cyber image 1

Last thing I remember, I was
Running for the door
I had to find the passage back
To the place I was before
“Relax,” said the night man,
“We are programmed to receive.
You can check-out any time you like,
But you can never leave.”

Iconic American rock band The Eagles released “Hotel California” in 1976 and it rocketed to the top of the music charts. Many Eagles fans consider Hotel California to be the band’s single best song. The lyrics describe a strange, disturbing existence in which those who check in to the Hotel California become caught in a web from which they may never escape. Forty years later, it appears The Eagles may have seen the future, in which hotel guests run the risk of being caught in a web spun by cyber thieves.

As noted travel author Peter Greenberg recently wrote, “Cyber thieves love hotels—and not just the front desk. They target hotel spas, parking facilities, and anywhere there’s either WiFi or the opportunity for a credit card transaction.”

Some recent examples of the love cyber thieves have for hotels would include a major attack on Hyatt Hotels last year that targeted about 250 locations worldwide, nearly 100 of those in the United States. Just before Hyatt reported its breach, Starwood, a hotel chain that includes such brands as W Hotels, Sheraton, Westin and Le Meridien, reported 54 of its locations had been hit by malware designed to steal customers’ credit card information. In September 2015, Hilton Worldwide reported a possible breach at several of its properties, including the company’s flagship Hilton locations as well as Embassy Suites, Doubletree, Hampton Inn and Suites, and Waldorf Astoria Hotels & Resorts. In October, the Trump Hotel Collection confirmed a breach that affected customers at Trump SoHo New York, Trump National Doral, Trump International New York, Trump International Chicago, Trump International Waikiki, Trump International Hotel & Tower Las Vegas, and Trump International Toronto. Other victims included the Mandarin Oriental hotels in the U.S. and Europe and hotel management firm White Lodging Properties whose breach affected the Marriott and Starwood brand families.

The obvious question—what is it about hotels that make them particularly vulnerable—was asked and answered by Mark Bower, HPE Security global director of product management for enterprise data security, in a recent article in Business Travel News. Bower said the type of point-of-sale (POS) systems used at hotels is part of the problem. “These are often integrated POS environments running applications in an environment that is not as secure as modern hardened payment terminals designed to capture payment data and implement encryption independent from the POS itself,” said Bower. Moreover, the same article quotes Shaun Murphy, founder and CEO of SNDR, a message- and file-sharing app, as saying “If you call a hotel to make a reservation, they manually type in your card information and leave your credit card on file…Your personal details are stored in so many different systems, there are so many more ways for malware to have access to them.”

Hotels deal with a high volume of payment card transactions and have significant employee turnover. They are ripe targets for attack, and business travelers are well served to think you can check in any time, but remember, your data may quickly leave.

By Tom Davis, SDI Cyber Risk Practice
March 8, 2016