Tag Archives: Data Breaches

Hospitality Industry Cyber Crime Risks: Boston Restaurant Group Was Source Of Major Credit Card Payment System Breach; “Sophisticated, Outside Attack”

“…The (restaurant group) believes that it was a sophisticated, outside attack…Boston Police and the US Secret Service are investigating…This is the second major breach of the Briar Group’s payment systems. In 2009, malware, or malicious software, was apparently installed on Briar’s computers, allowing thieves to access credit and debit card information. The chain paid $110,000 to the state to settle allegations that it failed to protect diners’ personal information after that security breach.”

A local restaurant chain confirmed Friday that its computer systems were breached, putting the credit-card information of thousands of customers at risk, including visitors who attended two major conventions in Boston.

The Briar Group, which owns 10 restaurants and bars in Boston, including two at the Westin hotel connected to the Boston Convention & Exhibition Center, said its computer systems were infiltrated sometime between October and early November. It said customer names, credit-card numbers, expiration dates, and security information were captured from the cards’ magnetic strips.

The company isn’t sure how many customers were affected, but every month thousands visit Briar’s locations, said Diana C. Pisciotta, a spokeswoman for the chain.

The American Public Health Association hosted 13,000 conventioneers in Boston in early November, and the American Society of Human Genetics brought 8,000 attendees to a conference in October. Both reported that hundreds of people reported unauthorized charges on their accounts after visiting Boston.

For more: http://www.bostonglobe.com/business/2013/12/27/local-restaurant-chain-source-data-breach-that-compromised-card-info-conventioneers/wPhKKndyN4hshrU47J2rwO/story.html

Filed under Crime, Guest Issues, Liability, Maintenance, Management And Ownership, Risk Management, Technology, Theft

Hospitality Industry Cybercrime Risks: Criminal Hackers Target Hotels Lacking “Advanced Data Security Safeguards” On Local Credit Card Transactions; “Chip-And-Pin Cards” Coming Soon

“…criminal hackers gravitate to some hotels because, like retail stores and restaurants, hotels do many credit card transactions at a local level, where centralized and highly sophisticated data security safeguards may be lacking…Most hotels are locally owned, though managed by big hotel chain companies. For hotel owners, it is expensive to come into full compliance with the tough global data security criteria set by the credit card companies…That includes using complex passwords, being wary of public Wi-Fi, updating antivirus software — and checking credit card statements carefully…”

“…In the United States, credit cards use magnetic strips that are more vulnerable to hacking than the electronic chips embedded in credit cards in Europe and elsewhere. Such cards also require entry of a PIN…these so-called chip-and-PIN cards are headed our way, said Kathy Orner, vice president for information security at Carlson Rezidor, a worldwide hotel company that is among the industry leaders in data security…all of the major credit card issuers plan to start introducing these cards in the United States within two or three years…”

In its 2013 Global Security Report, Trustwave, a data security management firm, says that the top three industries targeted for data breach attacks in 2012, measured by the number of its investigations, were retailing (45 percent), food and beverage (24 percent) and hotels (9 percent). Three years ago, the hotel industry was at the top, but hotels have since made “significant strides” in improving credit card security measures, the report says.

Last year, for example, the Federal Trade Commission sued Wyndham Worldwide, the hotel chain, for what it said was inadequate safeguarding of credit card information that led to three data breaches at hotels in under two years, with “millions of dollars in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to an Internet domain address registered in Russia.”

The threat is constant, Mr. Roman said. “The best protection is vigilance, and that takes work,” he said.

For more:  http://www.nytimes.com/2013/09/03/business/data-security-begins-with-the-traveler.html

Filed under Guest Issues, Insurance, Liability, Management And Ownership, Privacy, Risk Management, Technology, Theft

Hospitality Industry Information Risks: “Cyber-Risk Insurance” Protects Businesses Against “Data Breaches”

“…CFOs are looking for insurance against cyber threats. In the past few years, cyber-risk coverage has become one of the fastest-growing businesses for insurers…Businesses, government agencies, hospitals and schools in the U.S. reported 343 data breaches this year through July, reports CFOJ’s Maxwell Murphy. That exceeds the number reported in all of 2006 and puts 2013 on pace for 588 breaches, the most since 2010…”

Data breaches have been on the rise after a dip in the past two years, and experts say the publicly disclosed breaches of computer networks may be only a  fraction of the total.

Cybersecurity used to be something that Ciena CFO James Moylan Jr. delegated. But now he spends as much as 10% of his time making sure  Ciena and its technologies are protected from hackers, cutthroat competitors and other potential cybercriminals. “With all the things that have been in the  news—hackers and, frankly, the Chinese—it’s all caused us to think about” how to cut the potential cost of a data breach, he says. The average cost of a breach  is about $188 per stolen record, and the average loss per incident is $9.4 million, according to a study last week from the Ponemon Institute.

For more:  http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-300092/

Filed under Crime, Guest Issues, Insurance, Liability, Management And Ownership, Risk Management, Theft

Hospitality Industry Data Security Risks: Hotels Are At Significant Risk Of “Large-Scale Hacking” Of Guest Personal Information, Including Information In Reservation Systems

“Data security is becoming an issue of significant importance in the hospitality industry…(because of) an increase in hacks and malware attacks, which frequently target hotel systems because they’re a rich source of personal information… hackers aren’t just targeting data on hotel systems but also the information passed along to reservations systems…credit card theft is much easier — and more likely — through large-scale hacking…another reason hotel guests are vulnerable to having their personal information stolen: They’re easily distracted.”

Several days after Traci Fox visited a small independent resort in the Catskill Mountains, she received an unexpected call from a shoe store. Where did she want it to ship the $400 worth of pricey sneakers that she’d ordered?

Fox believes that her hotel may have compromised her credit card information. At least one government agency shares her concerns. Last summer, the Federal Trade Commission sued Wyndham Hotels, alleging that the company had failed to protect its customers’ personal information. As a result, the FTC claims, hundreds of thousands of credit card numbers fell into the wrong hands, leading to millions of dollars in fraud-related losses. Wyndham denies any wrongdoing and is fighting the suit.

The problem may run deeper than the theft of credit card numbers, however.

The personally identifiable information in your guest profile, such as your home address, your license plate number and your date of birth, which is attached to your reservation, can end up in the hands of a third party that offers little or no warranties about how it will protect your data. “These kinds of areas are more worrisome than some huge Visa bill,” says hotel consultant Marion Roger. “Once your identity has been cloned, you can easily spend years and hundreds of thousands in legal and other fees.”

For more:  http://www.washingtonpost.com/lifestyle/travel/the-navigator-when-you-check-in-your-private-information-may-be-checked-out/2013/03/28/07cb90ca-9599-11e2-bc8a-934ce979aa74_story.html

Filed under Crime, Guest Issues, Liability, Management And Ownership, Privacy, Risk Management, Technology, Theft

Hospitality Industry Information Security Risks: Hotels, Restaurants And Retailers Accounted For 78% Of “Data Breaches By Cyber-Criminals” In 2012; “Weak Or Guessable Passwords” Is Most Common Vulnerability

“…Almost one-third of all victims had critical systems administered by a third party…Attackers had no trouble exploiting that weakness, with vulnerable remote-access systems accounting for the method of entry in 47 percent of the cases…in most cases, users – not software vulnerabilities – were to blame. Almost 90 percent of systems had weak or easily guessable passwords, with “Password1” continuing to be the most common, according to Trustwave’s report…”

An analysis of breach data for 2012 found that retailers and the hospitality industry continued to command the most interest from cyber-criminals, accounting for 78 percent of the breaches documented by security services firm Trustwave.

The businesses are typically easy targets, having outsourced the administration of important servers and business data to firms that focus more on keeping the systems functioning than on security, says Christopher Pogue, director of digital forensics and incident response for Trustwave’s SpiderLabs.

“An integrator may have 1,000 customers and may do remote administration for all of them using, not 1,000 passwords, but maybe two or three,” Pogue said. “That leaves a vulnerability that can be exploited by attackers.”

For more:  http://www.techweekeurope.co.uk/news/retailer-hotel-crime-107589

Filed under Crime, Liability, Maintenance, Management And Ownership, Privacy, Risk Management, Technology, Theft

Hospitality Industry Legal Risks: "Data Breach Class-Action Lawsuits" Are Increasing As Judges Widen View To Include "Future Damages"; Average Settlements Of $2500 Per Plaintiff

“…Until a couple of years ago, courts would routinely dismiss lawsuits stemming from data breaches, such as the latest in South Carolina, unless the victims could show specific damages. Judges have since widened their view and are awarding class-action status to lawsuits that can show actual damages or a real possibility of future damages…”

The payout for companies on the losing side of a class-action suit can be substantial. A recent survey of data breach litigation found the average settlement award of $2,500 per plaintiff, with mean attorney fees reaching $1.2 million, according to a study by Temple University Beasley School of Law.

How federal courts define the damages people suffer from data breaches is broadening dramatically, leaving unprepared companies at greater risk of big payouts in class-action lawsuits, lawyers from a prominent law firm say.

Jeffrey Vagle, a lawyer with Pepper Hamilton, described as a “sea change” judges’ thinking. “Courts are starting to pick up on the fact that the data that can get out there can cause serious harm, maybe not immediately, but sometime in the near future,” Vagle said.

Examples include a case in which a laptop containing unencrypted personal data of Starbucks employees was stolen. While there was no evidence that the data was misused, the Ninth Circuit Court ruled in 2010 that the risk alone was enough to warrant a lawsuit, Vagle and colleague Sharon Klein said in a Client Alert published on the law firm’s website.

Data breaches have become a fairly common occurrence among companies of all sizes. Last year, 174 million data records were lost in 855 separate incidents, according to a recent report from Verizon. A 2011 Ponemon Institute survey of 583 IT and IT security professionals in the U.S. found that 90 percent of the organizations they represented had suffered at least one data breach.

To lessen potential damages, Pepper Hamilton recommends beefing up technical and physical security wherever possible. While no technology is 100% hacker proof, courts tend to compare what a company has in place to what is considered best practices for businesses of the same size and in the same industry. Taking all reasonable steps to prevent data theft can lessen damages.

Also, information shouldn’t be linked to individuals, unless absolutely necessary, and a notification policy needs to be in place, so people affected by data breaches are warned as quickly as possible.

A bill pending in Congress would set a national standard for data breach notification, replacing the variety of state laws that exist today. Introduced in June, the Data Security and Breach Notification Act would also set maximum damages and define what is considered a breach.

Irrespective of the bill’s fate, companies need to establish clear policies and procedures for handling data breaches when they occur. Klein recommends a dry run to ensure that everyone understands the steps that need to be taken.

“Many companies still believe that it only happens to the other guy,” Klein said. “And because of that, [they] have not done the blocking and tackling and preventative work upfront.”

For more:  http://m.csoonline.com/article/720128/courts-widening-view-of-data-breach-damages-lawyers-say?goback=.gde_922967_member_180838402

Filed under Claims, Crime, Guest Issues, Insurance, Liability, Management And Ownership, Risk Management, Theft

Hospitality Industry Information Risks: Federal Trade Commission (FTC) Sues Hotel Operator Over Guest Account Data Theft That Results In Over $10 Million Of Credit Card Fraud

“… fraudulent charges on Wyndham’s consumer accounts totaled more than $10.6 million following three data breaches in less than two years. The breaches occurred in April 2008, March 2009 and in late 2009…”

The Federal Trade Commission said repeated failures to secure consumer data led to hundreds of thousands of consumers’ payment card information being exported to an Internet domain address registered in Russia.

Wyndham, which operates several hotel brands, including the value-oriented Days Inn and Super 8, is one of a large number of organizations that acknowledged in the past three years that they had been hacked by people seeking either financial gain or intellectual property.

Other victims have included entertainment giant Sony, the International Monetary Fund, Google, Lockheed Martin and Citigroup.

For more: http://www.reuters.com/article/2012/06/27/uk-ftc-wyndham-idUSLNE85Q01Q20120627

Filed under Crime, Guest Issues, Insurance, Liability, Management And Ownership, Privacy, Risk Management, Theft

Hospitality Industry Information Technology Risks: Hotel And Restaurant "POS Systems" Are The #1 Target Of Criminal Data Breaches

If a criminal can breach a system in the restaurant, they also have access to the front desk, the spa and any other connected system. The risk is even greater when hotels are part of a hotel chain with interconnected systems.

Franchise businesses are particularly at risk primarily because franchises tend to have the same POS system duplicated at all locations. If a cybercriminal can figure out a way to breach one, in all likelihood, they can replicate the attack at other locations.

In 2011, Trustwave SpiderLabs conducted 42 percent more data breach investigations than in the previous year. More than 85 percent of these data breaches occurred in the food and beverage, retail and hospitality industries.

Why the focus on these industries? There are several reasons, but the number one is that they all process credit cards. In our investigations, we found that the vast majority of assets targeted by criminals were point-of-sale software systems (75 percent of cases). Think of the scenario of a hotel that maintains a restaurant, a spa, as well as other services all connected to one POS system. We’ve investigated cases where the criminal breached the environment at one location and was in turn able to connect to dozens of others through the wide area network used by the hotel chain.

For more:  http://www.forbes.com/sites/ciocentral/2012/04/11/restaurants-beware-hackers-want-your-customer-data/

Filed under Crime, Guest Issues, Liability, Maintenance, Management And Ownership, Privacy, Risk Management, Technology, Theft
