Tag Archives: Cybercrime

Hospitality Industry Information Security: Hotels And Resorts Are Targeted For Cyber Attacks Because Of Faulty "Data Collection Practices"

“…The report said the largest share of cyber attacks — 38% — were aimed at hotels, resorts and tour companies…”

“… large hotel chains are most vulnerable because hotel management companies may not be able to monitor how data is collected and stored at dozens or even hundreds of properties throughout the world. Independent contractors who work for individual hotels can also open the door to hackers and computer viruses…”

A business traveler who books hotel rooms via the Internet may be at higher risk of being victimized by computer hackers and identity thieves.

Insurance claims for data theft worldwide jumped 56% last year, with a bigger number of those attacks targeting the hospitality industry, according to a new report by Willis Group Holdings, a British insurance firm.

That could spell trouble for business travelers who submit credit card numbers and other personal information to hotel websites, said Laurie Fraser, global markets leisure practice leader for Willis.

For more:  http://www.latimes.com/business/la-fi-travel-briefcase-20110815,0,65581.story

Filed under Crime, Guest Issues, Insurance, Liability, Management And Ownership, Privacy, Risk Management, Technology, Theft

Hospitality Industry Information Security Risks: "Cyber Attack Claims" Increase 56% Mainly Through "Rogue Employees, Malicious Attacks, And Mistakes By Outsourcing Firms"

“…The vast quantities of personal, identifiable information collected by the leisure and hospitality industry have made the sector a chief target for cyber attacks, according to Willis…with reports of a 56% rise in cyber claims over the past year….”

“…Rogue employees, malicious attacks, and mistakes by outsourcing firms appear to be the main culprits, with hackers getting ever-more sophisticated in their attempts to drain corporate databases of customers’ personal details…”

Willis warns that some breaches can cost in excess of $100 million and with more stringent data protection legislation coming into force, companies’ financial exposure to this type of crime will increase further.

“Recent breakthroughs include the introduction of identity theft solutions and Payment Card Industry fines coverage, which helps to protect companies from penalties linked to the mismanagement of credit card data.”

For more:  http://www.insurancedaily.co.uk/2011/08/03/hospitality-and-leisure-attract-cyber-attacks/

Filed under Claims, Guest Issues, Insurance, Labor Issues, Liability, Management And Ownership, Risk Management, Technology, Theft

Hospitality Industry Security Risks: Hotel "Cyber Liability Myths Exposed"

Cyber Liability Myths Exposed

By Brad Durbin – Petra Risk Solutions 

 

In today’s e-commerce society, operating your hotel without cyber liability coverage is like attempting to drive your car blindfolded on a Southern California freeway during rush-hour traffic.

Here are three common myths and misconceptions I’ve heard repeatedly when discussing cyber liability insurance coverage with hotel owners and operators. 

Myth #1 – “I use the online reservation system offered by my franchise.  They’ll cover me if their system is hacked and my guest’s personal information is compromised.”

This is by far the most common misconception among hoteliers about their exposure and responsibility for a data breach. It’s easy to see why.  You are using your franchisor’s reservation system, which is offered as part of your franchise agreement.  Why wouldn’t they cover you if their system is hacked? 

The answer is in your contract.  While some franchise agreements are more favorable in this area than others, most contain special provisions regarding the use of their online reservation systems.  These provisions typically state that the hotel will be responsible for defending the franchisor and holding them harmless, regardless of whether the data breach came from within the online reservation system. 

The exposure is even greater for non-franchised properties using third-party reservation system providers or wholesalers.  I have yet to come across a contract for these services that could be viewed as favorable for the hotel in the event that the reservation system is breached.

 Myth #2 – “If a hotel guest’s credit card information is stolen at the property level, my Payment Card Processing company will cover me under their policy.” 

Most hoteliers erroneously assume that their Payment Card Processing Company (PCP) will have their best interest in mind in the event of a data breach.  I’m not sure why.  No business, regardless of how great or longstanding your relationship with them has been, will volunteer to pay significant attorney costs and consumer notification fees for you unless they are contractually obligated to do so.  Not surprisingly, most PCP contracts are heavily weighted in favor of the PCP provider regardless of where the data was taken from or if the PCP company is to blame.

Your liability is even greater for a data breach that can be traced back to the hotel property level.  If this happens, the Payment Card Industry (PCI) mandates that you conduct a forensic accounting audit of all your records.  These audits can cost $20,000 – $25,000 for a single-location, limited-service property. This amount does not include fines typical for any non-compliance issues discovered during the audit.

Myth #3 – “Cyber liability coverage is a waste of money.”

Most states have laws requiring you to notify EVERY GUEST in your database upon discovery of a breach (e.g. California Senate Bill 1386).  Analysts estimate that the average cost for this notification is approximately $30 per record.  Multiply this by the number of records in your system, or the number of guests who have stayed at your hotel over the years, and you can see just how financially devastating these claims can become. 

For a typical limited service franchised property with $2,500,000 – $5,000,000 in annual room revenue, a cyber liability policy with a $1,000,000 limit can usually be obtained for less than $7,000 annually… an extremely fair price point considering the risks and hefty costs associated with a data breach.

Final Thoughts

When a hotel data breach occurs, guests won’t know or care that another company may be responsible.  They will come directly to the hotel for a remedy. The ENTIRE FINANCIAL BURDEN for notification costs, legal defense, and monetary settlement of all related claims may be borne directly by the hotel – if it does not have an appropriate cyber liability insurance policy in force.

To protect your hospitality assets, select and obtain cyber liability coverage that will address PCI fines, consumer notification costs, credit monitoring, and any government or regulatory action levied against your business in the event that a data breach is discovered.  Not all cyber policies include coverage for these areas, so it’s important for you to work with a qualified hospitality insurance broker. 

Securing proper cyber liability insurance coverage is a cost-effective method for hoteliers to help mitigate the risks associated with owning and operating a hotel in today’s digital society.

———————————————————————-

Brad Durbin is a Hospitality Insurance Specialist with Petra Risk Solutions. For questions about Hotel Cyber Liability or any other Hospitality Risk Solutions, contact Brad at bradd@petrarisksolutions.com.

Filed under Crime, Guest Issues, Insurance, Liability, Management And Ownership, Risk Management, Technology

Hospitality Industry Cybercrime Risks: Hotel Management Must Insure Against "Illegal Use" Of Internet Access By Individuals Engaging In "Online Piracy"

“Small businesses that offer Internet access, such as a coffee shop or a hotel or even a car mechanic with a waiting area, should be aware of the industry’s crackdown on piracy and take steps to ensure their customers aren’t using the service to steal content,”

 “…people don’t want to pirate music from home because they’re afraid of getting caught, so they’ll use the WiFi connection of a (outside business)…”

The National Federation of Independent Business, a non-profit small-business association, issued a warning to Main Street entrepreneurs who offer Internet access to their customers: Take steps now to avoid allegations of online piracy. Record labels, movie studios and other industry groups recently struck a deal where participating Internet providers will issue warnings to customers whose accounts are allegedly used to steal content.

Under the deal, customers whose accounts are allegedly used for piracy will receive at least five alerts from their Internet provider. Upon sending the fifth notice, the Internet provider may implement certain “mitigation measures” to stop the alleged piracy, including reducing Internet speeds or redirecting traffic to a special landing page until the customer contacts the Internet provider to discuss the issue.

“Internet service providers wouldn’t have to pull the plug on a customer after the sixth notice, but that’s a possibility, and that’s where businesses have to watch out,” said Beth Milito, senior executive counsel for the NFIB. “Small businesses rely on their Internet connections the same way they do the telephone. It’s how they communicate with customers and vendors. It’s where they do business.”

  • One easy way to discourage abuse for businesses offering WiFi is to prevent people who aren’t customers from using their Internet connection by requiring a password. “For example, they could print a password on the receipt and change it periodically, to prevent non-customers from using the service,” Milito said.
  • Businesses can also block access to certain Websites and types of Websites, she added. “This requires a little bit of know-how on the part of the small-business owner, and it may accidentally block access to legitimate Websites, but it also can discourage people from using a business’s network to steal content,” she said. “With more and more people carrying smartphones and even tablets, free WiFi can help a small business attract and keep customers, but unless a business owner uses common sense and takes precautions, those customers could come at a hefty price.”

For more:  http://www.eweek.com/c/a/Midmarket/Security-an-Issue-for-Businesses-Offering-Free-WiFi-253920/

Filed under Crime, Insurance, Liability, Management And Ownership, Risk Management, Theft

Hospitality Industry Information Security Risks: Hotel Computer Systems Are Increasingly "Breached" Through "Privileged Users" Who Have Total Access To Sensitive Data

“…security breaches are still happening at an even more significant pace with more damaging results.  In the end, many of these advanced intrusions and data security breaches are focused on taking over access to the accounts and permissions of specific “privileged” users in an organization who have access to sensitive data…”

“…These privileged users are specifically targeted by outside hackers because they have proverbial keys to the kingdom, but in some cases the inside user themselves is intent on stealing or doing damage…” 

One emerging solution to this problem is to carefully monitor everything (e.g. every keystroke and every mouse click) that a privileged user does on the network, while also putting more granular limits on what they can do.  Basically “trust but verify,” with the goal of detecting any anomalies in a privileged user’s computing usage (e.g. why is this person downloading the source code at 3 a.m.?).  This is not uncommon for privileged users in other jobs: the “Eye in the Sky” in Las Vegas casinos monitors the gamblers for cheating but also monitors the dealers, and at a bank the CCTV is looking not only for robbers but also for the teller slipping some money into their pocket.

Instructive of the value of this new approach is that immediately after its breach, the RSA division of EMC acquired private company Netwitness for a reported large premium.  Netwitness is known for analyzing user activity monitoring at the network layer.  In addition, the latest security vendor to file for an IPO, Imperva, has as its core solution the ability to monitor database access and usage by Database Administrators, another type of privileged user.

For more:  http://blogs.forbes.com/tomkemp/2011/07/05/as-hacks-proliferate-new-security-technology-emerges-to-monitor-privileged-it-users/

Filed under Crime, Guest Issues, Insurance, Labor Issues, Liability, Management And Ownership, Privacy, Risk Management, Technology, Theft

Hospitality Industry Information Security: "Cyberinsurance" Has Evolved Into A "Must-Have" Insurance Policy For Hotel Management As Coverage Includes "Forensics"

“…some insureds get charged $1,000 an hour by a forensics firm. It’s paying the individual walking by your house burning down with a bucket of water…” 

“…used to really focus our underwriting attention on how well they could prevent the breach, but we’ve added another phase to it,” says Whetstone. “Not only can you prevent it, but if it happens, how quickly can you respond? Do you have a plan in place? Kind of like a disaster recovery plan or a business continuity plan. It’s the same with this incident response plan.”

“…cyberinsurance is a “must-have” for most firms today…”

Demand for cyberinsurance was rising even before the most recent highly-publicized parade of breaches at major corporations and organizations. After the news of the first major Sony hack but before the subsequent reports involving Sony, Citicorp, the International Monetary Fund and others, Insurance Journal spoke with an expert to gauge how the insurance market for this coverage is doing.

James Whetstone, senior vice president and U.S. technology and privacy manager for insurer Hiscox Specialty, is a former technology geek and broker turned underwriter.

Hiscox is one of the original underwriters of the coverage. Whetstone says there are almost 30 carriers now offering cyber liability coverage, some more seriously than others. He says these times of claims are when an insurer’s commitment to a market can be tested, citing what he calls the “naive” capacity that exists.

The coverage has evolved quickly– Whetstone compares the product’s acceptance to that of employment practices liability (EPL) coverage– to where cyberinsurance is a “must-have” for most firms today.

The underwriting has also changed. “We used to really focus our underwriting attention on how well they could prevent the breach, but we’ve added another phase to it,” says Whetstone. “Not only can you prevent it, but if it happens, how quickly can you respond? Do you have a plan in place? Kind of like a disaster recovery plan or a business continuity plan. It’s the same with this incident response plan.”

For more:  http://www.insurancejournal.com/news/national/2011/06/20/203166.htm

Filed under Claims, Guest Issues, Insurance, Liability, Management And Ownership, Risk Management, Technology, Theft

Hospitality Industry Information Security Risks: New "Informative Fraud Databases" Explain And Expose The Latest Scams Designed To Steal Credit Card Data

“…what about when the hotel desk calls your room because of a problem processing your credit card? Would you know better than to give the “receptionist” your number?…”

That’s just one of the 350-plus scams exposed and explained in Scam Detector for iOS, an informative fraud database that can help you avoid getting ripped off.

The app doesn’t “detect” scams so much as educate you about them. The data is divided into five categories: Auto, Face to Face, Internet, Telephone, and Travel. Within Internet you’ll find five sub-categories: Social Networking, Financials, Employment Online, Houses & Properties, and Online Auctions & Tech.

In other words, it covers all the bases–and reveals a lot of scams I guarantee you’ve never heard of. For example, you know the guy standing in line behind you at the register, the one who looks like he’s texting on his phone? He might actually be snapping photos, trying to get a readable shot of your credit card as it passes back and forth between you and the cashier.

Read more: http://reviews.cnet.com/8301-19512_7-20071984-233/scam-detector-app-saves-you-from-getting-ripped-off/#ixzz1Ppb87YjR

Filed under Crime, Guest Issues, Liability, Risk Management, Technology, Theft

Hospitality Industry Computer Risks: Cybercrime Risks Remain Perilous As "Malicious Software Or Malware" Increases To 6 Million Programs In First Three Months Of 2011

The amount of new malicious software, or “malware,” unleashed on the internet during the first three months of this year hit six million programs, according to a report last week by McAfee, the computer antivirus maker. “It’s been a busy start to 2011 for cybercriminals,” Vincent Weafer, senior vice president of McAfee Labs, said in a statement.

A 2009 study by computer antivirus maker McAfee and SAIC, a technology security firm, estimated that computer crime cost companies $1 trillion across the globe, but analysts say the actual total is sure to be higher as computer security breaches are underreported.

“I think all the service providers are victims of this type of issue, it’s just whether the company has a public interface to warn users of this type of problem is the big question,” Andrew Lih, author and professor at the University of Southern California, told CNN.

“Google has been pretty good at being forthcoming in having this kind of dialogue with its users,” Lih said. “It’s very possible to probable that these other service providers, from Yahoo to Microsoft to any of these other ones, have had these types of attacks, it’s just that Google has been very public in trying to combat this.”

For more:  http://business.blogs.cnn.com/2011/06/07/the-hidden-cost-of-cybercrime/

Filed under Guest Issues, Labor Issues, Maintenance, Management And Ownership, Risk Management, Technology, Theft

Hospitality Industry Computer Data Risks: New Orleans Hotels Investigation Finds "Public Business Center" Computers Retain "Sensitive Information" In Temporary And Recycle Bin Folders

“…the Louisiana Technology Council says …many hotels make little or no attempt to protect your private information on their public PCs…in business centers…”

“That information will live on that computer until such time that it’s deleted,” said Lewis. “You and I both know that it’s really never deleted. It can be recovered and if someone comes in with software, they may be able to get that data off the PC.”

Eyewitness News sent an intern into about a dozen New Orleans area hotels to search for documents and other information left on public computers after the user logged off. Among the things we found: invoices; insurance papers; tickets to a show at the Lakefront Arena; a certificate from the Texas Department of Insurance and even someone’s monthly pay statement.

Most of the documents contained people’s names, addresses and other sensitive information about the user. “I was amazed that you were able to print out some very confidential and private information from a business center location,” said Lewis.

“If somebody wants to open up a new credit card and in this day and age of identity theft, having that kind of information out there is real frightening,” said attorney Daren Sarphie.

He says in March, the client got a disturbing phone call from a guest at the International House Hotel in downtown New Orleans. The guest told him all of his private information, including Social Security number, birth date, home address and phone number, was contained on a document stored on the hotel computer for all to see.

“The person that accessed, that found this file had just gone to hotel to book plane reservations to go back home to Dallas and in the process, he’s just playing around on the computer and he accessed this directory and is able to pull up all kinds of stuff,” said Sarphie.

“You’d think that the hotels at least would have a system in place that they would erase the hard drive on a weekly basis or a daily basis to make sure there are no temporary files saved on that computer,” said Sarphie.

The information we found was easy to access on the computers. Most of it was stored in the PC’s temporary Internet files, saved in the documents folder or waiting to be deleted in the computer’s recycle bin.

The owner of the International House Hotel says it is his hotel policy to purge the public computer’s desktop of any documents and public files every 24 hours. But, he says, it is a public computer and people need to be mindful to log out of personal accounts and delete personal documents before leaving the computer.

For more:  http://www.wwltv.com/news/Keeping-It-Safe-On-Hotel-Computers-121350324.html

Filed under Crime, Guest Issues, Liability, Management And Ownership, Privacy, Risk Management, Technology

Hospitality Industry Information Security Risks: Hotel Management Must "Encrypt All Confidential Guest Data" To Decrease "Public Exposure Of Data"

“…99% of businesses around the globe at present no longer store confidential information on their systems and 75% continuously complied with PCI requirements…”

“…encrypting confidential information will “shrink the card data environment,” thus a minimal to zero possibility of public exposure of these data…”

To prevent fraud, Richey proposed three ways for the card industry:

  • Widespread distribution of ‘smarter’ payment devices is one, where EMV (chip-and-PIN) cards will be used
  • Smarter networks to stem the cyber crime before or when it happens
  • A cardholder authentication method such as two-factor authentication

“Visa’s global fraud rate recently hit a historic low – at just over 5 cents for every $100 transacted, down more than two-thirds from the levels of 20 years ago,” she added.

She urged the card industry to step up its security measures a bit more, as most consumers believe cyber criminals are ahead of what’s already in place. According to Richey, 61% of consumers are of the opinion that the security measures of the card industry are one step behind cyber criminals.

Rather than keeping pace with cyber crime which would only exhaust resources, Richey proposed getting smarter as a better solution in combating fraud and protecting card data.

“We need to use all the intelligence we have at our disposal. I think that the opportunities to get smarter and fight fraud are all around us,” she said.

Richey, on the other hand, recognized the fact that these suggestions will be costly and will require tremendous resources.

For more:  http://inaudit.com/audit/it-audit/cyber-crime-vincible-through-smarter-technologies-visa-5856/

Filed under Crime, Guest Issues, Liability, Management And Ownership, Privacy, Risk Management, Technology, Theft