Category Archives: Privacy

Hospitality Industry Technology Update: “Smartphones to Open Doors at Some Hotels”

“…Guests at these properties will receive a message on a Starwood app containing a virtual key, which will unlock the door with a tap or twist of their phone through the use of Bluetooth technology. The company says the iPhone 4s or newer models and the Android phones running 4.3 or newer will be compatible…”

“…Nevertheless, many hotel operators have been searching for ways to eliminate the bottlenecks that can form at a hotel’s front desk. The delays are the bane of many a road warrior’s travel experience…”

Guests arriving at the Aloft Hotel in Manhattan or one in Silicon Valley will soon be able to do something hotels have dreamed about offering for years: walk past the check-in desk and enter their rooms by using a smart phone as a room key.

The boutique hotel brand from Starwood Hotels & Resorts Worldwide Inc. plans to offer this feature at two hotels, in the Harlem neighborhood and in Cupertino, Calif., before the end of the quarter.

For more: http://online.wsj.com/news/articles/SB10001424052702304856504579339130820876304?mg=reno64-wsj&url=http%3A%2F%2Fonline.wsj.com%2Farticle%2FSB10001424052702304856504579339130820876304.html

Filed under Guest Issues, Maintenance, Management And Ownership, Privacy, Technology

Hospitality Industry Cyber Security Risk: “The Target and Neiman Marcus Breaches: What Hoteliers Need To Know”

“…Most of all, hotel companies need to make a commitment to secure the sensitive information of their companies and their guests, and to seek out informed consultants and advisers. Information security is a relatively new and rapidly changing area, and requires specialized knowledge; the investment today can protect a hotel from being front page news — for the wrong reasons — later. Developing a comprehensive information privacy and security program…”

The recent headlines about the Target and Neiman Marcus security breach with customer credit cards highlight a growing crisis that concerns owners and operators of hotels as well as retailers. In this article, Bob Braun, one of the senior members of our Global Hospitality Group® who focuses on data security — when he is not working on hotel management or franchise agreements — gives us some thoughts on what to do about this problem.

The Target and Neiman Marcus problem. When 50 million Americans – more than 15% of the nation’s population – wake up to find that their credit card information was compromised while Christmas shopping, we all take note. When we find out that there were 70 million victims, and the information went far beyond credit card information, and that it wasn’t just one chain, Target, but at least four more, including Neiman Marcus (which estimates 40 million payment card numbers were compromised), we should start to look at our own businesses and procedures to think about how we should plan for and respond to these malicious attacks.

For more: http://www.hospitalitynet.org/column/global/154000392/4063594.html

Filed under Crime, Management And Ownership, Privacy, Risk Management, Technology, Theft

Hospitality Industry Technology Issues: Hotels And Restaurants Face “Privacy Issues” When Guests Wear “Google Glass”; Videotaping Without Permission

“…there are definitely privacy implications for those who wear and use Google Glass in public…People want to go (to restaurants and hotels) and not be known … and definitely don’t want to be secretly filmed or videotaped and immediately put on the Internet…as a society, know how to appropriately use our mobile phones, (and) most Google Glass wearers (should) know how to appropriately use them as well…”

In an effort to protect patrons in his restaurant from being photographed or videotaped without permission, Seattle restaurant owner Dave Meinhart banned Google Glass from one of his restaurants. But last week, Nick Starr, a local early adopter of Google Glass, was kicked out of Dave’s other restaurant, Lost Lake Cafe & Lounge, starting a PR storm by demanding an apology and the firing of the waitress who kicked him out.

In just a few weeks, thousands of people will become the next wave of not-so-early adopters to receive Google Glass. Initially launched in early 2013, Google Glass quickly became a hot topic for tech pundits who questioned its ability to protect privacy, its usefulness, and whether or not it would be as cool as the bluetooth was.

For more:  http://www.forbes.com/sites/kellyclay/2013/12/03/how-to-not-look-like-a-jerk-with-google-glass/

Filed under Guest Issues, Liability, Privacy, Risk Management, Technology

Hospitality Industry Cybercrime Risks: Criminal Hackers Target Hotels Lacking “Advanced Data Security Safeguards” On Local Credit Card Transactions; “Chip-And-Pin Cards” Coming Soon

“…criminal hackers gravitate to some hotels because, like retail stores and restaurants, hotels do many credit card transactions at a local level, where centralized and highly sophisticated data security safeguards may be lacking…Most hotels are locally owned, though managed by big hotel chain companies. For hotel owners, it is expensive to come into full compliance with the tough global data security criteria set by the credit card companies…That includes using complex passwords, being wary of public Wi-Fi, updating antivirus software — and checking credit card statements carefully…”

“…In the United States, credit cards use magnetic strips that are more vulnerable to hacking than the electronic chips embedded in credit cards in Europe and elsewhere. Such cards also require entry of a PIN…these so-called chip-and-PIN cards are headed our way, said Kathy Orner, vice president for information security at Carlson Rezidor, a worldwide hotel company that is among the industry leaders in data security…all of the major credit card issuers plan to start introducing these cards in the United States within two or three years…”

In its 2013 Global Security Report, Trustwave, a data security management firm, says that the top three industries targeted for data breach attacks in 2012, measured by the number of its investigations, were retailing (45 percent), food and beverage (24 percent) and hotels (9 percent). Three years ago, the hotel industry was at the top, but hotels have since made “significant strides” in improving credit card security measures, the report says.

Last year, for example, the Federal Trade Commission sued Wyndham Worldwide, the hotel chain, for what it said was inadequate safeguarding of credit card information that led to three data breaches at hotels in under two years, with “millions of dollars in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to an Internet domain address registered in Russia.”

The threat is constant, Mr. Roman said. “The best protection is vigilance, and that takes work,” he said.

For more:  http://www.nytimes.com/2013/09/03/business/data-security-begins-with-the-traveler.html

Filed under Guest Issues, Insurance, Liability, Management And Ownership, Privacy, Risk Management, Technology, Theft

Hospitality Industry Privacy Risks: Texas Hotel Employee Arrested For “Attempted Improper Photography And Visual Recording”; Cell Phone Placed In Ceiling Above Guest Room Shower

“…Police say a guest reported hearing an alarm-type sound coming from the bathroom area of her hotel room while she was in the shower…she found a small pinhole with a camera lens behind it in the ceiling. After moving the tiles, she discovered the cell phone…Hotel security removed the camera from the ceiling and noted that it was powered on…The room’s electric lock showed that (the defendant) had entered the room the day prior with the key assigned to him….”

A housekeeper at the Hyatt Regency hotel located at 208 Barton Springs is charged with misdemeanor attempted improper photography and visual recording. Blue Moo Too, 30, is charged after his cell phone was found hidden in a ceiling tile above the shower of one of the hotel rooms.

Video on the phone showed a man placing it in the bathroom ceiling and wiping away his footprints from the bathtub. The hotel’s executive housekeeper identified the man as her employee, Too, a housekeeper at the hotel.

Too was booked into Travis County Jail on April 12 with a $25,000 bail. He has since bonded out. Police say they didn’t find evidence of any other victims on his cell phone. His computer is still being looked at. At this time, the former housekeeper is facing up to one year in jail and a fine of no more than $4,000.

For more: http://www.kvue.com/news/Hyatt-hotel-worker-charged-with-improper-photography-203045331.html

Filed under Crime, Guest Issues, Labor Issues, Liability, Management And Ownership, Privacy

Hospitality Industry Payment Security: More Restaurants And Hotels Are Using “Mobile Credit Card Readers” To Increase Efficiency; FTC Report Cites Financial Information Security Issues

The report encourages industry-wide adoption of strong measures to ensure security throughout the mobile payment process. The report addresses ways sensitive financial information can be kept secure during the mobile payment process, such as through end-to-end encryption. The possibilities for encryption listed in the report cover everything from the authentication of data during the transaction to the secure storage of information on a mobile device.

“The Smelly Cat Coffee Shop in Charlotte is one of the nation’s top users of the Square card reader. The business uses the device for all of its credit card transactions…(the restaurant) says customers’ card info is safe because the program doesn’t allow cashiers to see customers’ information when they swipe…”

Mobile credit card readers like the Square and Intuit devices are growing in popularity around the country. The devices offer merchants the ability to accept credit card payments anywhere and are often less expensive than traditional card swiping technology.

But the Federal Trade Commission and consumer watchdog groups are urging consumers to be vigilant about protecting their financial information when using the devices. The FTC recently released a report on the growing popularity of mobile payment devices. The report did not name any specific threats that come from using mobile card devices.  The agency is urging consumers, as well as merchants, to make sure that financial data is protected in each transaction.

The Better Business Bureau said consumers should make sure they trust the merchants they allow to swipe their debit and credit cards using the devices. It is buyer beware. According to Janet Hart of the BBB, people should be careful how, when, and where they use their credit card, because there is the chance data could be misused.

Staff at the shop said they have not had any negative reactions from customers using the device at the store.

“It’s a similar security that you would find on a receipt, on a printed receipt, that a waiter or waitress would be exposed to in a restaurant,” said Burleson. However, advocates said consumers should use the same caution when using the mobile readers that they would use when ordinarily swiping their credit cards.

For more:  http://centralny.ynn.com/content/top_stories/654110/mobile-card-readers-spike-in-popularity–groups-urge-concern-over-possible-id-theft/

Filed under Crime, Guest Issues, Liability, Management And Ownership, Privacy, Risk Management, Technology

Hospitality Industry Data Security Risks: Hotels Are At Significant Risk Of “Large-Scale Hacking” Of Guest Personal Information, Including Information In Reservation Systems

“Data security is becoming an issue of significant importance in the hospitality industry…(because of) an increase in hacks and malware attacks, which frequently target hotel systems because they’re a rich source of personal information… hackers aren’t just targeting data on hotel systems but also the information passed along to reservations systems…credit card theft is much easier — and more likely — through large-scale hacking…another reason hotel guests are vulnerable to having their personal information stolen: They’re easily distracted.”

Several days after Traci Fox visited a small independent resort in the Catskill Mountains, she received an unexpected call from a shoe store. Where did she want it to ship the $400 worth of pricey sneakers that she’d ordered?

Fox believes that her hotel may have compromised her credit card information. At least one government agency shares her concerns. Last summer, the Federal Trade Commission sued Wyndham Hotels, alleging that the company had failed to protect its customers’ personal information. As a result, the FTC claims, hundreds of thousands of credit card numbers fell into the wrong hands, leading to millions of dollars in fraud-related losses. Wyndham denies any wrongdoing and is fighting the suit.

The problem may run deeper than the theft of credit card numbers, however.

The personally identifiable information in your guest profile, such as your home address, your license plate number and your date of birth, which is attached to your reservation, can end up in the hands of a third party that offers little or no warranties about how it will protect your data. “These kinds of areas are more worrisome than some huge Visa bill,” says hotel consultant Marion Roger. “Once your identity has been cloned, you can easily spend years and hundreds of thousands in legal and other fees.”

For more:  http://www.washingtonpost.com/lifestyle/travel/the-navigator-when-you-check-in-your-private-information-may-be-checked-out/2013/03/28/07cb90ca-9599-11e2-bc8a-934ce979aa74_story.html

Filed under Crime, Guest Issues, Liability, Management And Ownership, Privacy, Risk Management, Technology, Theft

Hospitality Industry Cybercrime Risks: Hotel And Restaurant “Connected Point-Of-Sale (POS) Systems” Attacked By New Malware Called “Dexter”; Steals Credit Card Data And Transmits It “Encrypted” Back To Attacker

“…Just before the 2012 festive period, a new piece of malware surfaced and was found in hundreds of POS systems in hotels, restaurants, retailers and private parking providers. The malware was discovered by Israel-based security firm Seculert: ‘Dexter’ (which comes from the string ‘BKDR_DEXTR.A’) is a data-theft tool used to target and attack POS systems. The program, which is Microsoft Windows-based, uses common techniques to search the memory of running processes to identify credit-card track data, but with the uniqueness of the attacker having full control…”

Connected point-of-sale (POS) systems – that’s the checkout to you and me – are the most recent targets of the cybercriminal, and a specially-crafted malware, dubbed Dexter, is further indication that now all kinds of connected devices may be vulnerable to attack.

Seculert CTO and co-founder Aviv Raff explains that while the company is as yet uncertain as to who is behind Dexter, the author is fluent in English: Dexter mainly targeted English-speaking countries. The malware was located in 40 different countries, but notably 42 per cent of POS systems targeted were in North America and 19 per cent UK-based. “Instead of going through the trouble of infecting tens of thousands of consumer PCs or physically installing a skimmer, an attacker can achieve the same results by targeting just a few POS systems with specially crafted malware,” Raff says.

The malware injects itself into the iexplore.exe file in Windows servers, through rewriting in the registry key. It then pinches sensitive credit-card data from the server, before transferring it through a remote command and control system. Windows-based POS systems are used increasingly in the industry, and according to Seculert’s findings, 51 per cent of targeted POS systems use the outdated Windows XP. The high percentage indicates Windows-based machines that process unencrypted track data are viable targets.

Microsoft Windows XP may be the ‘preferred’ choice for POS systems, especially among smaller retailers who feel that they cannot afford to upgrade, but with the operating system to be discontinued in 2014, the question is over what support will be offered for remaining XP users and if they will be able to handle the upgrade to Windows 7 or 8.

“Dexter only has three purposes in life,” says Trustwave’s security researcher Josh Grunzweig. “To always be running on the victims’ machine, to find any card, or track, data in any running program on the victim, and to communicate with the attacker who is controlling it.”

The latter is what makes the malware stand out and impresses Grunzweig. “I can’t remember the last time I saw a piece of malware that targeted POS systems that had a nice command and control structure to it,” adds Grunzweig.

He explains the hacker maintains control of the attack by using normal communication methods, but with the skill to hide what it was sending by encoding the data. This involved sending out a message to the attacker, by default, every five minutes, and also checking the victim every 60 seconds to see if there is any track data running.

The magnetic strip on a credit card contains three tracks and the malware attempts to extract data from memory relating to tracks one and two, containing numeric or alphanumeric data that can be used to clone the card that was used in a transaction. If Dexter finds any of this track data, it alerts the attacker in the next message sent and the process is repeated. The attacker has the control to change the times and install additional malware or even remove Dexter altogether.

“The most unusual thing about Dexter is the small amount of public attention it has received,” says Trustwave’s Josh Grunzweig. “The issues that make POS-specific malware difficult to discuss in the industry also affect the ability of antivirus companies; without samples they are unable to provide detailed protections for specific threats.”

For more:  http://eandt.theiet.org/magazine/2013/03/turn-on-log-in-checkout.cfm

Filed under Claims, Guest Issues, Liability, Management And Ownership, Privacy, Risk Management, Technology, Theft

Hospitality Industry Social Media Management: Hotel Management Must Have Policies In Place To Deal With An “Online Reputation Crisis” Including “Act Quickly, Publish Official Response, Remove Content And Rally Supporters”

Given the rapid-fire pace at which content can spread via social networks, hotels have never been more vulnerable. A seemingly minor issue can quickly escalate into a full-blown crisis, causing serious damage to reputation.

After a power outage at a Texas hotel last summer, a paralyzed American war veteran called the front desk to request help from his room. For reasons not entirely clear, the clerk allegedly laughed at the request and mocked him. The guest got down by throwing his wheelchair and bags down three flights of stairs and sliding down on his backside. Then he went straight to the media.

The incident incited a public furor that quickly spread to social networks. The hotel, its employees and the entire brand came under attack, with expressions of outrage and calls for a brand-wide boycott. Despite a solid reputation, it seemed nothing the brand could do—issue a refund and a public apology, dismiss the employee, implement staff training—would appease detractors.

  • Be prepared – Given the risks involved, a social media policy with a crisis management component must be a priority. Outline the steps to take in the event of a crisis, the people responsible, and the role social media will play in messaging. Keep a list of emergency contacts at hand, including your social media administrator.
  • Act quickly – When a crisis hits, there’s no time for bureaucracy. You must respond quickly and decisively. But first you must assess what’s at stake. Include senior management in decisions, and if appropriate seek advice from a PR firm or lawyer.
  • Publish an official response -  An official response is a critical step. It should be honest and sincere, should speak to your company’s credentials, and should be authored by a senior executive. Post it to one channel—your website or blog, a video—and direct all inquiries there.
  • Rally supporters – Call on your community of fans to help get your messaging out. Their words will have more impact and reach than official brand messages.
  • Don’t fuel the fire – Buchmeyer tells me of another incident in which a client attempted to quell a spate of angry comments on its Facebook page by deleting them and blocking detractors. This only resulted in escalating the situation. Monitor conversations and respond as appropriate, but resist the urge to sanitize. In some cases it may be better to “go dark” on social media rather than draw attention to the issue and further provoke detractors. This is especially true in the case of a tragedy or natural disaster, when communications should be restricted to community support and keeping guests informed.
  • Get the content removed – Getting damaging content taken down can be challenging, especially if it has spread to multiple channels. Go to the source and ask them to remove it, but don’t be heavy handed. At the same time, appeal to the host site to have it removed. Litigation is an option if the content is libelous, but use it as a last resort. Engage in charitable causes and community work that will garner positive content to displace the negative.
  • Reputation management—a company wide function – The media loves a scandal, and exposés of security, sanitation and safety issues are popular topics that can be highly damaging to business. Employees must be aware that social media has raised the stakes. The consequences of guest mistreatment, negligence and lapses in quality, service and security can be severe. Management must play its part by providing the training, empowerment and support necessary to ensure standards are understood and upheld.

For more:  http://www.hospitalitynet.org/news/154000320/4059521.html

Filed under Guest Issues, Labor Issues, Liability, Management And Ownership, Privacy, Risk Management, Technology, Training

Hospitality Industry Information Security Risks: Hotels, Restaurants And Retailers Accounted For 78% Of “Data Breaches By Cyber-Criminals” In 2012; “Weak Or Guessable Passwords” Is Most Common Vulnerability

“…Almost one-third of all victims had critical systems administered by a third party…Attackers had no trouble exploiting that weakness, with vulnerable remote-access systems accounting for the method of entry in 47 percent of the cases…in most cases, users – not software vulnerabilities – were to blame. Almost 90 percent of systems had weak or easily guessable passwords, with “Password1” continuing to be the most common, according to Trustwave’s report…”

An analysis of breach data for 2012 found that retailers and the hospitality industry continued to command the most interest from cyber-criminals, accounting for 78 percent of the breaches documented by security services firm Trustwave.

The businesses are typically easy targets, having outsourced the administration of important servers and business data to firms that focus more on keeping the systems functioning than on security, says Christopher Pogue, director of digital forensics and incident response for Trustwave’s SpiderLabs.

“An integrator may have 1,000 customers and may do remote administration for all of them using, not 1,000 passwords, but maybe two or three,” Pogue said. “That leaves a vulnerability that can be exploited by attackers.”

For more:  http://www.techweekeurope.co.uk/news/retailer-hotel-crime-107589

Filed under Crime, Liability, Maintenance, Management And Ownership, Privacy, Risk Management, Technology, Theft