
PoS malware attacks highlight need for security standards in hotel industry

Ongoing data breaches through point of sale malware highlight the need for security standards and central support for franchisees in the hotel industry, say security experts

Twenty hotels belonging to the HEI Hotels and Resorts group have been hit by point of sale (PoS) malware, highlighting the need for security standards in the industry.

The group, whose managed properties include Marriott, Hyatt, Le Meridien, Sheraton, Westin and Intercontinental hotels, is the latest in the hotel industry to report payment card data breaches due to PoS malware.

Compromised PoS systems have hit other US hotel groups in recent years, including the Mandarin Oriental hotel group, the Hilton Worldwide hotel chain and the Trump Hotel Collection.

HEI issued a notice that it “recently” became aware of a security incident possibly affecting the personal information of some customers who made payment card purchases at point-of-sale terminals, such as food and beverage outlets, at certain HEI managed properties.

“As a precaution, we are providing this notice, on behalf of our hotel property owners, to make potentially affected customers aware of the incident and call their attention to steps they can take to help protect themselves,” the notice said.

The hotel group said it was alerted to a potential security incident by its card processor, and an “extensive forensic investigation” had revealed payment card data stealing malware had been installed on HEI payment processing systems at certain properties.

“We believe the malware could have affected payment card data – including name, payment card account number, card expiration date and verification code – of customers who used a payment card at point-of-sale terminals at the affected properties,” the hotel group said.

The company listed 20 hotels that investigators believe were affected by the malware at various periods ranging from December 2016 to June 2016.

HEI said it had disabled the malware and was in the process of re-configuring various components of its network and payment systems to enhance the security of these systems. This includes moving payment card processing to a stand-alone system that is completely separated from the rest of the network.

“We have contacted law enforcement and will continue to co-operate with their investigation. We are also co-ordinating with the banks and payment card companies,” the hotel group said.

HEI said its systems are now safe to use, but it urged customers to remain vigilant and continue to monitor statements for unusual activity.

Risk visibility

George Rice, senior director of payments for HPE Security, said businesses need to consider the far-reaching consequences of a data breach and require that their franchisees adhere to strict data security practices to avoid negative impacts.

“Industries that embrace standards-based security practices such as format-preserving encryption (FPE) make it possible for companies to secure their environments through the use of one security approach across all of their business operations,” he said.

Joe Fantuzzi, CEO of risk management firm RiskVision said: “It’s clear that these PoS attacks are netting lucrative gains for cybercriminals and as a result, we will likely see more down the road.

“PoS systems remain the low hanging fruit for attackers, yet they continue to hit victims where it hurts the most – accessing customer data,” he said.

These continued attacks against well-established retail and hotel brands, said Fantuzzi, indicate that no organisation is immune from compromise.

“It’s imperative that organisations have complete visibility into their risk posture, which, in turn, allows them to prioritise the vulnerabilities that can open the door for customer data theft, affecting brand and reputation for years to come,” he said.

“For retailers and the hospitality industry, that especially means shoring up security gaps around vulnerable third-party PoS systems, before attackers can find and exploit these vulnerabilities to cause harm.”


Philip Lieberman, president of Lieberman Software, said the current business model of hotels and their franchisees does not include cyber security as one of the deliverables provided to their licensees.

“Along these same lines, the types of equipment and software used by the properties, software patching and monitoring are woefully inadequate for today’s threats,” he said.

Few – if any – large hospitality companies provide centralised network operations and security operations centres, said Lieberman.

“There are costs of operating such facilities as well as privacy issues that would need to be addressed, but no hotel chain to date has stepped up and shown leadership in cyber security,” he said.
