The uptake of online business and internet transactions in recent years has exploded and brands need to be more aware than ever of keeping their own – and customers’ – data safe.
The need for data security is nothing new, but today’s cyber-criminals are finding new and increasingly sophisticated ways of stealing sensitive customer data from hotel websites, systems, servers and mobile platforms – even your front desk. And what could a security breach of your hotel’s systems, or those of your partners, lead to? Investigations, serious damage to your reputation, and loss of consumer trust, to name but a few immediate consequences – not to mention thousands of dollars in penalties and fines. Ask yourself: what if it was your hotel guests’ data that was hacked into? To match the efforts of hackers, hoteliers need to pay even closer attention to how they accept, store, and secure customer data and how they use their systems. In this blog we’ll tell you everything you need to know about data breaches, including what they are, the various ways you could be hacked, the consequences, and how to protect yourself.

What is data security?
Data security means protecting sensitive information and data from being accessed, stolen, or damaged by unauthorised persons. Data security may be impacted by cyberattacks or data breaches and can have serious consequences for businesses. Watch the video for tips on how you can keep your hotel safe from data security threats.

What is a hotel data security breach?
A data breach is the release, intentional or unintentional, of private or confidential information to an untrusted environment. In other words, when data is viewed or transferred by someone not authorised to do so, this is a breach. Data breaches may involve financial information such as credit card or bank details, personal health information (PHI), personally identifiable information (PII), trade secrets of corporations or intellectual property. Most data breaches involve files, documents, and other sensitive information.
Data breaches are a concerning and damaging threat to all kinds of industries and businesses worldwide. Hotels are especially vulnerable because they deal with a large amount of personal information from guests and customers. Hackers can take all types of sensitive information from hotels – anything from email addresses to home addresses and credit card data. The fines for such breaches are steep, but they’re not the only things your hotel should worry about. A security breach can significantly tarnish your company’s reputation in a very public way, and many travellers say they will be less likely to book again with a company that lost their data through a security breach.

3 types of hotel security breaches
Here are the most common forms of online security breaches that may occur, along with some tips to avoid a hotel data breach at your property.

Hotel malware
Malware is any piece of software that was written with the intent of doing harm to data, devices or people. Malware is perhaps the most common and most dangerous online security threat thanks to its diversity. Short for malicious software, malware covers many different types of potential dangers to hotel technology such as reservations systems. These include:
The problem is that each of these types of malware requires slightly different methods of removal and protection if a breach does take place at an affected hotel. It’s always good practice to avoid engaging with suspicious emails and clicking insecure links, but the only way to be reasonably safe is to ensure you have anti-malware and antivirus software installed on all the devices you conduct your business with.

Spam
Spam takes its name from a 1970 Monty Python sketch and is the sending of unsolicited messages, mostly advertising via email. The term can also apply to other media such as instant messaging spam, search engine spam, spam in blogs, wiki spam, online ads spam, text message spam, Internet forum spam, junk fax transmissions, social spam, spam mobile apps, television advertising and file sharing spam. It’s usually unwelcome and in some cases carries more dangerous malware with it. However, there are plenty of ways to ensure you’re not bothered by spam at your hotel. Here are some tips:
DoS attacks
A denial-of-service (DoS) attack occurs when a hacker or virus shuts down a machine or network and prevents it being accessed by its intended users. This is usually done by flooding the system with an unprecedented amount of traffic or by sending information that triggers a crash. The victims of DoS attacks are usually high-profile organisations that people hold a grudge against. A few different methods of DoS attack exist. They include:
DoS attacks are very hard to predict or prevent. Usually solutions depend on countermeasures applied once the attack has been noticed.

Examples of a hotel data security breach
Some of the world’s largest companies have fallen prey to data breaches, costing millions of dollars in damages. In 2013 Yahoo was attacked and three billion user accounts were compromised. In the same year eBay had almost 150 million customer accounts accessed illegally. Hotels and bed and breakfast properties have also been key targets of data breaches for many years – and there is one main reason for this: credit card payments. The security breach happens online, because that’s where your guests are making their bookings, or where your front desk staff are making bookings on their behalf. Unfortunately, going ‘off the grid’ isn’t a feasible solution to the issue – the online space is too big to ignore and credit card usage continues to grow. Seeing as hotels process countless credit card payments every day, it’s important to protect all the transaction details of each payment. If the correct systems aren’t in place, there is potential for a security breach to occur. Hotels aren’t unique in being attacked by hackers; other travel companies can be affected. Expedia-owned Orbitz admitted its systems may have leaked the personal information of people that made purchases between January 1 2016 and December 22 2017, affecting about 880,000 payment cards. And while not strictly a data breach, Booking.com paid about 10,000 customers who fell victim to a scheme which conned customers out of data. However, a casual look at a timeline of incidents suggests the hotel industry has been more vulnerable than most. The incidents may have the side effect of deterring customers from trading data with hotels in exchange for the potential benefits of personalised services, a major commercial goal for hotel managers and owners.
Marriott data breach
In 2018 Marriott announced that hackers had attempted to access its Starwood Hotels & Resorts Worldwide guest reservation database. Further investigation revealed unauthorised access to the system as far back as 2014, two years before Marriott acquired Starwood. A valuable lesson here is that businesses should always scrutinise the cybersecurity and data handling of other companies before they enter into any type of deal. Even though the hack happened before the acquisition, it’s still Marriott’s reputation that is compromised. The same principle should be applied when a company acquires new infrastructure, applications, and systems. While these seem like assets, they should also be treated as potential liabilities. Estimates said up to 500 million guests may have had their information at risk in the period between 2014 and 2018, including 327 million guests whose data includes “some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date and communication preferences”. Marriott also confirmed some compromised guest data includes payment card numbers and expiration dates.

IHG data breach
Front desk cash registers at more than 1,200 hotels in the InterContinental Hotels Group, which includes the Holiday Inn and Crowne Plaza brands, were infected with malware that stole customer debit and credit card data between September 29, 2016 and December 29, 2016. The company has a network of more than 5,000 hotels in over 100 countries, so that could mean more than one-fifth of its hotels were affected. The malware stole information read from the magnetic stripe of a payment card as it travelled through the affected hotel’s server. That information could have included the cardholder’s name in addition to card number, expiration date, and internal verification code.
The company suggests that anyone who stayed at one of its properties during the period the malware was present review their payment card statement for any unauthorised activity and report the charges to the card issuer.

Hilton data breach
In 2017 BBC News reported Hilton was fined $700,000 for mishandling data breaches in 2014 and 2015. The company discovered the first breach in February 2015 and the second in July 2015, but first went public with the breaches in November 2015. US federal investigators said Hilton “had taken too long to warn customers and lacked adequate security measures.”

Wyndham data breach
Wyndham Worldwide was involved in a lawsuit after failing to properly safeguard customer information, in a case arising from three data breaches affecting more than 619,000 customers. The Federal Trade Commission wanted to hold Wyndham accountable for breaches in which hackers broke into its computer system and stole credit card and other details from customers, leading to over $10.6 million in fraudulent charges. Under the order, Wyndham established a comprehensive information security program designed to protect cardholder data including payment card numbers, names and expiration dates.

Expedia security breach
Expedia subsidiary Orbitz disclosed that about 880,000 payment cards had been impacted by a security breach that potentially exposed customers’ information to hackers. The travel booking site said an investigation determined that an attacker may have accessed personal information of people who made purchases between January 1 2016 and December 22 2017. The personal information potentially exposed includes credit card information, addresses and phone numbers of customers. The information attackers “likely accessed” included people’s names, dates of birth, email addresses, street addresses, and genders, Orbitz said.

How to protect your hotel: cybersecurity best practices
No hotel is too big or small to be a target.
In fact, smaller independent properties may be even more vulnerable to attack, and less able to bounce back from the loss of reputation and damages paid. It’s not enough to have an SSL certificate on your website, or to rely solely on third-party payment services such as PayPal or Google Checkout to handle your guests’ credit card security. Each program you use must be securely locked down. After all, sensitive data can be intercepted at any point in your guests’ booking process. For example, if your online booking system vendor is not Payment Card Industry Data Security Standard (PCI DSS) compliant, a wayward employee could easily decide to steal credit card data. This is why the PCI DSS standards were invented. Furthermore, allowing your guests to pay securely helps to stop abandoned website bookings. Worldpay reports that nearly one in five online shoppers have dropped out of an online travel booking because of security concerns around payment. If you are not actively protecting your guests’ credit card data, you are putting your business and customers at serious risk.

Hotel security systems
Tip #1: Keep your devices and systems up to date
One of the biggest risks to security is allowing your devices and systems to go too long without the updates and software patches intended to keep them safe. This makes them much more vulnerable to attack from hackers. The updates issued by your software providers are designed to protect you, so it’s important to set your computers to automatically accept and install them periodically.

Tip #2: Regularly back up your data
To reduce the risk of losing data or having it irretrievably damaged, it’s essential to make a habit of backing it up. This will include financial records, business plans, customer data, personal information and so on. Backing up your data is generally easy and cost-effective, meaning there’s no excuse not to do it. Here’s a recommended strategy:
Tip #3: Protect against malware and viruses
Often emails, pop-ups, fake accounts and profiles, and actual hackers will try to infect your computer and other devices with software designed to cripple your business or steal from you. Regularly check your bank and billing records to make sure this isn’t happening. It’s important to install antivirus and anti-spyware software and always update when prompted. Additionally, you should keep track of all the equipment used by your business and who uses it. Educate all your employees on the risks and best practice, and never allow them to take sensitive material home with them, or to use personal devices for work purposes.

Tip #4: Prioritise password security
Some easy-to-remember tips here: update your passwords frequently, never use the same password for everything, and use unique passwords. Once a hacker has one password, every account you own could be under attack if you’ve always used the same one. The same goes if you’re using weak passwords that are easily guessed. The best idea is to change your passwords every few months.

Tip #5: Know when to trust your software provider
It’s vital that you don’t take every piece of correspondence from your hotel technology providers at face value. Phishing emails are very good at seeming legitimate when in fact they’re fake emails trying to steal information. So if your provider sends an email unlike any they have sent before, there could be a good reason not to trust it.

What is PCI compliance?
The PCI Compliance Guide defines PCI DSS (Payment Card Industry Data Security Standard) as “a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment”. PCI DSS has changed the way the travel industry approaches safety standards relating to how credit card payments are handled and processed.
The standard is enforced by major credit card companies – including Visa, MasterCard, American Express, Discover and JCB – as part of their merchant agreements. Designed to help prevent payment card fraud, the standard applies to any business involved in the processing, storing or transmitting of cardholder data, regardless of the transaction volume or dollar value involved. Should a guest use their credit card to pay for something at a hotel, for example – be it a room reservation, spa treatment or coffee – PCI DSS applies to that purchase. PCI DSS compliance is not a ‘nice-to-have’, but an absolute necessity. A security breach not only damages your reputation, but it could potentially wreak havoc on the lives of your guests, and cost you a significant amount in the way of data breach fees.

Hotel PCI DSS requirements
Here’s your quick start list on PCI DSS compliance for hotels:
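One concrete thing “storing cardholder data” means in practice is that full card numbers and card verification codes must never end up in application logs or databases in the clear. The following Python script is an added example (not code from the article or from the PCI Security Standards Council) of the kind of check a hotel’s IT provider can run over its own log files: it finds digit runs that pass the Luhn check used by real card numbers, masks them to the first six and last four digits, and flags fields such as cvv or track data that may not be stored at all. The log lines are constructed for the example.

```python
import re

# Candidate card number (PAN): 13 to 19 digits, optionally separated by single
# spaces or dashes, and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Sensitive authentication data that PCI DSS forbids storing after authorisation.
SAD_RE = re.compile(r"\b(cvv2?|cvc|track[12]?)\b", re.IGNORECASE)

# Constructed sample log lines; no real card data.
SAMPLE_LOG = [
    "2024-03-01 10:15:02 INFO booking created guest=J.Smith card=4111 1111 1111 1111 exp=12/27",
    '2024-03-01 10:15:03 DEBUG gateway request {"pan":"5555555555554444","cvv":"123"}',
    "2024-03-01 10:16:10 INFO phone=+44 20 7946 0958 order=4111111111111112",
]


def luhn_ok(digits):
    """Luhn checksum: true for every genuine payment card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """PCI DSS masking convention: at most the first six and last four digits visible."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _candidate_digits(match):
    return re.sub(r"[ -]", "", match.group())


def find_pans(text):
    """All Luhn-valid card numbers in the text, with separators removed."""
    return [d for d in (_candidate_digits(m) for m in PAN_RE.finditer(text)) if luhn_ok(d)]


def scrub_line(line):
    """Replace every Luhn-valid card number in the line with its masked form."""
    def repl(m):
        d = _candidate_digits(m)
        return mask_pan(d) if luhn_ok(d) else m.group()
    return PAN_RE.sub(repl, line)


def audit_log(lines):
    """Return (line number, finding) pairs for lines that hold data PCI DSS says must not be there."""
    findings = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            findings.append((n, "card number stored in the clear: " + mask_pan(pan)))
        m = SAD_RE.search(line)
        if m:
            findings.append((n, "sensitive authentication data field '%s' present" % m.group()))
    return findings


if __name__ == "__main__":
    for n, finding in audit_log(SAMPLE_LOG):
        print("line %d: %s" % (n, finding))
    for line in SAMPLE_LOG:
        print(scrub_line(line))
```

The third sample line shows why the Luhn check matters: the order number 4111111111111112 is sixteen digits long but fails the checksum, so it is left alone, while the telephone number is too short to be considered at all. In a real deployment the scrubbing would sit in the logging layer so the number never reaches disk, rather than being cleaned up afterwards.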
To help businesses determine their level of PCI DSS compliance, the PCI Security Standards Council provides various Self-Assessment Questionnaires (SAQs) online, as well as professional training for firms and individuals. The cost of becoming PCI DSS compliant depends on a number of factors, including the size of your business and your existing IT infrastructure. To achieve PCI DSS compliance, follow these steps:
1. Speak with your acquiring bank(s) to determine the correct SAQ for your business
2. Complete the appropriate SAQ for your business
3. Submit the SAQ, evidence of a passing scan (if required), and the Attestation of Compliance

HTTPS website security for hotels
Creating a safe hotel website experience should be treated as a duty of care for your guests; can you imagine the consequences of a traveller being defrauded via your website? There’s also the very real danger of travellers abandoning, or not even landing on, your homepage in the first place. The majority of websites use SSL encryption to protect any data that’s transmitted between a website and a shopper. SSL encryption requires a secure form of communication between a website and the consumer, known as HTTPS, where the ‘s’ stands for secure. This is indicated to the user in the URL, which displays ‘https’ in place of the standard ‘http’. It also shows the padlock symbol on the left-hand side of the URL bar, which reassures people their data is secure when entering bank details or viewing their account online.

What does it mean for your hotel’s website? The reality is at some point you will probably collect data from visitors, even if it’s just an email address. It’s also been proven that HTTPS sites will load faster than HTTP, another factor influencing user experience. Surveys say 84% of users would abandon a purchase if data was sent over an insecure connection, and a large majority are concerned about their data being intercepted or misused online. So, if you’re a hotelier that wants to convert direct bookings and maintain a high ranking on Google’s search results, it’s vital you’re HTTPS secure. In the psychology of a prospective guest, seeing that little green padlock will give them peace of mind and an immediate sense of trust in your hotel business.

How to make a website HTTPS secure
One of the easiest ways to ensure your website is secure, along with many other benefits, is to invest in a professional website builder tool. These solutions will automatically come with secure encryption and will also help you maintain a functional, SEO-friendly, and charming hotel website. The beauty of using a customisable website builder is that you’ll have your brand new website within days and it will automatically keep up with Google’s updates as time goes by.

The rise of the hotel credit card breach
Global online travel sales are forecast to hit US $817.5 billion by 2020. Furthermore, statistics show that 74% of travellers from the US alone make use of credit cards while travelling, citing convenience, theft protection, and easier tracking of purchases as the top reasons. According to data from payment systems industry information provider Nilson, credit card use in the US jumped 42% from 2012 to 2018, accounting for US $120 billion in transactions. Unfortunately, these transactions are vulnerable to cyber-criminals who specifically target travellers with disposable incomes. Indeed, hotels are an active hotspot for credit card fraud; according to a study by Trustwave’s SpiderLabs of 218 data breach investigations from 24 countries, 38% of the attacks occurred at hotels and, of the data stolen, 98% was credit card information.

How hotels can avoid credit card fraud
With so much travel now being booked online – and through a variety of channels – the opportunity for hotels to increase sales is getting bigger all the time. However, it also creates challenges in making sure customer payment data is protected and that no breach occurs at the hands of hackers or fraudsters. The vast majority of security compromises (91%) occur at point-of-sale systems, and the fraud is most often Card Not Present (CNP) fraud.
Because CNP transactions are so prevalent in the travel industry and much information is exchanged between hotel and customer, it’s important to know when you might be at risk and how to prevent any data breaches from happening. Since guests expect a hotel to be a safe place to escape to, even a single instance of failing to protect a customer’s data could have huge ramifications for your reputation and finances. Here’s what to look out for:

Hurried purchases
It’s important you don’t get flustered. Take adequate time to verify credit cards, passport details, and other relevant documents to make sure people genuinely are who they say they are.

First-time guests
Be aware of a first-time customer who contacts you online to make a large purchase. Collect all the necessary verification information. For greater security, adopt a payment solution that is designed to capture transaction data in an intelligent manner.

Purchaser location
If you do have suspicions about a customer, do everything you can to verify their legitimacy, including calling and emailing them to collect data and confirm their identity.

Inconsistent addresses

5 best practices for keeping your hotel data secure:
1. Use systems that can secure your customers’ cards
2. Inform all managers and employees of company policies
3. Protect your point-of-sale systems
4. Comply with PCI security
5. Vet third parties

Email phishing scams
Given that 15 million online hotel reservations are made on bogus third-party sites every year, travellers and guests are on high alert about being scammed. These rogue websites trick people into thinking they’re reserving directly with their hotel of choice, then go on to steal their information and money. However, travellers aren’t the only people in the industry who should be worried; your hotel business is just as much of a target as anyone else, and you need to be aware of what phishing is and how to stop it. Almost 80% of organisations report having been the target of a phishing attack each year. Let’s go through what it is, what it may look like, and how to prevent your hotel falling victim to email scams and phishing.

What is a phishing scam?
As the name suggests, phishing is quite similar to ‘fishing’, although far more malevolent. The phisher attempts to lure their target into opening a malicious download, clicking on fake links, or entering personal information in order to steal data or identities. The end goal, of course, is to make money at someone else’s expense. In the case of a business like your hotel, the most common form of phishing would come via email. Likely to be posing as a friend, co-worker, manager, or trusted company, the email would make a seemingly reasonable request to open an attachment or verify information, but would then infect your computer and capture valuable data.

Phishing email example
Usually the email subject will be about changing a password, discussing transactions, updating information, important notifications and the like. Consider this example of a phishing email from scammers posing as eBay: it seems perfectly legitimate at first glance, but it’s hiding some concerning secrets. Here are some clues that may indicate this is a phishing email:
You should also carefully check the incoming email address. Sometimes it’s complete nonsense, but often it will closely mimic the real address it’s passing itself off as.

How to prevent email phishing attacks at your hotel
It’s particularly important you keep your data safe, as a security compromise could also endanger the information of your guests, which could do catastrophic damage to your hotel’s reputation and brand image. There’s a whole range of actions you can take to reduce the number of phishing emails you receive, and to make sure you delete them immediately if they make it to your inbox. Here’s a list of preventative measures for any email you suspect might be fake:
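The advice above to check the incoming address (and Tip #5 on not trusting provider emails at face value) can be turned into a mechanical check that a mail filter or a help-desk tool runs before a human ever reads the message. The Python below is an added example, not code from the article or from any mail provider: it parses the From and Reply-To headers, compares the sender’s domain with a short allow-list of domains each brand genuinely sends from, and catches the two common tricks the article describes, a real brand name buried inside a different domain and look-alike characters in the domain. The brand list, the confusable-letter table and the three sample messages are all constructed for the example; a real deployment would use the full Unicode confusables data and the providers your property actually deals with.

```python
from email import message_from_string
from email.utils import parseaddr
import unicodedata

# Constructed allow-list: brands a hotel hears from, with the domains they
# genuinely send from. Replace with the providers your property actually uses.
TRUSTED_SENDERS = {
    "ebay": ("ebay.com", "ebay.co.uk"),
    "paypal": ("paypal.com",),
    "booking": ("booking.com",),
}

# Partial table of Cyrillic letters that look like Latin ones. A production
# filter would use the full Unicode confusables data; this is enough to show the idea.
LOOKALIKES = str.maketrans({"а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "у": "y", "х": "x"})

# Constructed sample messages; none of these addresses are real.
PHISH_SAMPLE = """From: "eBay Customer Support" <security@ebay.com.account-verify.net>
Reply-To: helpdesk@collector.example
Subject: Your account has been limited

Please confirm your card details within 24 hours.
"""
LEGIT_SAMPLE = """From: eBay <noreply@ebay.com>
Subject: Your order has shipped

Tracking details are below.
"""
# 'bооking.com' spelt with two Cyrillic letters 'о' (U+043E) in place of Latin 'o'.
HOMOGLYPH_SAMPLE = 'From: "Booking.com" <support@b\u043e\u043eking.com>\nSubject: Payout on hold\n\nUpdate your bank details.\n'


def sender_domain(header_value):
    """Lower-cased domain of the address in a From/Reply-To header, or '' if none."""
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return ""
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    try:
        # Punycode (xn--) labels are shown in their Unicode form so the
        # look-alike check sees the real characters.
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass
    return domain


def fold_lookalikes(domain):
    """Map confusable characters to ASCII so 'еbay.com' compares as 'ebay.com'."""
    return unicodedata.normalize("NFKC", domain).translate(LOOKALIKES)


def is_trusted(domain, trusted_domains):
    """True if the domain is one of the brand's domains or a subdomain of one."""
    return any(domain == t or domain.endswith("." + t) for t in trusted_domains)


def check_sender(raw_message):
    """Return human-readable findings; an empty list means nothing looked off."""
    msg = message_from_string(raw_message)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = sender_domain(from_addr)
    if not from_domain:
        return ["From header carries no usable address"]
    folded = fold_lookalikes(from_domain)
    if folded != from_domain:
        findings.append(f"sender domain {from_domain} uses look-alike characters for {folded}")
    for brand, trusted in TRUSTED_SENDERS.items():
        # A brand named in the display name or embedded in the domain must
        # actually send from one of that brand's real domains.
        if (brand in display.lower() or brand in folded) and not is_trusted(from_domain, trusted):
            findings.append(f"claims to be {brand} but was sent from {from_domain}")
    reply_to = msg.get("Reply-To")
    if reply_to:
        reply_domain = sender_domain(reply_to)
        if reply_domain and reply_domain != from_domain:
            findings.append(f"replies go to {reply_domain}, not to the sender domain {from_domain}")
    return findings


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE), ("homoglyph", HOMOGLYPH_SAMPLE)):
        print(name, check_sender(sample) or ["no findings"])
```

Note what the check does not do: a message from a genuine ebay.com address with a compromised account, or a sender that never mentions a brand at all, produces no finding, so this belongs alongside the other measures in the list rather than replacing them.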
Once you know how to spot general phishing emails you should be relatively safe from harm. There are more complex attacks, known as ‘spear phishing’, which target high-profile figures (whales) such as celebrities, but these should affect your hotel far less.

6 hotel data security tips to action now
Don’t forget these six expert tips outlined in the video at the start of this article.
1. Set up antivirus software such as Windows Defender on your computer and make sure it’s up to date.
2. Don’t use email accounts shared between employees to log in to any online platforms and solutions. If an employee is accidentally careless online with the shared password, it can make you that much easier to hack.
3. Try not to use an email address listed on your site as your online system login or username. That potentially makes it easier for a hacker to identify you as their target.
4. Turn on the 2-Step Verification (or multi-factor verification) setting for your email account; Google, Microsoft and many others support this feature. 2-Step Verification is an extra layer of security and will help keep hackers out even if they manage to find your password: it requires an additional piece of information that only you could have, like a code generated on your mobile phone or a personal security question, in addition to your username and password.
5. Schedule monthly reviews via HaveIBeenPwned.com (HIBP) to check if your email account has been involved in a data breach that you might not even have known about. You can subscribe to HIBP to be alerted of any future breaches. Go on, try it now – you might be shocked to find your email there!
6. Do not reuse passwords on different business-related accounts. Ideally, use a different, complex password for each online account you have where sensitive customer or financial data is processed.
This can be a hassle, but for a monthly fee, most password manager solutions, like 1Password.com, can make it simple by helping you remember all your passwords through their app, helping you to keep account information safe without worrying about forgetting many passwords.