In recent years the hotel and restaurant industry has been rocked by an increased number of hackers who have stolen secure data. Hotels have reported more than a dozen data breaches in the past several years. A recent Trustwave study on data breaches ranked hotels as the most vulnerable industry with a 38% occurrence rate.
This has been a major hurdle for the hospitality industry because high-profile breaches have led to loss of business and negative brand impact. Many have been data-stealing malware attacks that have impacted a large volume of credit card transactions. According to Cisco, point-of-sale invasions make up 30% of security attacks against hotels. The costs from these cybercrimes have averaged $5.18 million in the last six years, according to the Ponemon Institute.
Attacks & Resolution
Just last month, the Galt House, Louisville’s largest hotel, reported a security breach on its payment card system. Customers who stayed at the Kentucky hotel from December of 2016 to April of 2017 were affected by the malware attack.
The hotel has since hired a computer forensics firm to strengthen its security system. The hotel is also partnering with payment card networks to initiate heightened monitoring efforts.
A 2015 data attack affected hotels operated by HEI Hotels & Resorts that included Starwood, Marriott, Hyatt and Intercontinental properties. The breach resulted in credit card theft for thousands of transactions at its hotels.
Investigators determined that hackers used point-of-sale malware to steal customer names, card information, verification codes and account numbers from transactions between March of 2015 and June of 2016. To avoid future attacks, HEI reported that it installed a new payment processing system outside of its computer network.
Several years back, the Wyndham Hotel Group faced a large-scale data breach that resulted in data theft for hundreds of thousands of customers and a lawsuit with the Federal Trade Commission. Thus, the hotel chain invested in a new information security management system to catch intrusions more quickly. This included improving data security standards and maintaining better records of ongoing compliance efforts.
Some large hotel chains also were impacted by third-party security attacks in June of this year. Those hotels included Loews Hotels, Four Seasons Hotels and Resorts, Trump Hotels and Hard Rock Hotels and Casinos. This breach of software vendor Sabre Corp. resulted in unauthorized access to thousands of credit cards and some reservation info. Sabre resolved the attack and is working with Mandiant, a large security forensics firm, to improve its SynXis Central Reservation system.
Similar attacks have been reported by hoteliers in Mexico, Canada, the Czech Republic, and elsewhere. For instance, recently Austria’s 111-year-old luxury hotel, the Romantik Seehotel Jägerwirt, reported that hackers used ransomware to hijack its central key management system and cash desk system. The hackers were able to deprogram room keys to lock current guests out of their rooms.
The hotel replaced its existing systems and delinked some of its computers to avoid future attacks on essential services. The hotel also opted to move from a digital lock system back to traditional locks and keys.
The Mandarin Oriental Hotel Group, a Hong Kong-based luxury hotel chain, has dealt with multiple attacks on its systems in recent years. The attacks have resulted in theft of customers’ credit card data. The chain has shied away from disclosing details on how it has resolved the breaches.
Experts say the hotel industry is an easy target for hackers because of the millions of credit card transactions processed annually. In addition, hotel systems house a massive amount of personal data, reservation info and guest preferences. All of this sensitive information can be dangerous in the wrong hands.
Combating a Trend
In the wake of increased attacks, hotel chains continue to vow that protecting customer and payment information is their biggest priority. Thus, hotel chains must continue to raise their standards on ways to better protect their data and payment systems. Point-to-point encryption (P2PE) is becoming the answer for most of these companies.
Security experts have called for more proactive efforts in the areas of reporting and notification from credit card issuers. Better protection likely calls for significant upgrades and investment in network systems, changes in third-party payment to hotel vendors and a greater investment in monitoring systems at the terminal level.
More partnership with the payment card industry will also help in continuing to advance chip and PIN technology. Hotels continue to explore fraud tools that can swiftly find suspicious data breaches and track affected credit cards to notify customers.
The last thing travelers visiting the Hilton Bentley Miami or the Crowne Plaza in Times Square want to do is worry about hackers while on vacation. Greater system and payment security will help travelers stay happy and give them a greater sense of confidence in hotel chains.