant, the bar and various other hotel POS stations, such as the spa. Hotel chains, such as the Hilton, share data with other locations, or use the same network and data storage facility for the whole chain even though individual hotels may be operated as franchises.
The cynical, and those in the know about payments, are fairly blasé about card data theft, because they are well aware that data from every one of our cards has been stolen many times already. But most people get touchy about their personal details being shared, such as who they were staying at the hotel with! Here lies the problem, as last year’s Ashley Madison illicit dating site data breach amply illustrated.
What we know about the Hilton Group attack:
Twenty hotels belonging to the HEI Hotels and Resorts group have been hit by PoSeidon malware that targets POS systems with the intention of stealing customer data to sell it on.
The group, which includes the Marriott, Hyatt, Le Meridien, Sheraton, Westin and Intercontinental chains, is the latest in the hotel industry to report payment card data breaches due to PoS malware this week.
This kind of POS malware is a memory scraper: it hunts through RAM for data in the track 2 format (the payment data encoded on the magnetic stripe of a payment card). That data is present unencrypted in memory only very briefly, but memory-scraping malware is designed to capture it the instant it appears. The card data is then sent to the attacker’s remote computers and subsequently sold on underground sites.
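As an added example (not code from the original article or from any vendor named in it), the check below is the kind a defender would run over a memory dump or log capture from a POS host to confirm that no clear-text track 2 data is lingering once processing has been isolated. It matches the ISO 7813 track 2 layout described above and uses the Luhn check to discard digit runs that merely look like card data; the sample buffer and the PAN in it are constructed test values, and only a masked PAN is reported so the tool itself does not leak card numbers.

```python
import re
from dataclasses import dataclass
from typing import List

# ISO 7813 track 2: ';' start sentinel, PAN (up to 19 digits), '=' separator,
# YYMM expiry, 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)


def luhn_ok(pan: str) -> bool:
    """Return True if the PAN passes the Luhn checksum (rejects look-alike digit runs)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only BIN (first 6) and last 4 digits, as PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Track2Hit:
    offset: int          # byte offset of the record in the scanned buffer
    masked_pan: str
    expiry: str
    service_code: str


def scan_for_track2(data: bytes) -> List[Track2Hit]:
    """Report every Luhn-valid track 2 record found in a raw dump or log buffer."""
    text = data.decode("latin-1")   # one byte per char, so offsets stay exact
    hits = []
    for m in TRACK2_RE.finditer(text):
        pan = m.group("pan")
        if not luhn_ok(pan):
            continue                # decoy / random digits, not a card record
        hits.append(Track2Hit(m.start(), mask_pan(pan), m.group("exp"), m.group("svc")))
    return hits


# Constructed sample: log noise, one record with the standard test PAN
# 4111111111111111, and one decoy record whose PAN fails the Luhn check.
SAMPLE_DUMP = (
    b"POS-TERM-07 sale 12.50 GBP ok\x00\x00"
    b";4111111111111111=25121011234567890?"
    b"\x00garbage ;1234567890123456=2512101999?"
    b"\x00receipt printed"
)

if __name__ == "__main__":
    for h in scan_for_track2(SAMPLE_DUMP):
        print(f"offset {h.offset}: PAN {h.masked_pan} exp {h.expiry} svc {h.service_code}")
```

A clean host should return an empty list; any hit means card data is sitting unencrypted where the malware described above would find it.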
This is by no means the first case of a compromised hotel PoS system. Other US hotel groups that have been targeted in recent years include the Mandarin Oriental hotel group, the Hilton Worldwide hotel chain and the Trump Hotel Collection.
HEI issued a notice that it “recently” became aware of a security incident possibly affecting the personal information of some customers who made payment card purchases at point-of-sale terminals, such as food and beverage outlets, at certain HEI managed properties.
“As a precaution, we are providing this notice, on behalf of our hotel property owners, to make potentially affected customers aware of the incident and call their attention to steps they can take to help protect themselves,” the notice said.
The hotel group said it was alerted to a potential security incident by its card processor, and an “extensive forensic investigation” had revealed payment card data stealing malware had been installed on HEI payment processing systems at certain properties.
“We believe the malware could have affected payment card data – including name, payment card account number, card expiration date and verification code – of customers who used a payment card at point-of-sale terminals at the affected properties,” the hotel group said.
The company listed 20 hotels that investigators believe were affected by the malware at various periods ranging from December 2016 to June 2016.
HEI said it had disabled the malware and was in the process of re-configuring various components of its network and payment systems to enhance the security of these systems.
This includes moving payment card processing to a stand-alone system that is completely separated from the rest of the network.
“We have contacted law enforcement and will continue to co-operate with their investigation. We are also co-ordinating with the banks and payment card companies,” the hotel group said.
Could they do more?
This is not the first time that the Hilton group has been affected by POS malware, so it seems this was not a lucky break for the hackers. They have done the right thing by separating the card payment system from the rest of the hotel network, but undoubtedly better data security practices are also needed.
George Rice, senior director of payments for HPE Security, suggested format-preserving encryption (FPE) as a way for companies to secure their environments through the use of one security approach across all of their business operations.
Joe Fantuzzi, CEO of risk management firm RiskVision, said: “It’s clear that these PoS attacks are netting lucrative gains for cybercriminals. PoS systems remain the low-hanging fruit for attackers, yet they continue to hit victims where it hurts the most – accessing customer data.”
These continued attacks against well-established retail and hotel brands, said Fantuzzi, indicate that no organisation is immune from compromise.
Philip Lieberman, president of Lieberman Software, said the current business model of hotels and their franchisees does not include cyber security as one of the deliverables provided to their licensees.
“The types of equipment and software used by the properties, and the software patching and monitoring are woefully inadequate for today’s threats,” he said.
Few – if any – large hospitality companies provide centralised network operations and security operations centres, said Lieberman.
“There are costs of operating such facilities as well as privacy issues that would need to be addressed, but no hotel chain to date has stepped up and shown leadership in cyber security,” he said.
It is not just the hospitality industry that is suffering from malware hacks.
Business software company Sage has warned that a data breach using an internal log-in may have compromised employee data at nearly 300 UK firms.
According to Sage, which is a UK-based company, there has been some unauthorised access using an internal log-in to the data of a “small number” of UK customers.
The data breach may have compromised the personal details and bank account information of employees of nearly 300 UK companies, according to the BBC.
Sage reported the breach to the City of London police and the information commissioner’s office (ICO) a few days ago.
The software firm said in a statement that it is working closely with the authorities to investigate the breach and is notifying customers who may be affected.
News of the breach has already affected the company’s share price.
Highlighting that the costs of data breaches are seldom confined to remediation and recovery, Sage’s share price fell as much as 4.3% in early trading on 15 August 2016.
Sage, which provides business software for accounting and payroll services to firms across 23 countries, has an annual turnover of £1.3bn, and is the only technology stock on the FTSE 100.
Early reports are suggesting that the Sage hack could be a revenge attack by an employee.
According to reports by the Ponemon Institute, and Quocirca, most organisations in Europe rely on outdated security technologies, exposing them to breaches by malicious or hapless insiders.
Malicious employees are usually the focus of insider threat protection efforts, but accidents and negligence are often overlooked data security threats.
Internal threat of data breaches
Eduard Meelhuysen, vice-president for Europe at cloud security firm Netskope, said the data breach at Sage is a powerful reminder that although many businesses look to protect their data from outside threats, the “uncomfortable truth” is that a significant risk often comes from the inside.