There has been significant publicity surrounding the security breach at an email marketing company. This is rightfully so, given the scope of the breach and the hospitality brands impacted. However, those looking to avoid security breaches may gain more from reviewing the details of the security breach at the Briar Group restaurants. As detailed in the March 28 settlement with the State of Massachusetts, the breach (which apparently lasted almost 8 months) occurred due to mundane management errors, such as the failure to change default user names and passwords, and the failure to otherwise secure remote access utilities and wireless networks. You can read more about the Briar Group's experience at the Data Privacy Monitor.
Back in February, we worked with The Data Privacy Monitor on a post explaining that there is more to data security than just compliance with the Payment Card Industry Data Security Standards (PCI-DSS). In mid-March, the three major hotel industry associations - the American Hotel & Lodging Association, Hotel Technology Next Generation, and Hospitality Financial and Technology Professionals - issued a joint statement to hotels sending the same message:
Many hoteliers believe they are not vulnerable because they use Point-of-Sale and Property Management Systems that have been validated as conforming to the latest PCI security standards. Unfortunately this is far from the case. Even such validated systems can be vulnerable if the hotel operates them in an unsecured manner. Leading forensics firms agree that the most important security measures are those that keep cyber criminals from getting inside the hotel network in the first place. Once inside, there are many ways for them to steal the data, even if the PMS or POS system itself is secure.
Those who read our post will be familiar with the statement's recommendations. However, they bear repeating, as the Verizon-Secret Service 2010 Data Breach Investigations Report indicates that 96% of data security breaches would have been stopped by taking these essential steps.
- Have your IT Manager or network consultant map out your network electronically, and then eliminate all default passwords from all devices. This should be done at all access points, even the PC in the parking garage attendant’s office. Amazingly, Verizon Business reported that, in 53% of newsworthy attacks investigated in 2009, data thieves gained entry into the network by guessing, correctly, that the network's default password was - wait for it - "password."
- Eliminate holes in remote access to systems inside your network. Remote access by vendors is an essential part of support for many hotel systems. The data thieves know this, and they know how to use it to get inside your network. They know all the default passwords, and they have even been known to steal master customer lists, complete with current passwords, from vendors.
- Use an Internet firewall. If you are connected to the Internet without a firewall, then people you don’t know are probably reaching into your network. A 2007 University of Maryland study counted more than 2,200 attacks on an average Internet-connected computer every day – equating to one every 39 seconds.