By Jim Butler and the Global Hospitality Group®
Hotel Lawyers | Authors of www.HotelLawBlog.com
14 January 2014
Hotel Lawyer: The growing problem of security breaches with sensitive customer information.
The recent headlines about the Target and Neiman Marcus security breach with customer credit cards highlights a growing crisis that concerns owners and operator of hotels as well as retailers. In this article, Bob Braun, one of the senior members of our Global Hospitality Group® who focuses on data security -- when he is not working on hotel management or franchise agreements -- gives us some thoughts on what to do about this problem.
The Target and Neiman Marcus breaches:
What hoteliers need to know
Robert E. Braun | Senior Member, Global Hospitality Group®
The Target and Neiman Marcus problem. The massive security breach of Target's customer data may affect more than 110 million Americans -- potentially about 1 in 3 persons living in the United States. Followed in quick succession by another 40 million customers of Neiman Marcus (and more disclosures expected soon from other retailers), it is time for us in the hotel industry to look at our own policies and procedures, and to think about how we should respond to these malicious attacks.
Hoteliers beware. Hotels are obvious targets for identity and financial theft for many reasons. Hotels transact business through credit cards, and those credit cards are kept on file and can be accessed multiple times during a guest's stay. The possibility that a credit card charge will be recorded occurs with each night's room charge, room service, bar or restaurant bill, spa charge, and so on. Every charge is another opportunity for an identity thief to access the information using sophisticated computer hacks and other malicious software, generally without the hotel's knowledge.
The need to respond to guest demands is another source of insecurity. The Identity Theft Resource Center noted, "The ability to connect to the Internet is an integral part of many individual's daily life. This has led to the increased demand for public WiFi." As a result, hotels find themselves compelled to offer wireless internet, and that service is almost always unsecured. But an unsecured wireless network is "just as dangerous as leaving files of your most important personal documents on a street curb for all to see. Hackers can easily get into an unsecured wireless network and get financial information, business records or sensitive e-mails." (PC World, "Got Wireless Security"). At the same time, hotels have little say in the matter. Guests demand wireless internet service.
Finally, hotels have employees -- lots of employees -- and many of them have access to the credit card and other personal information of guests. No matter how well trained and supervised, more personnel correlates to greater risk. The fact that low-level employees typically have access to key guest information, and that there is, historically, a high turnover in hotel employees, exacerbates the problem.
What happened to Target? While investigations are continuing, sources have reported that investigators believe the attackers used similar techniques and pieces of malicious software to steal data from retailers. One of the pieces of malware is a RAM scraper, or memory-parsing software, which allows cyber criminals to grab encrypted data by capturing it when it travels through the live memory of a computer, where it appears in plain text, the sources said. While the technology has been around for many years, its use has increased in recent years as retailers have improved their security, making it more difficult for hackers to obtain credit card data using other approaches.
The lesson? Even as merchants become more vigilant and focus on the security of their systems, criminals have become more sophisticated and are investing more time and effort in crafting their own systems.