Category Archives: Privacy

Hospitality Industry Privacy Risks: Texas Hotel Employee Arrested For “Attempted Improper Photography And Visual Recording”; Cell Phone Placed In Ceiling Above Guest Room Shower

“…Police say a guest reported hearing an alarm-type sound coming from the bathroom area of her hotel room while she was in the shower…she found a small pinhole with a camera lens behind it in the ceiling. After moving the tiles, she discovered the cell phone…Hotel security removed the camera from the ceiling and noted that it was powered on…The room’s electric lock showed that (the defendant) had entered the room the day prior with the key assigned to him….”

A housekeeper at the Hyatt Regency hotel located at 208 Barton Springs is charged with misdemeanor attempted improper photography and visual recording. Blue Moo Too, 30, is charged after his cell phone was found hidden in a ceiling tile above the shower of one of the hotel rooms.

Video on the phone showed a man placing it in the bathroom ceiling and wiping away his footprints from the bathtub. The hotel’s executive housekeeper identified the man as her employee, Too, a housekeeper at the hotel.

Too was booked into Travis County Jail on April 12 with a $25,000 bail. He has since bonded out. Police say they didn’t find evidence of any other victims on his cell phone. His computer is still being looked at. At this time, the former housekeeper is facing up to one year in jail and a fine of no more than $4,000.

For more: http://www.kvue.com/news/Hyatt-hotel-worker-charged-with-improper-photography-203045331.html

Filed under Crime, Guest Issues, Labor Issues, Liability, Management And Ownership, Privacy

Hospitality Industry Payment Security: More Restaurants And Hotels Are Using “Mobile Credit Card Readers” To Increase Efficiency; FTC Report Cites Financial Information Security Issues

The report encourages industry-wide adoption of strong measures to ensure security throughout the mobile payment process. The report addresses ways sensitive financial information can be kept secure during the mobile payment process, such as through end-to-end encryption. The possibilities for encryption listed in the report cover everything from the authentication of data during the transaction to the secure storage of information on a mobile device.

“The Smelly Cat Coffee Shop in Charlotte is one of the nation’s top users of the Square card reader. The business uses the device for all of its credit card transactions…(the restaurant) says customers’ card info is safe because the program doesn’t allow cashiers to see customers’ information when they swipe…”

Mobile credit card readers like the Square and Intuit devices are growing in popularity around the country. The devices offer merchants the ability to accept credit card payments anywhere and are often less expensive than traditional card swiping technology.

But the Federal Trade Commission and consumer watchdog groups are urging consumers to be vigilant about protecting their financial information when using the devices. The FTC recently released a report on the growing popularity of mobile payment devices. The report did not name any specific threats that come from using mobile card devices. The agency is urging consumers, as well as merchants, to make sure that financial data is protected in each transaction.

The Better Business Bureau said consumers should make sure they trust the merchants they allow to swipe their debit and credit cards using the devices. It is buyer beware. According to Janet Hart of the BBB, people should be careful about how, when, and where they use their credit card, because there is a chance the data could be misused.

Staff at the shop said they have not had any negative reactions from customers using the device at the store.

“It’s a similar security that you would find on a receipt, on a printed receipt, that a waiter or waitress would be exposed to in a restaurant,” said Burleson. However, advocates said consumers should use the same caution when using the mobile readers that they would use when ordinarily swiping their credit cards.

For more:  http://centralny.ynn.com/content/top_stories/654110/mobile-card-readers-spike-in-popularity–groups-urge-concern-over-possible-id-theft/

Filed under Crime, Guest Issues, Liability, Management And Ownership, Privacy, Risk Management, Technology

Hospitality Industry Data Security Risks: Hotels Are At Significant Risk Of “Large-Scale Hacking” Of Guest Personal Information, Including Information In Reservation Systems

“Data security is becoming an issue of significant importance in the hospitality industry…(because of) an increase in hacks and malware attacks, which frequently target hotel systems because they’re a rich source of personal information… hackers aren’t just targeting data on hotel systems but also the information passed along to reservations systems…credit card theft is much easier — and more likely — through large-scale hacking…another reason hotel guests are vulnerable to having their personal information stolen: They’re easily distracted.”

Several days after Traci Fox visited a small independent resort in the Catskill Mountains, she received an unexpected call from a shoe store. Where did she want it to ship the $400 worth of pricey sneakers that she’d ordered?

Fox believes that her hotel may have compromised her credit card information. At least one government agency shares her concerns. Last summer, the Federal Trade Commission sued Wyndham Hotels, alleging that the company had failed to protect its customers’ personal information. As a result, the FTC claims, hundreds of thousands of credit card numbers fell into the wrong hands, leading to millions of dollars in fraud-related losses. Wyndham denies any wrongdoing and is fighting the suit.

The problem may run deeper than the theft of credit card numbers, however.

The personally identifiable information in your guest profile, such as your home address, your license plate number and your date of birth, which is attached to your reservation, can end up in the hands of a third party that offers little or no warranties about how it will protect your data. “These kinds of areas are more worrisome than some huge Visa bill,” says hotel consultant Marion Roger. “Once your identity has been cloned, you can easily spend years and hundreds of thousands in legal and other fees.”

For more:  http://www.washingtonpost.com/lifestyle/travel/the-navigator-when-you-check-in-your-private-information-may-be-checked-out/2013/03/28/07cb90ca-9599-11e2-bc8a-934ce979aa74_story.html

Filed under Crime, Guest Issues, Liability, Management And Ownership, Privacy, Risk Management, Technology, Theft

Hospitality Industry Cybercrime Risks: Hotel And Restaurant “Connected Point-Of-Sale (POS) Systems” Attacked By New Malware Called “Dexter”; Steals Credit Card Data And Transmits It “Encrypted” Back To Attacker

“…Just before the 2012 festive period, a new piece of malware surfaced and was found in hundreds of POS systems in hotels, restaurants, retailers and private parking providers. The malware was discovered by Israel-based security firm Seculert: ‘Dexter’ (which comes from the string ‘BKDR_DEXTR.A’) is a data-theft tool used to target and attack POS systems. The program, which is Microsoft Windows-based, uses common techniques to search the memory of running processes to identify credit-card track data, but with the uniqueness of the attacker having full control…”

Connected point-of-sale (POS) systems – that’s the checkout to you and me – are the most recent targets of the cybercriminal, and a specially-crafted malware, dubbed Dexter, is further indication that now all kinds of connected devices may be vulnerable to attack.

Seculert CTO and co-founder Aviv Raff explains that while the company is as yet uncertain as to who is behind Dexter, the author is fluent in English: Dexter mainly targeted English-speaking countries. The malware was located in 40 different countries, but notably 42 per cent of POS systems targeted were in North America and 19 per cent UK-based. “Instead of going through the trouble of infecting tens of thousands of consumer PCs or physically installing a skimmer, an attacker can achieve the same results by targeting just a few POS systems with specially crafted malware,” Raff says.

The malware injects itself into the iexplore.exe process on Windows systems by rewriting a registry key. It then pinches sensitive credit-card data from the server before transferring it to a remote command and control system. Windows-based POS systems are used increasingly in the industry, and according to Seculert’s findings, 51 per cent of targeted POS systems use the outdated Windows XP. The high percentage indicates that Windows-based machines which process unencrypted track data are viable targets.

Microsoft Windows XP may be the ‘preferred’ choice for POS systems, especially among smaller retailers who feel that they cannot afford to upgrade, but with the operating system to be discontinued in 2014, the question is over what support will be offered for remaining XP users and if they will be able to handle the upgrade to Windows 7 or 8.

“Dexter only has three purposes in life,” says Trustwave’s security researcher Josh Grunzweig. “To always be running on the victims’ machine, to find any card, or track, data in any running program on the victim, and to communicate with the attacker who is controlling it.”

The latter is what makes the malware stand out and impresses Grunzweig. “I can’t remember the last time I saw a piece of malware that targeted POS systems that had a nice command and control structure to it,” adds Grunzweig.

He explains that the attacker maintains control of the attack through ordinary communication methods, but hides what is being sent by encoding the data. By default the malware sends a message to the attacker every five minutes, and every 60 seconds it checks the victim’s running processes for any track data.

The magnetic strip on a credit card contains three tracks and the malware attempts to extract data from memory relating to tracks one and two, containing numeric or alphanumeric data that can be used to clone the card that was used in a transaction. If Dexter finds any of this track data, it alerts the attacker in the next message sent and the process is repeated. The attacker has the control to change the times and install additional malware or even remove Dexter altogether.

“The most unusual thing about Dexter is the small amount of public attention it has received,” says Trustwave’s Josh Grunzweig. “The issues that make POS-specific malware difficult to discuss in the industry also affect the ability of antivirus companies; without samples they are unable to provide detailed protections for specific threats.”

For more:  http://eandt.theiet.org/magazine/2013/03/turn-on-log-in-checkout.cfm

Filed under Claims, Guest Issues, Liability, Management And Ownership, Privacy, Risk Management, Technology, Theft

Hospitality Industry Social Media Management: Hotel Management Must Have Policies In Place To Deal With An “Online Reputation Crisis” Including “Act Quickly, Publish Official Response, Remove Content And Rally Supporters”

Given the rapid-fire pace at which content can spread via social networks, hotels have never been more vulnerable. A seemingly minor issue can quickly escalate into a full-blown crisis, causing serious damage to reputation.

After a power outage at a Texas hotel last summer, a paralyzed American war veteran called the front desk to request help from his room. For reasons not entirely clear, the clerk allegedly laughed at the request and mocked him. The guest got down by throwing his wheelchair and bags down three flights of stairs and sliding down on his backside. Then he went straight to the media.

The incident incited a public furor that quickly spread to social networks. The hotel, its employees and the entire brand came under attack, with expressions of outrage and calls for a brand-wide boycott. Despite a solid reputation, it seemed nothing the brand could do—issue a refund and a public apology, dismiss the employee, implement staff training—would appease detractors.

  • Be prepared – Given the risks involved, a social media policy with a crisis management component must be a priority. Outline the steps to take in the event of a crisis, the people responsible, and the role social media will play in messaging. Keep a list of emergency contacts at hand, including your social media administrator.
  • Act quickly – When a crisis hits, there’s no time for bureaucracy. You must respond quickly and decisively. But first you must assess what’s at stake. Include senior management in decisions, and if appropriate seek advice from a PR firm or lawyer.
  • Publish an official response – An official response is a critical step. It should be honest and sincere, should speak to your company’s credentials, and should be authored by a senior executive. Post it to one channel—your website or blog, a video—and direct all inquiries there.
  • Rally supporters – Call on your community of fans to help get your messaging out. Their words will have more impact and reach than official brand messages.
  • Don’t fuel the fire – Buchmeyer tells me of another incident in which a client attempted to quell a spate of angry comments on its Facebook page by deleting them and blocking detractors. This only resulted in escalating the situation. Monitor conversations and respond as appropriate, but resist the urge to sanitize. In some cases it may be better to “go dark” on social media rather than draw attention to the issue and further provoke detractors. This is especially true in the case of a tragedy or natural disaster, when communications should be restricted to community support and keeping guests informed.
  • Get the content removed – Getting damaging content taken down can be challenging, especially if it has spread to multiple channels. Go to the source and ask them to remove it, but don’t be heavy handed. At the same time, appeal to the host site to have it removed. Litigation is an option if the content is libelous, but use it as a last resort. Engage in charitable causes and community work that will garner positive content to displace the negative.
  • Reputation management—a company wide function – The media loves a scandal, and exposés of security, sanitation and safety issues are popular topics that can be highly damaging to business. Employees must be aware that social media has raised the stakes. The consequences of guest mistreatment, negligence and lapses in quality, service and security can be severe. Management must play its part by providing the training, empowerment and support necessary to ensure standards are understood and upheld.

For more:  http://www.hospitalitynet.org/news/154000320/4059521.html

Filed under Guest Issues, Labor Issues, Liability, Management And Ownership, Privacy, Risk Management, Technology, Training

Hospitality Industry Information Security Risks: Hotels, Restaurants And Retailers Accounted For 78% Of “Data Breaches By Cyber-Criminals” In 2012; “Weak Or Guessable Passwords” Is Most Common Vulnerability

“…Almost one-third of all victims had critical systems administered by a third party…Attackers had no trouble exploiting that weakness, with vulnerable remote-access systems accounting for the method of entry in 47 percent of the cases…in most cases, users – not software vulnerabilities – were to blame. Almost 90 percent of systems had weak or easily guessable passwords, with “Password1” continuing to be the most common, according to Trustwave’s report…”

An analysis of breach data for 2012 found that retailers and the hospitality industry continued to command the most interest from cyber-criminals, accounting for 78 percent of the breaches documented by security services firm Trustwave.

The businesses are typically easy targets, having outsourced the administration of important servers and business data to firms that focus more on keeping the systems functioning than on security, says Christopher Pogue, director of digital forensics and incident response for Trustwave’s SpiderLabs.

“An integrator may have 1,000 customers and may do remote administration for all of them using, not 1,000 passwords, but maybe two or three,” Pogue said. “That leaves a vulnerability that can be exploited by attackers.”

For more:  http://www.techweekeurope.co.uk/news/retailer-hotel-crime-107589

Filed under Crime, Liability, Maintenance, Management And Ownership, Privacy, Risk Management, Technology, Theft

Hospitality Industry Legal Risks: Hotel “Mobile Applications” Must “Post Privacy Policy” Allowing Guests To “Access And/Or Request Changes To Personal Information”

“…In the case of an online service, “conspicuously posting” a privacy policy requires that the policy be “reasonably accessible…for consumers of the online service…the consumer (must be able) to access or request changes to personal information, (and) the operator of the site will notify consumers of changes, and the effective date of the policy…”

Hotel companies are actively entering the mobile application space as a means of gaining market share and solidifying guest relations. In addition to online travel agents like HotelsbyMe.com, a number of brands including Omni, Choice and Starwood have developed mobile applications. However, as mobile applications gain popularity, hotel companies should consider how privacy and security laws will impact how they can use those applications.

For companies with operations in California, that issue was highlighted on December 6, 2012, when the California Attorney General filed a lawsuit against Delta Airlines for failing to include a privacy policy with a smartphone application. The lawsuit, the first of its kind, alleges that Delta violated California law requiring online services to “conspicuously post its privacy policy” by failing to include such a policy with its “Fly Delta” mobile application.

The California online privacy law

In 2004, California enacted the California Online Privacy Protection Act (“CalOPPA”). This law requires operators of websites and online services to “conspicuously post” privacy policies about the personal information that is collected, how the consumer can access or request changes to personal information, how the operator of the site will notify consumers of changes, and the effective date of the policy.

In the case of an online service, “conspicuously posting” a privacy policy requires that the policy be “reasonably accessible…for consumers of the online service.”

CalOPPA does not define an “online service” or mention “mobile” or “smartphone” applications, likely due to the fact that in 2004, smartphones and mobile applications were just being developed. However, the California Attorney General considers any service available over the internet or that connects to the internet, including mobile apps, to be an “online service.”

For more:  http://www.hotelnewsresource.com/article68597Hotel_Lawyer_on_How_New_Privacy_Law_Enforcement_May_Affect_Your_Mobile_Apps_Used_in_Marketing_.html

Filed under Guest Issues, Liability, Management And Ownership, Privacy, Risk Management

Hospitality Industry Security Risks: Hotel “Electronic Room Locks” Opened With “Hacking Device” Tool Disguised As “Dry Erase Marker” (Video)

A trio of hackers have built a tool that appears to be an innocent dry erase marker, but when inserted into the port on the bottom of a common form of hotel room keycard lock triggers the lock’s open mechanism in a fraction of a second.

The security researchers who spend their days breaking into clients’ systems to find and fix security vulnerabilities often call themselves “penetration testers,” or “pentesters.” But one group of hotel lock hackers just gave the term “pentest” a very different meaning.

The inconspicuous lock hacking device is an adaption of one demonstrated at the Black Hat security conference in July by Cody Brocious, a hacker and software developer for Mozilla, who discovered and exploited a vulnerability in Onity locks, a cheap and popular hotel room lock that the company says are used on at least four million hotel rooms worldwide. Through the port on the bottom of the lock intended for a device that hotels can use to set master keys, Brocious found he was able to read the lock’s memory, including a decryption key stored on the locks that gave him access to their opening mechanism.

Filed under Crime, Guest Issues, Liability, Management And Ownership, Privacy, Risk Management, Technology, Theft

Hospitality Industry Information Risks: Federal Trade Commission (FTC) Sues Hotel Operator Over Guest Account Data Theft That Results In Over $10 Million Of Credit Card Fraud

“… fraudulent charges on Wyndham’s consumer accounts totaled more than $10.6 million following three data breaches in less than two years. The breaches occurred in April 2008, March 2009 and in late 2009…”

The Federal Trade Commission said repeated failures to secure consumer data led to hundreds of thousands of consumers’ payment card information being exported to an Internet domain address registered in Russia.

Wyndham, which operates several hotel brands, including the value-oriented Days Inn and Super 8, is one of a large number of organizations that acknowledged in the past three years that they had been hacked by people seeking either financial gain or intellectual property.

Other victims have included entertainment giant Sony, the International Monetary Fund, Google, Lockheed Martin and Citigroup.

For more: http://www.reuters.com/article/2012/06/27/uk-ftc-wyndham-idUSLNE85Q01Q20120627

Filed under Crime, Guest Issues, Insurance, Liability, Management And Ownership, Privacy, Risk Management, Theft

Hospitality Industry Information Security: Hotel And Restaurant Guests Face Increased Risks Of “Credit Card Cloning”; Stolen Data Rewritten Onto New Cards And Used Instantly

“…an unscrupulous restaurant waiter with a pocket skimmer might be able to steal information from hundreds of customers a week, selling that information to those with the means to encode fake credit cards. Battery-powered skimmers can be carried in a pocket…copying information as customers swipe cards to pay for gas or withdraw cash…”

The (stolen) information then can be emailed or downloaded over the Internet and rewritten onto any card with a magnetic strip, such as gift cards or hotel keys. While the victim’s credit card is still in his or her possession, someone could be using a perfect replica hundreds of miles away.

The process, called “cloning,” accounts for much of the growth in credit card fraud during the past few years, officials said. According to a Javelin Strategy and Research report, credit card fraud has increased 87 percent since 2010, culminating in aggregate losses of $6 billion nationwide.

Credit card cloning is easy and lucrative, accounting for its popularity, said Sileo, who founded the Web site Thinklikeaspy.com.

People whose cards are skimmed might not know for weeks or months that their information has been stolen. Once someone realizes it, the account usually is closed quickly. Savvy crooks know to rack up major bills just as fast.

Read more here: http://www.kentucky.com/2012/06/24/2236535/financial-crimes-credit-card-cloning.html#storylink=cpy

Filed under Crime, Guest Issues, Liability, Management And Ownership, Privacy, Risk Management, Theft