Tag Archives: Cybersecurity

by | August 15, 2011 · 5:31 am

Hospitality Industry Information Security: Hotels And Resorts Are Targeted For Cyber Attacks Because Of Faulty "Data Collection Practices"

“…The report said the largest share of cyber attacks — 38% — were aimed at hotels, resorts and tour companies…”

“… large hotel chains are most vulnerable because hotel management companies may not be able to monitor how data is collected and stored at dozens or even hundreds of properties throughout the world. Independent contractors who work for individual hotels can also open the door to hackers and computer viruses…”

A business traveler who books hotel rooms via the Internet, may be at higher risk of being victimized by computer hackers and identity thieves.

Insurance claims for data theft worldwide jumped 56% last year, with a bigger number of those attacks targeting the hospitality industry, according to a new report by Willis Group Holdings, a British insurance firm.

That could spell trouble for business travelers who submit credit card numbers and other personal information to hotel websites, said Laurie Fraser, global markets leisure practice leader for Willis.

For more:  http://www.latimes.com/business/la-fi-travel-briefcase-20110815,0,65581.story

Comments Off on Hospitality Industry Information Security: Hotels And Resorts Are Targeted For Cyber Attacks Because Of Faulty "Data Collection Practices"

Filed under Crime, Guest Issues, Insurance, Liability, Management And Ownership, Privacy, Risk Management, Technology, Theft

Tagged as , , , ,

by | August 13, 2011 · 7:35 am

Hospitality Industry Information Security: Hotel Kiosk Computer Security Can Be Tested With Free Web Service Tool

“… iKAT (Interactive Kiosk Attack Tool) is a free web service that tries to bypass the protective mechanisms of internet kiosk PCs and gain control of the systems. Such computers can usually be found in hotel lobbies, airport lounges and other public spaces. Kiosk operators can use iKAT to test the resilience of their systems…”

The Linux- or Windows-based kiosk systems are usually protected and only allow specific applications to be launched. The primary aim of iKAT is to start a Windows or Linux shell. To achieve it, iKAT tries to exploit known vulnerabilities in a number of different ways. For example, when opening the iKAT page from a Windows-based kiosk system, users are presented with a “1Click PWN” button – this launches components including Metasploit on the server to scan the kiosk PC for browser exploits. Other avenues include accessing “Open File” or “Print File” dialogs in order to execute cmd.exe.

For more:  http://www.h-online.com/security/news/item/Free-web-service-cracks-internet-kiosks-1321613.html

4 Comments

Filed under Guest Issues, Liability, Management And Ownership, Privacy, Risk Management, Technology

Tagged as , , , ,

by | August 5, 2011 · 6:38 am

Hospitality Industry Information Security Risks: "Cyber Attack Claims" Increase 56% Mainly Through "Rogue Employees, Malicious Attacks, And Mistakes By Outsourcing Firms"

“…The vast quantities of personal, identifiable information collected by the leisure and hospitality industry have made the sector a chief target for cyber attacks, according to Willis…with reports of a 56% rise in cyber claims over the past year….”

“…Rogue employees, malicious attacks, and mistakes by outsourcing firms appear to be the main culprits, with hackers getting ever-more sophisticated in their attempts to drain corporate databases of customers’ personal details…”

Willis warns that some breaches can cost in excess of $100 million and with more stringent data protection legislation coming into force, companies’ financial exposure to this type of crime will increase further.

“Recent breakthroughs include the introduction of identity theft solutions and Payment Card Industry fines coverage, which helps to protect companies from penalties linked to the mismanagement of credit card data.”

For more:  http://www.insurancedaily.co.uk/2011/08/03/hospitality-and-leisure-attract-cyber-attacks/

Comments Off on Hospitality Industry Information Security Risks: "Cyber Attack Claims" Increase 56% Mainly Through "Rogue Employees, Malicious Attacks, And Mistakes By Outsourcing Firms"

Filed under Claims, Guest Issues, Insurance, Labor Issues, Liability, Management And Ownership, Risk Management, Technology, Theft

Tagged as , , , , ,

by | July 26, 2011 · 10:25 am

Hospitality Industry Security Risks: Hotel "Cyber Liability Myths Exposed"

Cyber Liability Myths Exposed

By Brad Durbin – Petra Risk Solutions 

 

In today’s e-commerce society, operating your hotel without cyber liability coverage is like attempting to drive your car blindfolded on a  Southern California  freeway during rush-hour traffic. 

Here are three common myths and misconceptions I’ve heard repeatedly when discussing cyber liability insurance coverage with hotel owners and operators. 

Myth #1 – “I use the online reservation system offered by my franchise.  They’ll cover me if their system is hacked and my guest’s personal information is compromised.”

This is by far the most common misconception among hoteliers about their exposure and responsibility for a data breach. It’s easy to see why.  You are using your franchisor’s reservation system, which is offered as part of your franchise agreement.  Why wouldn’t they cover you if their system is hacked? 

The answer is in your contract.  While some franchise agreements are more favorable in this area than others, most contain special provisions regarding the use of their online reservation systems.  These provisions typically state that the hotel will be responsible for defending the franchisor and holding them harmless, regardless of whether the data breach came from within the online reservation system. 

The exposure is even greater for non-franchised properties using third party reservations system providers or wholesalers.  I have yet to come across a contract for these services that could be viewed as favorable for the hotel in the event that the reservation system is breached. 

 Myth #2 – “If a hotel guest’s credit card information is stolen at the property level, my Payment Card Processing company will cover me under their policy.” 

Most hoteliers erroneously assume that their Payment Card Processing Company (PCP) will have their best interest in mind in the event of a data breach.  I’m not sure why.  No business, regardless of how great or longstanding your relationship with them has been, will volunteer to pay significant attorney costs and consumer notification fees for you unless they are contractually obligated to do so.  Not surprisingly, most PCP contracts are heavily weighted in favor of the PCP provider regardless of where the data was taken from or if the PCP company is to blame.

Your liability is even greater for a data breach that can be traced back to the hotel property level.  If this happens, the Payment Card Industry (PCI) mandates that you conduct a forensic accounting audit of all your records.  These audits can cost $20,000 – $25,000 for a single location, limited service property. This amount does not include fines typical for any non-compliance issues discovered during the audit. 

Myth #3 – “Cyber liability coverage is a waste of money.”

Most states have laws requiring you to notify EVERY GUEST in your database upon discovery of a breach (e.g. California Senate Bill 1386).  Analysts estimate that the average cost for this notification is approximately $30 per record.  Multiply this by the number of records in your system, or the number of guests who have stayed at your hotel over the years, and you can see just how financially devastating these claims can become. 

For a typical limited service franchised property with $2,500,000 – $5,000,000 in annual room revenue, a cyber liability policy with a $1,000,000 limit can usually be obtained for less than $7,000 annually… an extremely fair price point considering the risks and hefty costs associated with a data breach.

Final Thoughts

When a hotel data breach occurs, guests won’t know or care that another company may be responsible.  They will come directly to the hotel for a remedy. The ENTIRE FINANCIAL BURDEN for notification costs, legal defense, and monetary settlement of all related claims may be borne directly by the hotel – if it does not have an appropriate cyber liability insurance policy in force.

To protect your hospitality assets, select and obtain cyber liability coverage that will address PCI fines, consumer notification costs, credit monitoring, and any government or regulatory action levied against your business in the event that a data breach is discovered.  Not all cyber policies include coverage for these areas, so it’s important for you to work with a qualified hospitality insurance broker. 

Securing proper cyber liability insurance coverage is a cost effective method for hoteliers to help mitigate the risks associated with owning and operating a hotel in today’s digital society. 

———————————————————————-

Brad Durbin is a Hospitality Insurance Specialist with Petra Risk Solutions. For questions about Hotel Cyber Liability or any other Hospitality Risk Solutions, contact Brad at bradd@petrarisksolutions.com.

Comments Off on Hospitality Industry Security Risks: Hotel "Cyber Liability Myths Exposed"

Filed under Crime, Guest Issues, Insurance, Liability, Management And Ownership, Risk Management, Technology

Tagged as , , , , , ,

by | July 14, 2011 · 7:14 am

Hospitality Industry Guest Credit Card Security: Tips For Securing Hotel Computer Systems Against Credit Card Data Theft (Video)

[youtube=http://www.youtube.com/watch?v=iCmZ9DlrI9o]

Sue Zloth, is a member of the HFTP PCI Compliance Roundtable, provides key tips for securing guests’ credit card data at the 2011 Hospitality Industry Technology Exposition and Conference (HITEC) conference.

  • Change default passwords on all new information systems
  • Do not allow remote access into hotel computer systems
  • Minimize areas where credit card data is stored

Comments Off on Hospitality Industry Guest Credit Card Security: Tips For Securing Hotel Computer Systems Against Credit Card Data Theft (Video)

Filed under Crime, Guest Issues, Liability, Maintenance, Management And Ownership, Risk Management, Technology, Theft, Training

Tagged as , , , ,

by | June 21, 2011 · 5:50 am

Hospitality Industry Information Security: "Cyberinsurance" Has Evolved Into A "Must-Have" Insurance Policy For Hotel Management As Coverage Includes "Forensics"

“…some insureds get charged $1,000 an hour by a forensics firm. It’s paying the individual walking by your house burning down with a bucket of water…” 

“…used to really focus our underwriting attention on how well they could prevent the breach, but we’ve added another phase to it,” says Whetstone. “Not only can you prevent it, but if it happens, how quickly can you respond? Do you have a plan in place? Kind of like a disaster recovery plan or a business continuity plan. It’s the same with this incident response plan.”

“…cyberinsurance is a “must-have” for most firms today…”

Demand for cyberinsurance was rising even before the most recent highly-publicized parade of breaches at major corporations and organizations. After the news of the first major Sony hack but before the subsequent reports involving Sony, Citicorp, the International Monetary Fund and others, Insurance Journal spoke with an expert to gauge how the insurance market for this coverage is doing.

James Whetstone, senior vice president and U.S. technology and privacy manager for insurer Hiscox Specialty, is a former technology geek and broker turned underwriter.

Hiscox is one of the original underwriters of the coverage. Whetstone says there are almost 30 carriers now offering cyber liability coverage, some more seriously than others. He says these times of claims are when an insurer’s commitment to a market can be tested, citing what he calls the “naive” capacity that exists.

The coverage has evolved quickly– Whetstone compares the product’s acceptance to that of employment practices liability (EPL) coverage– to where cyberinsurance is a “must-have” for most firms today.

The underwriting has also changed. “We used to really focus our underwriting attention on how well they could prevent the breach, but we’ve added another phase to it,” says Whetstone. “Not only can you prevent it, but if it happens, how quickly can you respond? Do you have a plan in place? Kind of like a disaster recovery plan or a business continuity plan. It’s the same with this incident response plan.”

For more:  http://www.insurancejournal.com/news/national/2011/06/20/203166.htm

Comments Off on Hospitality Industry Information Security: "Cyberinsurance" Has Evolved Into A "Must-Have" Insurance Policy For Hotel Management As Coverage Includes "Forensics"

Filed under Claims, Guest Issues, Insurance, Liability, Management And Ownership, Risk Management, Technology, Theft

Tagged as , , , , ,

by | June 7, 2011 · 7:56 am

Hospitality Industry Computer Risks: Cybercrime Risks Remain Perilous As "Malicious Software Or Malware" Increases To 6 Million Programs In First Three Months Of 2011

The amount of new malicious software, or “malware,” unleashed on the internet during the first three months of this year hit six million programs, according to a report last week by McAfee, the computer antivirus maker. “It’s been a busy start to 2011 for cybercriminals,” Vincent Weafer, senior vice president of McAfee Labs, said in a statement.

A 2009 study by computer antivirus maker McAfee and SAIC, a technology security firm, estimated that computer crime cost companies $1 trillion across the globe, but analysts say the actual total is sure to be higher as computer security breaches are underreported.

“I think all the service providers are victims of this type of issue, it’s just whether the company has a public interface to warn users of this type of problem is the big question,” Andrew Lih, author and professor at the University of Southern California, told CNN.

“Google has been pretty good at being forthcoming in having this kind of dialogue with its users,” Lih said. “It’s very possible to probable that these other service providers, from Yahoo to Microsoft to any of these other ones, have had these types of attacks, it’s just that Google has been very public in trying to combat this.”

For more:  http://business.blogs.cnn.com/2011/06/07/the-hidden-cost-of-cybercrime/

Comments Off on Hospitality Industry Computer Risks: Cybercrime Risks Remain Perilous As "Malicious Software Or Malware" Increases To 6 Million Programs In First Three Months Of 2011

Filed under Guest Issues, Labor Issues, Maintenance, Management And Ownership, Risk Management, Technology, Theft

Tagged as , , , ,

by | May 7, 2011 · 7:21 am

Hospitality Industry Computer Data Risks: New Orleans Hotels Investigation Finds "Pubic Business Center" Computers Retain "Sensitive Information" In Temporary And Recycle Bin Folders

“…the Louisiana Technology Council says …many hotels make little or no attempt to protect your private information on their public PCs…in business centers…”

“That information will live on that computer until such time that it’s deleted,” said Lewis. “You and I both know that it’s really never deleted. It can be recovered and if someone comes in with software, they may be able to get that data off the PC.”

Eyewitness News sent an intern into about a dozen New Orleans area hotels to search for documents and other information left on public computers after the user logged off. Among the things we found: invoices; insurance papers; tickets to a show at the Lakefront Arena; a certificate from the Texas Department of Insurance and even someone’s monthly pay statement.

Most of the documents contained people’s names, addresses and other sensitive information about the user. “I was amazed that you were able to print out some very confidential and private information from a business center location,” said Lewis.

“If somebody wants to open up a new credit card and in this day and age of identity theft, having that kind of information out there is real frightening,” said attorney Daren Sarphie.

He says in March, the client got a disturbing phone call from a guest at the International House Hotel in downtown New Orleans. The guest told him all of the his private information, including Social Security number, birth date, home address and phone number was contained on a document stored on the hotel computer for all to see.

“The person that accessed, that found this file had just gone to hotel to book plane reservations to go back home to Dallas and in the process, he’s just playing around on the computer and he accessed this directory and is able to pull up all kinds of stuff, said Sarphie.

“You’d think that the hotels at least would have a system in place that they would erase the hard drive on a weekly basis or a daily basis to make sure there are no temporary files saved on that computer,” said Sarphie.

The information we found was easy to access on the computers. Most of it was stored in the PC’s temporary Internet files, saved in the documents folder or waiting to be deleted in the computer’s recycle bin.

The owner of the International House Hotel says it is his hotel policy to purge the public computer’s desk top of any documents and public files every 24-hours. But, he says it is a public computer and people need to be mindful to log out of personal accounts and delete personal documents before leaving the computer.

For more:  http://www.wwltv.com/news/Keeping-It-Safe-On-Hotel-Computers-121350324.html

Comments Off on Hospitality Industry Computer Data Risks: New Orleans Hotels Investigation Finds "Pubic Business Center" Computers Retain "Sensitive Information" In Temporary And Recycle Bin Folders

Filed under Crime, Guest Issues, Liability, Management And Ownership, Privacy, Risk Management, Technology

Tagged as , , , ,

by | April 28, 2011 · 6:25 pm

Hospitality Industry Information Security Risks: Hotel Management Must "Encrypt All Confidential Guest Data" To Decrease "Public Exposure Of Data"

“…99% of businesses around the globe at present no longer store confidential information on their systems and 75% continuously complied with PCI requirements…”

“…encrypting confidential information will “shrink the card data environment,” thus a minimal to zero possibility of public exposure of these data…”

To prevent fraud, she proposed three ways for the card industry:

  • Widespread distribution of ‘smarter’ payment devices is one, where EVM (chip-and-pin) cards will be used
  • Smarter networks to stem the cyber crime before or when it happens
  • A cardholder authentication method such as two-factor authentication

“Visa’s global fraud rate recently hit a historic low – at just over 5 cents for every $100 transacted, down more than two-thirds from the levels of 20 years ago,” she added.

She urged the card industry to step up a bit more its security measures as most consumers believe cyber criminals are ahead of what’s already in place. According to Richey, 61% of consumers are of the opinion that the security measures of the card industry are one step behind cyber criminals.

Rather than keeping pace with cyber crime which would only exhaust resources, Richey proposed getting smarter as a better solution in combating fraud and protecting card data.

“We need to use all the intelligence we have at our disposal. I think that the opportunities to get smarter and fight fraud are all around us,” she said.

Richey, on the other hand, recognized the fact that these suggestions will be costly and will require tremendous resources.

For more:  http://inaudit.com/audit/it-audit/cyber-crime-vincible-through-smarter-technologies-visa-5856/

Comments Off on Hospitality Industry Information Security Risks: Hotel Management Must "Encrypt All Confidential Guest Data" To Decrease "Public Exposure Of Data"

Filed under Crime, Guest Issues, Liability, Management And Ownership, Privacy, Risk Management, Technology, Theft

Tagged as , , ,

by | April 10, 2011 · 8:12 am

Hospitality Industry Information Security Risks: Hotel Management Should Consider "Cyber Liability Policies" With "Vicarious Liability Provisions" To Insure Guest Information Database Breaches

“…clients with robust cyber liability policies will find coverage under the vicarious liability provisions. …”

Data breaches generally represent enormous problems for companies,” said Alan N. Situn, a shareholder with law firm Greenberg Traurig L.L.P. in New York. “Not only can they be very expensive, but equally important to many companies (is) the reputational damage that they perceive from these types of breaches” if information they provide to a third party is somehow breached.

Hackers tend to hold on to such information “usually about a year, and then use it in the hope that folks have become a little bit more relaxed and not as vigilant,” said Mauricio F. Paez, a partner with law firm Jones Day in New York.

For the most part, the companies that are affected are in a damage- or crisis-management mode, said Robert J. Scott, managing partner with law firm Scott & Scott L.L.P. in Dallas. “They’re emailing their customers; they’re apologizing for the inconvenience, trying to clarify and limit the scope of the magnitude of the problem; and they’re hopeful the leakage of the email doesn’t result” in other problems.

Observers noted that the firms were notifying customers of the data breach even though they were not legally required to do so by state laws, except in North Dakota, unless more damaging personal information, such as Social Security or credit card numbers, had been revealed.

Epsilon customers whose data was breached have been “doing everything they should be doing in terms of being up front and honest with the consumers,” Mr. Scott said.

If the breach results in litigation, the question will arise of “how does that fit into the overall risk management program of the company” that hired the outside marketing company, said Kroll Ontrack’s Mr. Brill, who suggested that affected firms review their risk management programs now.

For more:  http://www.businessinsurance.com/article/20110410/ISSUE01/304109976

2 Comments

Filed under Claims, Guest Issues, Liability, Management And Ownership, Risk Management, Technology

Tagged as , , , , ,