Hospitality Industry On Mission To Curb Cyberattacks

Published: 22/11/2024   Category: security




Effort aims to make hotels less attractive targets for cybercrime



Three major hospitality trade associations have banded together to warn hotels nationwide about the rise in cyberattacks on their industry and to spell out the specific security measures the establishments should take ASAP to protect credit and debit card data.
The American Hotel & Lodging Association (AH&LA), Hotel Technology Next Generation (HTNG), and Hospitality Financial and Technology Professionals (HFTP) issued a rare joint statement that basically dispels the myth among some franchisees and smaller hospitality establishments that it's up to vendors or credit card brands to properly lock down credit and debit card data.
Hotels and motels are increasingly becoming targeted by cybercriminals trolling for credit and debit card data. Hospitality accounted for 15 percent of the breaches in Verizon's 2010 Data Breach Investigations Report, and 10 percent of data breaches investigated by Trustwave's SpiderLabs last year were from the hospitality industry -- more than government (6 percent) and financial services firms (6 percent). While that was actually a decrease from the year before, when hospitality was the No. 1 target with 38 percent of the breaches, Trustwave has warned that the hospitality industry should remain on high alert. The organized crime group behind the hospitality hacks has basically expanded the scope of its targets to food and beverage (57 percent of the breaches this year) and retail (18 percent), according to Trustwave.
"Our objective is to make our industry hard enough so we are no longer interesting to cybergangs," says Douglas Rice, CEO of HTNG.
Franchises, meanwhile, worry about their brand reputation when one of their franchises suffers a high-profile breach. "And there's the potential for direct fines from [card] issuers. They do view the brands as having some responsibility for merchants operating underneath their brands," Rice says.
The goal is to get franchisees and smaller establishments up to speed on security. "In most cases, the hotel, not the vendor, is responsible for preventing unauthorized people from gaining access to their system. This is the hole that is most frequently exploited by the criminals. Even when a national hotel brand or management company provides network security for the hotel, the local property remains in control of important elements," the trade associations said in the joint statement.
They specify three security steps each hotel should take. The first is to change all default passwords in the network on everything from servers to routers and firewalls. Rice says it's the forgotten machines, like the PC on the engineering manager's desk that uses a weak or default password. "That can be the point of entry," he says. Some 54 percent of breaches logged by Verizon in its recent breach report had used the word "password" as the password, he notes.
The second step is to close holes in remote access points to the network. That includes removing default passwords and strengthening administrative and remote-access credentials, as well as instituting stronger authentication for vendors and staffers. And third, many smaller hotels don't have a network firewall, so the associations are calling for all establishments to get one: "They think, 'Nobody's going to attack us -- we don't need a firewall.' That attitude is fairly pervasive," Rice says.
Rice says the associations hope to raise awareness among franchisees and smaller hotels, as more of a neutral party than their franchise corporation would be, for example. The sometimes-awkward relationship between some franchises and their franchisees doesn't facilitate security, he says, and many large chains are hamstrung by old agreements that limit their oversight. "They are less in a position to persuade them," he says. "So we thought maybe we can chime in and be a separate voice that's not perceived to have a bias."
The hospitality industry's security statement and recommendations will also be published by the American Hotel and Lodging Association, which represents nearly half of the hospitality industry, including smaller, independent establishments less likely to be up on cybersecurity threats or even PCI.
"The weakest link right now is the smaller, independent hotels that haven't taken this seriously to date," Rice says.
But the associations say their security recommendations, which are merely a subset of PCI-DSS, don't constitute an actual security plan, and that hotels should follow PCI as well. "We strongly recommend that hotels take the PCI requirements seriously because the threat is real and because PCI is effective. However, many hotels have told us they find completing the PCI standards very challenging or believe that their vendors have them covered. If this describes your mindset, then it is time for you to take ownership of security for your hotel systems. Start work immediately on these three important areas that are entirely under your control; that can be addressed quickly, inexpensively, and effectively; and that can dramatically improve your security," they said in their directive.