Articles Posted in Data Technology, Privacy & Security

Published on:

19 July 2017

Hotels rely on third-party vendors to help run their properties efficiently, and often must give them access to sensitive guest data. This leaves hotels vulnerable to cyber attacks; they’re only as secure as their vendors are, and may find themselves directly liable for a data breach.  My partner Bob Braun, senior member of JMBM’s Global Hospitality Group® and co-chair of JMBM’s Cybersecurity and Privacy Group, discusses recent hotel cybersecurity breaches and how hotel owners can protect themselves.

Hotel data breaches
It’s not you, it’s your “friends”
by
Robert E. Braun

July was another notable month for hotel data breaches – on a single day, several well-known hotel brands and managers, including Four Seasons, Trump Hotels, Hard Rock Hotels & Casinos and Loews Hotels all announced that customer data may have been compromised as a result of a security failure. Each of the incidents is related to Sabre Hospitality Solutions’ credit card data breach in its SynXis hotel-reservations system, which Sabre first announced in a quarterly filing with the Securities and Exchange Commission on May 17. Based on Sabre’s investigation, Sabre announced that the breach was contained to “a limited subset of hotel reservations,” but the incident did allow an unauthorized party to access cardholder names, payment card numbers, card expiration dates, card security codes for some, and, in some cases, guest name, email, phone number and address.

Moreover, the duration of the breach was long quite long. Sabre’s investigation determined that the unauthorized party first obtained access to payment card and other reservation information on August 10, 2016, and the last access to payment card information was on March 9, 2017. The hackers had potential access for seven months.

CONTINUE READING →

Published on:

1 February 2017

Theft of confidential data by hackers is a major threat to businesses worldwide and the hotel industry is no exception. Hoteliers remain vulnerable to hackers seeking confidential information such as guests’ credit card data and employees’ personal information. They are also vulnerable in other ways. In a recent hotel breach, the hackers did not go after confidential data, but rather sought a ransom payment after taking control of the hotel’s technology. My partner Bob Braun, senior member of JMBM’s Global Hospitality Group® and co-chair of JMBM’s Cybersecurity and Privacy Group, describes what happened, and shares what hotels can do in response to such threats.

Hotels and Ransomware — Something Special
by
Robert E. Braun

Last year, at the Global Hospitality Group’s Meet the Money™ Conference, I participated in a panel on Cybersecurity and we discussed how cybersecurity issues affect the hotel industry.  One of the comments was that hotels, more than most private industries, have to take into account the kind of physical harm that might be done by a hacker. We noted that not only are guest information systems targets, but also the life and safety systems – HVAC, elevators, electricity and so on.  We concluded that while financial theft could impact a hotel and its reputation, a hack of the physical structure of a business could put the hotel out of business.

Locked Out

Our discussion turned out to be prescient when, this week, Romantik Seehotel Jaegerwirt, in the Austrian Alps, had their systems frozen by hackers, which resulted in the complete shutdown of hotel computers.

The 111-year-old hotel had already been targeted by hackers twice.  This time, however, the hackers breached the key card system, made it impossible for guests to enter their rooms and prevented the front desk from reprogramming cards.

The hackers demanded €1500 in Bitcoin, promising that control of the key card system and room locks would be returned.  Management of the hotel, fully occupied at the beginning of the winter season, chose to pay the ransom, rather than attempt a solution that could have taken significant time and harmed their 180 guests. CONTINUE READING →

Published on:

10 May 2016

One of the great breakout sessions at our recent Meet the Money® hotel conference in Los Angeles was organized by my partner Bob Braun and moderated by Jeff Higley of HotelNewsNow. I was particularly impressed by the panel’s evidence of how costly cybersecurity breaches can be, how much can be done to prevent or limit exposure, and how reasonable the cost can be for a pro-active approach.

Here is Bob Braun’s summary of this panel last week in Los Angeles. This is a compelling call for an ounce of prevention. . .

 

5 Cybersecurity takeaways from Meet the Money®
by
Bob Braun, Hotel Lawyer and Data Security Advisor

Meet the Money® changes with the times, and the 2016 conference showcased the first panel on Cybersecurity in the hospitality industry – “Who’s Knocking at Your Digital Door,” featuring Bob Braun, from JMBM’s Global Hospitality Group and Co-Chair of the Firm’s Cybersecurity and Privacy Group; Bob Justus, of Optiv Security; Brad Maryman, from Maryman & Associates; Christian Ryan, from MARSH; and Kevin Shamoun, from Zeamster.  Jeff Higley, of STR/HotelNewsNow.com moderated the panel.

The panelists, representing technical, legal law, law enforcement, insurance and payment systems, identified key cybersecurity challenges for the hospitality industry.  Five key takeaways were:

  • Compliance does not equal security. Each of the panelists agreed that while meeting legal and business requirements is essential, compliance does not necessarily achieve real cybersecurity — completing checkboxes on a task list or questionnaire is only a first step. The panelists noted that each of the major hotel breaches in the last year, which involved every major hotel chain, implicated point of service credit card systems that complied with industry standards.  Hotels and hotel companies need to look beyond complying with standardized requirements and has to evaluate their own risk profile and apply meaningful security plans.
  • Informed response is better than instant response. Too many organizations make the mistake of reacting before they think, especially when reporting a breach. Data breaches can be complicated matters, and it is essential to understand the scope of the breach, the data and individuals involved, and how a firm can remediate the source of the problem before disclosure. There is no question that speed is important, but some breaches do not require notification, while acting without ascertaining the facts can require multiple notifications, which is damaging to reputation and sends the wrong message.
  • Credit cards are not the only risk. While much focus is placed on the theft of credit card numbers, hotels must consider other risks. Hotels and hotel companies hold massive amounts of sensitive personal information that can be used to steal a guest’s identity.  Moreover, hotels need to consider more than data; the interconnection of systems means that breaking into a financial structure can give a hacker access to door locks, heating and air conditioning systems, electrical, plumbing and other key structural and physical parts of the hotel.  What would happen if a hacker flooded a hotel, or opened the doors?  This damage can far exceed the damage from lost credit cards, and cause untold damage to the hotel, its brand and owners.

CONTINUE READING →

Published on:

11 January 2016

What part do hotel owners play in preventing a cyberattack and the resulting data breach? The hospitality industry relies on its reputation for confidence, and that confidence can be shattered when guests learn that their private information has been compromised. What can hotel owners do and how should they work with brands and management to prevent a cyberattack?

In the article below, my partner, Bob Braun reminds hotel owners that because they are generally required to indemnify brands and managers for costs the managers and brands incur – which could include a costly data breach – it is in the owners’ best interests to have a comprehensive plan in place.  This article first appeared in Hotel Business Review in December 2015, and is reprinted with permission from www.hotelexecutive.com.

Not Just Heads in Beds – Cybersecurity for Hotel Owners

by
Bob Braun, Hotel Lawyer and Data Security Advisor

The basics of the hotel business have traditionally been simple: good location, fair prices, appropriate amenities and good service were the keys to success. While those factors are important today, hotels are no longer simply a “heads in beds” business; hotels are increasingly brand-oriented. Brands focus not only on the services and products they sell, but on developing the perception and recognition of the brand associated with those goods and services. That means that hotels, like all brands, need to focus more and more on understanding their customers and how to reach them, whether through loyalty programs, advertising, social media or otherwise.

The upshot of the focus on branding in the hospitality business is that hotels gather lots of information about their guests, ranging from credit card data to addresses, phone numbers, travel plans and preferences, birthdays, and more – all of which are valuable not just to the hotel brands and operators, but to cyberthieves. While hotel companies have understood this for years, they are, along with other customer-intensive industries, learning that collecting that information comes with responsibilities and, possibly, liability.

Cybercrime is big business. In 2014, there were 42.8 million detected security incidents (and, most likely, many more that were never discovered). Estimates of annual cost of cybercrime to the global economy ranges from $375 billion to as much as $575 billion as companies face increased vulnerability, ranging from greater technology available to cybercriminals and new types of cybercrime, like crypto-ransom. Cybercriminals began targeting hotels years ago. In a 2010, a Forbes magazine article quoted Nicholas Percoco, who said that “The hospitality industry was the flavor of the year for cybercrime. These companies have a lot of data, there are easy ways in and the intrusions can take a very long time to detect.” The lesson for hotel owners is that they cannot stand idly by – hotel owners must be proactive by instituting best practices in their own operations, requiring the same from managers, and obtaining insurance coverage to fund the inevitable costs of a breach.

The Wyndham Case

The threat to the hospitality industry became particularly evident in the recent federal court case brought by the Federal Trade Commission (the FTC) against Wyndham Hotels. On August 24, 2015, the Third Circuit United States Court of Appeals issued its ruling in the case FTC v. Wyndham Worldwide Corporation. The case was highly anticipated by the data security community generally for its expected ruling on the authority of the Federal Trade Commission to regulate data security standards, but nowhere was the anticipation more keen than in the hospitality industry. After all, this decision didn’t deal with retailers, banks or dating sites – it addressed a major hotel player and, by implication, all operators, brands and owners in the industry. The decision should be a wake-up call to hotel owners because, as described below, hotel owners may ultimately bear the cost of data breaches involving their hotels. Owners should look at the Wyndham decision as an opportunity to consider whether their brands and managers have taken the steps necessary to protect guests and, ultimately, the hotel owner.

CONTINUE READING →

Published on:

03 November 2015

FCC takes two enforcement actions on Wi-Fi

On November 2, 2015, the FCC issued two separate news releases on Wi-Fi blocking. In one action, the FCC announced a $718,000 fine against M.C. Dean, one of the nation’s largest electrical contracting companies, for blocking personal mobile “hotspots” of convention visitors and exhibitors who tried to use their own data plans at the Baltimore Convention Center to connect to the Internet rather than paying M.C. Dean substantial fees to use the company’s Wi-Fi service.

FCC fines Wi-Fi hotspot provider M.C. Dean

According to the FCC, as the exclusive provider of Wi-Fi access at the Baltimore Convention Center, M.C. Dean charges exhibitors and visitors as much as $1,095 per event for Wi-Fi access. Last year, the Commission received a complaint from a company that provides equipment that enables users to establish hotspots at conventions and trade shows. The complainant alleged that M.C. Dean blocked hotspots its customers had tried to establish at the Baltimore Convention Center. After receiving the complaint, FCC Enforcement Bureau field agents visited the venue on multiple occasions and confirmed that Wi-Fi blocking activity was taking place.

The Enforcement Bureau’s investigation found that M.C. Dean engaged in Wi-Fi blocking at the Baltimore Convention Center on dozens of occasions in the last year. During the investigation, M.C. Dean revealed that it used the “Auto Block Mode” on its Wi-Fi system to block consumer-created Wi-Fi hotspots at the venue. The Wi-Fi system’s manual describes this mode as “shoot first, and ask questions later.” M.C. Dean’s Wi-Fi blocking activity also appears to have blocked Wi-Fi hotspots located outside of the venue, including passing vehicles. The Commission charged M.C. Dean with violating Section 333 of the Communications Act by maliciously interfering with or causing interference to lawful Wi-Fi hotspots.

FCC fines and warns Hilton

In a separate announcement, unrelated except as to the subject matter, the FCC proposed a $25,000 fine against Hilton Worldwide Holdings, Inc. for “apparent obstruction of an investigation into whether Hilton engaged in the blocking of consumers’ Wi-Fi devices”. A consumer complaint alleged that Hilton was blocking visitor’s Wi-Fi in Anaheim, California in order to force them to pay a $500 fee to access Hilton’s Wi-Fi. Other complaints alleged similar Wi-Fi blocking at other Hilton-brand properties. CONTINUE READING →

Published on:

02 September 2015

Blocking Wi-Fi connections is “patently unlawful”

On August 18, 2015, the FCC announced a $750,000 civil penalty and formal Consent Decree with Smart City Holdings for blocking consumers’ personal Wi-Fi access at various convention centers, meeting centers and hotels around the United States. Smart City is an internet and telecommunications provider for such facilities, and had been blocking personal mobile “hotspots” being used by convention and meeting attendees.

Apparently referring to the $80 daily fee charged by Smart City for use of its Wi-Fi at the events, Travis LeBlanc, Chief of the FCC’s Enforcement Bureau said, “It is unacceptable for any company to charge consumers exorbitant fees to access the Internet while at the same time blocking them from using their own personal Wi-Fi hotspots to access the Internet.”

The FCC Enforcement Chief went on to say, “All companies who seek to use technologies that block FCC-approved Wi-Fi connections are on notice that such practices are patently unlawful.”

The FCC is focused on preventing Wi-Fi blocking

The FCC action in the Smart City case really emphasizes how serious the FCC is about stopping the practice of hotels and related facilities from blocking consumer hotspots in order to sell their own more expensive access to the internet.

Starting with high-profile investigation and settlement with Marriott International last year, the FCC has taken the following steps: CONTINUE READING →

Published on:

31 August 2015

Massive data breaches affect hotels and their legal responsibilities. As unauthorized hacking of confidential data explodes in volume and seriousness, minimum expected standards are evolving that hoteliers and others must follow. Interestingly, the latest guidelines are provided in an August 24, 2015 appellate court decision involving Wyndham Worldwide as if to emphasize that these rules (really) apply to the hotel industry. How did this case arise? What are some basic steps that everyone with confidential data is expected to take? What happens if they don’t?

In the article below, my partner Bob Braun, explains the current situation and what it means to our industry.

FTC vs. Wyndham Worldwide – What it Means for Hotel Owners

by
Bob Braun, Hotel Lawyer and Data Security Advisor

Background on the case

On August 24, 2015, the Third Circuit United States Court of Appeals issued its ruling in the case FTC v. Wyndham Worldwide Corporation. The case was highly anticipated by the data security community generally for its expected ruling on the authority of the Federal Trade Commission to regulate data security standards, but nowhere was the anticipation more keen than in the hospitality industry. After all, this decision didn’t deal with retailers, banks or dating sites – it addressed a major hotel player and, by implication, all operators, brands and owners in the industry.

We know that cybercrime is big. In 2014, there were 42.8 million detected security incidents (and, most likely, many more that were never discovered). Estimates of annual cost of cybercrime to the global economy ranges from $375 billion to as much as $575 billion as companies face increased vulnerability, ranging from greater technology available to cybercriminals and new types of cybercrime, like crypto-ransom. CONTINUE READING →

Published on:

4 October 2014

Have you ever wondered why your cell phone or personal Wi-Fi hot spot does not seem to work in some hotels?

As more business and leisure travelers equip themselves to stay in constant communication with their work place and families, they have accelerated the tendency to shun high-priced hotel room telephones and internet connections. But sometimes, even when you are in the middle of New York City (or other major urban gateway) on a high floor, your cell service or Mi-Fi just does not seem to work, and you wonder if it is being jammed intentionally by the hotel.

On Friday, October 3, 2014, the Federal Communications Commission (FCC) confirmed (at least in one case) what a lot of travelers have suspected of hotel operators when it announced that Marriott International had signed a Consent Decree and agreed to pay a $600,000 civil penalty to resolve the FCC’s Wi-Fi blocking investigation. This was an investigation into whether Marriott intentionally interfered with and disabled Wi-Fi networks established by consumers in the conference facilities of the Gaylord Opryland Hotel and Convention Center in Nashville, Tennessee, in violation of Section 333 of the Communications Act.

According to the official FCC announcement, the FCC Enforcement Bureau’s investigation revealed that Marriott employees had used containment features of a Wi-Fi monitoring system at the Gaylord Opryland to prevent individuals from connecting to the Internet via their own personal Wi-Fi networks, while at the same time charging consumers, small businesses, and exhibitors as much as $1,000 per device to access Marriott’s Wi-Fi network.

Interfering with private cell phones, Wi-Fi or similar equipment violates federal law

The FCC has set up a special area on its website for providing information about and enabling the public to report illegal jamming. See www.fcc.gov/jammer.

On the website, the FCC prominently displays this warning: CONTINUE READING →

Published on:

14 January 2014

Hotel Lawyer: The growing problem of security breaches with sensitive customer information.

The recent headlines about the Target and Neiman Marcus security breach with customer credit cards highlights a growing crisis that concerns owners and operator of hotels as well as retailers. In this article, Bob Braun, one of the senior members of our Global Hospitality Group® who focuses on data security — when he is not working on hotel management or franchise agreements — gives us some thoughts on what to do about this problem.

The Target and Neiman Marcus breaches:
What hoteliers need to know
by
Robert E. Braun | Senior Member, Global Hospitality Group®

The Target and Neiman Marcus problem. The massive security breach of Target’s customer data may affect more than 110 million Americans — potentially about 1 in 3 persons living in the United States. Followed in quick succession by another 40 million customers of Neiman Marcus (and more disclosures expected soon from other retailers), it is time for us in the hotel industry to look at our own policies and procedures, and to think about how we should respond to these malicious attacks.

Hoteliers beware. Hotels are obvious targets for identity and financial theft for many reasons. Hotels transact business through credit cards, and those credit cards are kept on file and can be accessed multiple times during a guest’s stay. The possibility that a credit card charge will be recorded occurs with each night’s room charge, room service, bar or restaurant bill, spa charge, and so on. Every charge is another opportunity for an identity thief to access the information using sophisticated computer hacks and other malicious software, generally without the hotel’s knowledge.

The need to respond to guest demands is another source of insecurity. The Identity Theft Resource Center noted, “The ability to connect to the Internet is an integral part of many individual’s daily life. This has led to the increased demand for public WiFi.” As a result, hotels find themselves compelled to offer wireless internet, and that service is almost always unsecured. But an unsecured wireless network is “just as dangerous as leaving files of your most important personal documents on a street curb for all to see. Hackers can easily get into an unsecured wireless network and get financial information, business records or sensitive e-mails.” (PC World, “Got Wireless Security”). At the same time, hotels have little say in the matter. Guests demand wireless internet service.

Finally, hotels have employees — lots of employees — and many of them have access to the credit card and other personal information of guests. No matter how well trained and supervised, more personnel correlates to greater risk. The fact that low-level employees typically have access to key guest information, and that there is, historically, a high turnover in hotel employees, exacerbates the problem.

What happened to Target? While investigations are continuing, sources have reported that investigators believe the attackers used similar techniques and pieces of malicious software to steal data from retailers. One of the pieces of malware is a RAM scraper, or memory-parsing software, which allows cyber criminals to grab encrypted data by capturing it when it travels through the live memory of a computer, where it appears in plain text, the sources said. While the technology has been around for many years, its use has increased in recent years as retailers have improved their security, making it more difficult for hackers to obtain credit card data using other approaches.

The lesson? Even as merchants become more vigilant and focus on the security of their systems, criminals have become more sophisticated and are investing more time and effort in crafting their own systems.

CONTINUE READING →

Published on:

11 April 2013

Hotel Lawyer on technology challenges to your proprietary and sensitive corporate information. The continuing advances of technology continue to present a double edged sword. On the one edge are tremendous cost savings, efficiencies and power to manage information. On the other edge are daunting issues of information security and privacy.

In the article below, two of our Global Hospitality Group® lawyers talk about a recent court decision from the respected second circuit in New York that has important implications for every employer in the hospitality industry. It serves as a reminder that good employee handbooks and company policies are important to protecting your valuable business information and electronic data.

Here is what it is all about.

CONTINUE READING →