Tag Archives: Cybercrime

Hospitality Industry Information Security Risks: Hotel Management Should Consider "Cyber Liability Policies" With "Vicarious Liability Provisions" To Insure Guest Information Database Breaches

“…clients with robust cyber liability policies will find coverage under the vicarious liability provisions. …”

“Data breaches generally represent enormous problems for companies,” said Alan N. Situn, a shareholder with law firm Greenberg Traurig L.L.P. in New York. “Not only can they be very expensive, but equally important to many companies (is) the reputational damage that they perceive from these types of breaches” if information they provide to a third party is somehow breached.

Hackers tend to hold on to such information “usually about a year, and then use it in the hope that folks have become a little bit more relaxed and not as vigilant,” said Mauricio F. Paez, a partner with law firm Jones Day in New York.

For the most part, the companies that are affected are in a damage- or crisis-management mode, said Robert J. Scott, managing partner with law firm Scott & Scott L.L.P. in Dallas. “They’re emailing their customers; they’re apologizing for the inconvenience, trying to clarify and limit the scope of the magnitude of the problem; and they’re hopeful the leakage of the email doesn’t result” in other problems.

Observers noted that the firms were notifying customers of the data breach even though they were not legally required to do so by state laws, except in North Dakota, unless more damaging personal information, such as Social Security or credit card numbers, had been revealed.

Epsilon customers whose data was breached have been “doing everything they should be doing in terms of being up front and honest with the consumers,” Mr. Scott said.

If the breach results in litigation, the question will arise of “how does that fit into the overall risk management program of the company” that hired the outside marketing company, said Kroll Ontrack’s Mr. Brill, who suggested that affected firms review their risk management programs now.

For more:  http://www.businessinsurance.com/article/20110410/ISSUE01/304109976


Hospitality Industry Information Security Risks: Large Email Marketing Services Company To Many Hotels Has Data Breach And Guest Email Accounts Are Stolen

In addition to the banks, other impacted companies included hotel brands Ritz-Carlton Rewards and Marriott Rewards, and retail heavyweights Home Shopping Network, Walgreens, Brookstone, New York & Company and Kroger. TiVo is also included in this list.

“…customers should “exercise extreme caution,” as email addresses are all cyber-criminals need to initiate a phishing attack. Users can expect to see more spam, and should be vigilant about email offers that ask for personal information or have links to other sites that ask for personal information.”

Many of these phishing attacks tend to take the form of security alerts—informing users that their accounts have been compromised and they should verify their log-in credentials to reset their accounts—or direct marketing scams promising special deals that require a credit card number.

Epsilon, a large email marketing services company with a roster of A-list clients, reported a data breach that is impacting practically anyone who has ever signed up to receive a retail offer or alert through its email account. The company warned that thieves may use the information to launch a phishing campaign to trick users into disclosing more critical data.

On March 30, Epsilon detected “an unauthorized entry” into its email system. During this time, a subset of clients’ customer data was exposed. Epsilon only has the information of people who opted-in to receive marketing emails, and the theft was limited to email addresses and customer names, according to the company.

“A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway,” Epsilon said in a terse statement on April 1.

“Epsilon has advised us that the files that were accessed did not include any customer information other than email addresses,” used books retailer AbeBooks wrote in a message to customers on April 3.

For more:  http://www.eweek.com/c/a/Security/Epsilon-Data-Breach-Hits-Banks-Retail-Giants-154971/


Hotel Industry Credit Card Security: "Cyber Criminals" Steal Credit Card Data On Hotel Computer Systems That Lack Critical Firewalls

Cyber criminals are systematically attacking systems that store credit card data, including Point-of-Sale and Property Management Systems. The criminal organizations are highly structured and integrated with the world’s organized crime rings.

Detailed forensic analysis by law enforcement agencies and specialized private-sector security practices, as well as by security departments at major hotel groups around the world, leave little doubt that the attacks on hotels are highly targeted and effective.

Many hoteliers believe they are not vulnerable because they use Point-of-Sale and Property Management Systems that have been validated as conforming to the latest PCI security standards. Unfortunately this is far from the case. Even such validated systems can be vulnerable if the hotel operates them in an unsecured manner. Leading forensics firms agree that the most important security measures are those that keep cyber criminals from getting inside the hotel network in the first place. Once inside, there are many ways for them to steal the data, even if the PMS or POS system itself is secure.

  • Eliminate EVERY default password on EVERY machine on your network – server, workstation, router, firewall, and any other device that has a password. The most important machines to check are the ones you think are NOT vulnerable, such as a PC on an engineer’s desk for monitoring building systems, or the PC in the parking garage attendant’s office, or the one in a closet running your keycard system.
  • Eliminate holes in remote access to systems inside your network. Remote access by vendors is an essential part of support for many hotel systems. The data thieves know this, and they know how to use it to get inside your network. They know all the default passwords, and they have even been known to steal master customer lists, complete with current passwords, from vendors.
  • If you were to store stacks of money in plain sight in an exit stairwell, you would expect to be robbed. Operating without an Internet firewall is just as risky. Yet many hotels, especially smaller ones, don’t have a firewall. If you are connected to the Internet without one, then people you don’t know, from around the world and many with malicious intent, are reaching into your network.

For more:  http://www.traveldailynews.com/pages/show_page/42199-Hotel-associations-issue-joint-statement-on-credit-card-security


Hotel Industry Credit Card Security Risks: Major Hotel Industry Associations Issue "Joint Statements" On Actions To Prevent Cyber-Crime

Three major hotel industry associations, including the American Hotel & Lodging Association (AH&LA), Hotel Technology Next Generation (HTNG), and Hospitality Financial and Technology Professionals (HFTP), today issued the following joint statement to hotels regarding organized cyber crime attacks on credit card data. It identifies actions that hotels — and not their system vendors — need to take immediately in order to minimize their vulnerabilities and to avoid the potential for hundreds of thousands of dollars in costs and fines that typically result when just a single hotel system is breached.

  • Cyber criminals are systematically attacking systems that store credit card data
  • Criminal organizations are highly structured and integrated with the world’s organized crime rings
  • Attacks on hotels are highly targeted and effective
  • Many hoteliers believe they are not vulnerable because they use Point-of-Sale and Property Management Systems that have been validated as conforming to the latest PCI security standards.
  • The most important security measures are those that keep cyber criminals from getting inside the hotel network in the first place
  • Once inside, there are many ways for them to steal the data, even if the PMS or POS system itself is secure.

The three actions are:

  1. Eliminate EVERY default password on EVERY machine on your network — server, workstation, router, firewall, and any other device that has a password.
  2. Eliminate holes in remote access to systems inside your network.
  3. Get a firewall and configure it properly. Operating without an Internet firewall is just as risky. Yet many hotels, especially smaller ones, don’t have a firewall.

For more:  http://www.hospitalitynet.org/news/154000320/4050609.html


Hospitality Industry Information Technology (IT) Risks: "Network Security and Privacy Liability" Insurance Is Available To Protect First-Party Risks And Third-Party Liability Involved In Cyber-Crime

“…Network Security and Privacy Liability policies are generally designed to address first-party risks and third-party liability–sometimes in the same policies, sometimes separately…”

“…first-party losses. These might include business interruption, which could be caused by a flood or fire in a data center, or malicious hacking by a disgruntled employee or even a cyber-crook half a world away...”

There is also the risk of being sued by third parties for somehow allowing–or failing to prevent–unauthorized access to sensitive information.

When IT goes down, business screeches to a halt. Indeed, for businesses such as online retailers, brokerages and some financial firms, the IT and data assets are the entire business–every bit as critical as the factory and warehouse are to the hard-goods manufacturer, or the vehicle fleet to a trucking company.

As more and more companies–and their insurers–are realizing, this reliance on IT creates a hornet’s nest of risks that can result in crippling losses that conventional, turn-of-the-century P&C insurance coverages won’t respond to. These new issues call for a new category of coverage.

Perhaps even more ominous are the all-new liability exposures inherent in IT operations. A raft of relatively new regulations and legislation makes companies responsible for safeguarding personal and confidential data they collect as part of everyday e-commerce operations.

Companies are liable for customer credit card numbers, financial transactions, medical history, credit information and other sensitive data.

For more:  http://www.propertycasualty360.com/2010/03/15/cyber-coverage-the-new-must-have-in-the-property#


Hospitality Industry Information Security: British Courts Jail Operators Of World's Largest Internet Crime "Forum" Which Provided "Hacking Software" And Credit Card Theft Instructions

The site contained manuals such as “14 ways of hacking credit cards” and “running cards on eBay” and information on staying anonymous. It sold hacking software and instructions on how to manufacture crystal meth and explosives.

Nicholas Webber, who masterminded the criminal website Ghostmarket.net, has been jailed for five years.

Three teenagers who founded and operated one of the world’s largest English-language internet crime forums, described in court as “Crimebook”, have been sentenced to up to five years in custody. Police estimate that losses from the thousands of credit details traded over the site, Gh0stMarket.net, amount to £16.2m. The web forum, which had 8,000 members worldwide, has been linked to hundreds of thousands of pounds of registered losses on 65,000 bank accounts.

Nicholas Webber, the site’s owner and founder, was arrested in October 2009 with the site’s administrator, Ryan Thomas, after trying to pay a £1,000 hotel bill using stolen card details. They were then 18 and 17. Webber was jailed for five years on Wednesday and Thomas for four years.

After seizing Webber’s laptop, police discovered details of 100,000 stolen credit cards and a trail back to the Gh0stMarket website. Webber and Thomas jumped bail that December, fleeing to Majorca, but were rearrested when they flew back to Gatwick airport on 31 January 2010.

Southwark crown court was told how public-school-educated Webber, the son of a former Guernsey politician, was using an offshore bank account in Costa Rica to process funds from the frauds. After his initial arrest, Webber threatened on a forum to blow up the head of the police e-crimes unit in retaliation, and used his hacking skills to trace officers’ addresses.

For more:  http://www.guardian.co.uk/uk/2011/mar/02/ghostmarket-web-scam-teenagers


Hospitality Industry Internet Risks: Hotel Management Must Train Employees To "Check Security Software And Certifications On Websites" To Prevent Downloading Internet Viruses

“These Internet scammers are very sophisticated…They’ll send an e-mail that looks like eBay or PayPal, asking for your information. The attorney general speaks often about Internet safety, and he encourages consumers to check the security software and certifications on websites and never store their personal information there. We have an identity theft protection tool on our website, www.Ag.ky.gov…”

Every website you visit tags your computer with a tracking device called a “cookie.” Your every move online — e-mail, downloads, credit-card purchases — is stored on your own computer’s hard drive as a digital footprint, even though you religiously delete and empty your recycle bin.

(A woman) was digitally minding her own business and was accosted by a phony website phishing for her personal information — something all too common on the Internet. As technology insidiously pervades every aspect of life, personal privacy becomes more endangered and difficult to maintain. Erik Eckel, a managing partner at Louisville Geek and Berg’s computer service tech, called her problem “one of the biggest trends we’ve seen.

“Users will click on a link on someone’s Facebook page, or travel to a site that’s infected and they receive a pop-up window saying, ‘You’re infected. You want to go ahead and license the software? Only $39.95.’ The pop-up won’t go away, people buy it and then an illegitimate user has their credit-card number.” And then there are hackers, like David Kernell, now serving a yearlong sentence at the Ashland Federal Correctional Institution in Kentucky for invading Republican vice presidential candidate Sarah Palin’s private e-mail account during the 2008 election and sharing her password and telephone number.

Even Kentucky Attorney General Jack Conway was a victim of identity theft, weeks after announcing a special unit on cybercrime.

For more:  http://www.courier-journal.com/article/20110222/FEATURES/302220033/With-latest-Web-perils-it-s-wise-to-be-paranoid?odyssey=tab%7Cmostpopular%7Ctext%7CFEATURES


Hospitality Industry Information Security Risk: Study Finds Identity Fraud Increased by 12% In 2009 To $54 Billion

Javelin Strategy & Research, a group that does studies on identity theft and fraud, released its 2010 Identity Fraud Survey Report toward the beginning of the year. It found that the top two types of personal identification being compromised in a data breach were:
  • Victim’s full name (63 percent)
  • Physical address (37 percent)

Social Security numbers being compromised in data breaches decreased from 38 percent in 2008 to 32 percent in 2009.

It also reported that the number of identity fraud victims in the United States had increased by 12 percent to 11.1 million adults in 2009, and that the annual fraud amount increased by 12.5 percent to $54 billion.

But the study also found that an increasing number of consumers are fighting back against identity theft and taking necessary precautions to preserve their personal information.

The average fraud resolution time dropped 30 percent to 21 hours, and nearly half of all victims were reported to have filed police reports that ended up doubling the reported arrests, tripling the prosecutions, and doubling the percentage of convictions in 2009.

“The 2010 Identity Fraud Survey Report shows that fraud increased for the second straight year and is at the highest rate since Javelin began this report in 2003,” said James Van Dyke, president and founder of Javelin Strategy & Research.

“The good news is consumers are getting more aggressive in monitoring, detecting and preventing fraud with the help of technology and partnerships with financial institutions, government agencies and resolution services.”

Javelin researchers believe the increase in fraud is due in part to the economic downturn, when historically fraud increases.

Robert Siciliano, a researcher with McAfee Inc., identified the top 10 riskiest places for people to lose their Social Security numbers, with colleges and universities coming in at number one. Banking and financial institutions were second and hospitals were third.

According to identitytheftlabs.com, younger adults and small business owners tend to be the victims of identity theft because they often engage in “risky activities” that can lead to them being victimized more frequently.

Read more: The Daily Home – Fight back against identity theft


Hospitality Industry Identity Theft: Las Vegas Hotel Industry Is Target Of Cybercriminals Who “Skim Wireless Transmissions” And Intercept Credit Card Data And PIN Numbers On Low-Cost/High Tech Devices

Law enforcement officers learned last week how easy it is to have one’s identity stolen when a cybercrimes expert powered a $30 machine and intercepted some of the wireless transmissions coming from their smart phones as they sat in a UNLV conference room.

As cybercriminals seek new ways to outsmart police and the public, crime-fighting agencies are increasingly turning to cyber-experts to show them the latest high-tech equipment used in identity theft scams.

One of those experts is Justin Feffer, who conducts seminars for identity theft detectives nationwide on behalf of the FBI and LifeLock, an Arizona company that specializes in identity theft protection.

“It’s absolutely an arms race,” said Feffer, who also investigates cybercrime for the Los Angeles County district attorney’s office. “You see vulnerabilities in software exploited by criminals. Then you see the software companies patch those vulnerabilities and then the criminals develop new ones. That’s why you have to make sure everything is up-to-date and currently patched. What was good last year is by no means safe this year.”

That’s the reason nearly 100 officers from Metro Police, North Las Vegas, Henderson, the state Gaming Control Board and other agencies attended the conference.

It included a demonstration of skimming devices that criminals use to steal credit and debit card information, including PIN numbers, from card-swiping machines that have become increasingly present at Las Vegas restaurants and retail outlets.

Speaking outside the conference room, LifeLock spokesman Mike Prusinski emphasized the importance of training. “Most of the individuals in that room have absolutely no idea what a skimming device looks like or what the wiring looks like. We’re opening their eyes to these things.”

The interview took place outside the room because the FBI and LifeLock don’t want the public — including the media — to know what law enforcement is learning about the tricks of identity thieves.

Nevada has been a hotbed of identity theft for years. The state last year ranked fifth in the nation with 106 complaints per 100,000 residents — 2,802 complaints total — that were fielded by the Federal Trade Commission. That’s down from 130.2 complaints per 100,000 residents in 2005, when Nevada ranked second. The agency did not explain why the numbers for Nevada are down.

The FTC data paint only a partial picture of the problem because many victims file complaints only with police instead of also with the commission. But the number of identity theft crime reports filed with Metro from January through Nov. 13 — 2,063 — is down from the 2,440 filed during the same period in 2009.

For more:  http://www.lasvegassun.com/news/2010/dec/15/pickpockets-strike-through-ether/


Hotel Industry Cyber-Crime Risks: Hotels Are #1 Target For Credit Card Data Theft As Centralized Processing And Economic Downturn Delay Encryption Software Upgrades

Recent studies show hackers steal credit card data from hotels more than any other industry. 

“It’s not if it’s going to happen, it’s when it’s going to happen,” said John Sileo, a Denver resident who had his credit card information stolen on a recent business trip. “The Driskill Hotel had an entire database of customer information stolen. Mine was one of them.”

“Because of the downturn in the economy, a lot of industries have stopped upgrading their software,” he said. “So they’re very open for being hacked at any point.”

A recent study shows the hotel industry is especially open for being hacked.

Ryan Jones, a data-security consultant with Trustwave, has been watching a steady increase in hotel hacking.

“The main reason is they’re such a central hub for where people run their cards,” Jones said.

Trustwave found that out of all the hacking cases they investigated last year, 38 percent involved hotels, well ahead of financial services (banks) at 19 percent and retail at 14 percent.

Destination Hotels and Resorts, headquartered in Englewood, is just one of the major chains that got hacked.

This summer, they told guests at 21 hotels across the country that their credit cards might be compromised.

For more:  http://www.thedenverchannel.com/money/25881609/detail.html
