Tag Archives: Guest Information

Hospitality Industry Information Security: Hotel Kiosk Computer Security Can Be Tested With Free Web Service Tool

“… iKAT (Interactive Kiosk Attack Tool) is a free web service that tries to bypass the protective mechanisms of internet kiosk PCs and gain control of the systems. Such computers can usually be found in hotel lobbies, airport lounges and other public spaces. Kiosk operators can use iKAT to test the resilience of their systems…”

The Linux- or Windows-based kiosk systems are usually locked down so that only specific applications can be launched. The primary aim of iKAT is to obtain a Windows or Linux shell. To achieve this, iKAT tries to exploit known weaknesses in a number of different ways. For example, when the iKAT page is opened from a Windows-based kiosk, users are presented with a “1Click PWN” button; this launches server-side components, including Metasploit, that probe the kiosk PC’s browser for exploitable flaws. Other avenues include abusing “Open File” or “Print File” dialogs to launch cmd.exe.
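The escape paths listed above map onto a handful of Windows policy settings. The script below is an added example, not code from the article or from iKAT: it audits those settings on a kiosk, reading the registry live on Windows and otherwise evaluating a captured snapshot. The registry keys are the standard Group Policy locations; the meaning attached to each value (noted in the comments) and the two sample snapshots are assumptions for the example.

```python
"""Audit a Windows kiosk's lockdown policy against the escape paths a tool like
iKAT exercises: launching cmd.exe, the Run dialog, browsing drives from Open
and Print dialogs, and running arbitrary executables.

Added example, not iKAT code.  Registry paths are the standard Group Policy
locations; the value semantics are assumptions stated in the comments.
"""
import sys

HKCU_EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
HKCU_SYSTEM = r"Software\Policies\Microsoft\Windows\System"
HKLM_SAFER = r"SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
HKLM_APPLOCKER_EXE = r"SOFTWARE\Policies\Microsoft\Windows\SrpV2\Exe"

DRIVE_C = 0x4  # NoViewOnDrive bitmask: A=1, B=2, C=4, ... (assumed)

# One check per escape path: (hive, subkey, value name, ok-predicate, finding).
# An absent value fails its check.
CHECKS = [
    ("HKCU", HKCU_SYSTEM, "DisableCMD", lambda v: v in (1, 2),
     "cmd.exe can be launched: DisableCMD not set (assumed 1 = block cmd and .bat, 2 = block cmd only)"),
    ("HKCU", HKCU_EXPLORER, "NoRun", lambda v: v == 1,
     "Run dialog reachable: NoRun not set"),
    ("HKCU", HKCU_EXPLORER, "NoViewOnDrive", lambda v: bool(v & DRIVE_C),
     "C: browsable from Open/Print dialogs: NoViewOnDrive does not cover C:"),
    ("HKCU", HKCU_EXPLORER, "RestrictRun", lambda v: v == 1,
     "No allow-list of runnable Windows programs: RestrictRun not set"),
]


def _value(snapshot, hive, subkey, name):
    return snapshot.get((hive, subkey, name))


def execution_control_enforced(snapshot):
    """True if SRP default-deny or AppLocker EXE enforcement is active."""
    srp = _value(snapshot, "HKLM", HKLM_SAFER, "DefaultLevel")
    applocker = _value(snapshot, "HKLM", HKLM_APPLOCKER_EXE, "EnforcementMode")
    # Assumptions: SRP DefaultLevel 0 = Disallowed (0x40000 = Unrestricted);
    # AppLocker EnforcementMode 1 = enforce rules (0 = audit only).
    return srp == 0 or applocker == 1


def evaluate(snapshot):
    """Return findings for a snapshot shaped {(hive, subkey, name): value}."""
    findings = []
    for hive, subkey, name, ok, finding in CHECKS:
        v = _value(snapshot, hive, subkey, name)
        if v is None or not ok(v):
            findings.append(finding)
    if not execution_control_enforced(snapshot):
        findings.append("Arbitrary executables run: neither SRP default-deny "
                        "nor AppLocker EXE enforcement is active")
    return findings


def read_live_snapshot():
    """Read the checked values from the local registry (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("live read needs Windows; call evaluate() on a captured snapshot")
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    wanted = [(h, k, n) for h, k, n, _, _ in CHECKS] + [
        ("HKLM", HKLM_SAFER, "DefaultLevel"),
        ("HKLM", HKLM_APPLOCKER_EXE, "EnforcementMode"),
    ]
    snapshot = {}
    for hive, subkey, name in wanted:
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                snapshot[(hive, subkey, name)] = winreg.QueryValueEx(key, name)[0]
        except OSError:
            pass  # key or value absent: treated as "not configured"
    return snapshot


# Constructed snapshots: a "full-screen browser is enough" kiosk, and the
# same machine with the policies applied.
WEAK_KIOSK = {
    ("HKLM", HKLM_SAFER, "DefaultLevel"): 0x40000,
}
HARDENED_KIOSK = {
    ("HKCU", HKCU_SYSTEM, "DisableCMD"): 1,
    ("HKCU", HKCU_EXPLORER, "NoRun"): 1,
    ("HKCU", HKCU_EXPLORER, "NoViewOnDrive"): 0x3FFFFFF,  # all drives A..Z
    ("HKCU", HKCU_EXPLORER, "RestrictRun"): 1,
    ("HKLM", HKLM_SAFER, "DefaultLevel"): 0,
    ("HKLM", HKLM_APPLOCKER_EXE, "EnforcementMode"): 1,
}

if __name__ == "__main__":
    snap = read_live_snapshot() if sys.platform == "win32" else WEAK_KIOSK
    for f in evaluate(snap) or ["no findings"]:
        print("-", f)
```

Run it on the kiosk before pointing the browser at iKAT. A clean result means the shell, Run-dialog and file-dialog routes are closed; it says nothing about the browser-exploit route, which is a patching question.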

For more:  http://www.h-online.com/security/news/item/Free-web-service-cracks-internet-kiosks-1321613.html


Filed under Guest Issues, Liability, Management And Ownership, Privacy, Risk Management, Technology

Hospitality Industry Security Risks: Hotel "Cyber Liability Myths Exposed"

Cyber Liability Myths Exposed

By Brad Durbin – Petra Risk Solutions 


In today’s e-commerce society, operating your hotel without cyber liability coverage is like attempting to drive your car blindfolded on a Southern California freeway during rush-hour traffic.

Here are three common myths and misconceptions I’ve heard repeatedly when discussing cyber liability insurance coverage with hotel owners and operators. 

Myth #1 – “I use the online reservation system offered by my franchise.  They’ll cover me if their system is hacked and my guest’s personal information is compromised.”

This is by far the most common misconception among hoteliers about their exposure and responsibility for a data breach. It’s easy to see why.  You are using your franchisor’s reservation system, which is offered as part of your franchise agreement.  Why wouldn’t they cover you if their system is hacked? 

The answer is in your contract.  While some franchise agreements are more favorable in this area than others, most contain special provisions regarding the use of their online reservation systems.  These provisions typically state that the hotel will be responsible for defending the franchisor and holding them harmless, regardless of whether the data breach came from within the online reservation system. 

The exposure is even greater for non-franchised properties using third party reservations system providers or wholesalers.  I have yet to come across a contract for these services that could be viewed as favorable for the hotel in the event that the reservation system is breached. 

 Myth #2 – “If a hotel guest’s credit card information is stolen at the property level, my Payment Card Processing company will cover me under their policy.” 

Most hoteliers erroneously assume that their Payment Card Processing Company (PCP) will have their best interest in mind in the event of a data breach.  I’m not sure why.  No business, regardless of how great or longstanding your relationship with them has been, will volunteer to pay significant attorney costs and consumer notification fees for you unless they are contractually obligated to do so.  Not surprisingly, most PCP contracts are heavily weighted in favor of the PCP provider regardless of where the data was taken from or if the PCP company is to blame.

Your liability is even greater for a data breach that can be traced back to the hotel property level.  If this happens, the Payment Card Industry (PCI) mandates that you commission a forensic investigation of your systems and records.  These investigations can cost $20,000 – $25,000 for a single location, limited service property. This amount does not include fines typical for any non-compliance issues discovered during the investigation.

Myth #3 – “Cyber liability coverage is a waste of money.”

Most states have laws requiring you to notify EVERY GUEST in your database upon discovery of a breach (e.g. California Senate Bill 1386).  Analysts estimate that the average cost for this notification is approximately $30 per record.  Multiply this by the number of records in your system, or the number of guests who have stayed at your hotel over the years, and you can see just how financially devastating these claims can become. 

For a typical limited service franchised property with $2,500,000 – $5,000,000 in annual room revenue, a cyber liability policy with a $1,000,000 limit can usually be obtained for less than $7,000 annually… an extremely fair price point considering the risks and hefty costs associated with a data breach.

Final Thoughts

When a hotel data breach occurs, guests won’t know or care that another company may be responsible.  They will come directly to the hotel for a remedy. The ENTIRE FINANCIAL BURDEN for notification costs, legal defense, and monetary settlement of all related claims may be borne directly by the hotel – if it does not have an appropriate cyber liability insurance policy in force.

To protect your hospitality assets, select and obtain cyber liability coverage that will address PCI fines, consumer notification costs, credit monitoring, and any government or regulatory action levied against your business in the event that a data breach is discovered.  Not all cyber policies include coverage for these areas, so it’s important for you to work with a qualified hospitality insurance broker. 

Securing proper cyber liability insurance coverage is a cost effective method for hoteliers to help mitigate the risks associated with owning and operating a hotel in today’s digital society. 

———————————————————————-

Brad Durbin is a Hospitality Insurance Specialist with Petra Risk Solutions. For questions about Hotel Cyber Liability or any other Hospitality Risk Solutions, contact Brad at bradd@petrarisksolutions.com.


Filed under Crime, Guest Issues, Insurance, Liability, Management And Ownership, Risk Management, Technology

Hospitality Industry Information Security Risks: Hotel Computer Systems Are Increasingly "Breached" Through "Privileged Users" Who Have Total Access To Sensitive Data

“..security breaches are still happening at an even more significant pace with more damaging results.  In the end, many of these advanced intrusions and data security breaches are focused on taking over access to the accounts and permissions of specific “privileged” users in an organization who have access to sensitive data…”

“…These privileged users are specifically targeted by outside hackers because they have proverbial keys to the kingdom, but in some cases the inside user themselves is intent on stealing or doing damage…” 

One solution that is emerging to this problem is to carefully monitor everything (e.g. every keystroke and every mouse click) that a privileged user does on the network, while also putting more granular limits on what they can do.  Basically “trust but verify,” with the goal being to detect any anomalies in a privileged user’s computing usage (e.g. why is this person downloading the source code at 3 a.m.?).  This is not uncommon for privileged roles in other jobs — the “Eye in the Sky” in the casinos in Las Vegas monitors the gamblers for cheating but is equally monitoring the dealers, and at a bank the CCTV is not only looking for robbers but for the teller slipping some money into their pocket.
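To make the “why is this person downloading the source code at 3 a.m.?” check concrete, here is an added example in Python, not code from the article or from any vendor mentioned in it. It builds a per-account baseline (usual hours, usual resources, largest transfer) from a training window of access-log lines and flags later privileged events that deviate from it. The account names, resource paths, log format and log lines are all constructed.

```python
"""Baseline-and-deviation detection for privileged-user activity.

Added example, not from the article: for each privileged account, learn from
a training window the hours it normally works, the resources it normally
touches and its largest transfer, then flag later events that break that
baseline.  The log format, account names and sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime

PRIVILEGED_ACCOUNTS = {"dba01", "sysadm02"}
SENSITIVE_PREFIXES = ("/repo/", "/db/guest_profiles", "/pms/")


def parse(line):
    """'<iso-time> k=v k=v ...' -> dict with parsed time and byte count."""
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["time"] = datetime.fromisoformat(ts)
    ev["bytes"] = int(ev.get("bytes", 0))
    return ev


def build_baseline(events):
    """Per user: hours seen active, resources touched, largest single transfer."""
    base = defaultdict(lambda: {"hours": set(), "resources": set(), "max_bytes": 0})
    for ev in events:
        b = base[ev["user"]]
        b["hours"].add(ev["time"].hour)
        b["resources"].add(ev["resource"])
        b["max_bytes"] = max(b["max_bytes"], ev["bytes"])
    return dict(base)


def is_sensitive(resource):
    return resource.startswith(SENSITIVE_PREFIXES)


def detect(baseline, events, volume_factor=3):
    """Return (user, time, resource, reasons) for each privileged event that deviates."""
    alerts = []
    for ev in events:
        if ev["user"] not in PRIVILEGED_ACCOUNTS:
            continue
        reasons = []
        b = baseline.get(ev["user"])
        if b is None:
            reasons.append("privileged account with no activity baseline")
        else:
            hour = ev["time"].hour
            usual = {(h + d) % 24 for h in b["hours"] for d in (-1, 0, 1)}  # 1h slack
            if hour not in usual and is_sensitive(ev["resource"]):
                reasons.append(f"sensitive resource touched at {hour:02d}:xx, outside usual hours")
            if ev["resource"] not in b["resources"] and is_sensitive(ev["resource"]):
                reasons.append("sensitive resource never seen for this account")
            if b["max_bytes"] and ev["bytes"] > volume_factor * b["max_bytes"]:
                reasons.append(f"{ev['bytes']} bytes exceeds {volume_factor}x baseline max of {b['max_bytes']}")
        if reasons:
            alerts.append((ev["user"], ev["time"].isoformat(), ev["resource"], reasons))
    return alerts


# Constructed access-log lines.  Training window: a normal week.
TRAINING_LOG = [
    "2011-06-27T09:05:10 user=dba01 action=query resource=/db/guest_profiles bytes=20480 src=10.0.5.21",
    "2011-06-27T14:40:02 user=dba01 action=query resource=/db/guest_profiles bytes=40960 src=10.0.5.21",
    "2011-06-28T10:12:33 user=dba01 action=backup resource=/db/guest_profiles bytes=1048576 src=10.0.5.21",
    "2011-06-28T11:00:00 user=sysadm02 action=read resource=/repo/pms-web bytes=8192 src=10.0.5.30",
    "2011-06-29T16:22:45 user=sysadm02 action=read resource=/repo/pms-web bytes=16384 src=10.0.5.30",
]
# Window under review: two benign events, one non-privileged event, two deviations.
RECENT_LOG = [
    "2011-07-05T10:30:00 user=dba01 action=query resource=/db/guest_profiles bytes=30720 src=10.0.5.21",
    "2011-07-05T03:07:41 user=dba01 action=download resource=/repo/pms-web bytes=52428800 src=10.0.5.21",
    "2011-07-05T15:45:12 user=sysadm02 action=read resource=/repo/pms-web bytes=12288 src=10.0.5.30",
    "2011-07-05T23:58:03 user=frontdesk7 action=read resource=/pms/folio/4417 bytes=2048 src=10.0.9.4",
    "2011-07-06T02:15:00 user=sysadm02 action=read resource=/db/guest_profiles bytes=4096 src=10.0.5.30",
]


def run_example():
    baseline = build_baseline(parse(l) for l in TRAINING_LOG)
    return detect(baseline, [parse(l) for l in RECENT_LOG])


if __name__ == "__main__":
    for user, when, resource, reasons in run_example():
        print(f"ALERT {user} {when} {resource}")
        for r in reasons:
            print("   -", r)
```

The dba01 alert carries three reasons at once (off-hours, never-seen resource, volume spike), which is the kind of stacked deviation worth paging on; a single off-hours read of a resource the account uses every day would be noise on its own.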

Instructive of the value of this new approach is that, immediately after its own breach, the RSA division of EMC acquired the private company NetWitness for a reportedly large premium.  NetWitness is known for user-activity monitoring at the network layer.  In addition, the latest security vendor to file for an IPO, Imperva, has as its core product the ability to monitor database access and usage by database administrators, another type of privileged user.

For more:  http://blogs.forbes.com/tomkemp/2011/07/05/as-hacks-proliferate-new-security-technology-emerges-to-monitor-privileged-it-users/


Filed under Crime, Guest Issues, Insurance, Labor Issues, Liability, Management And Ownership, Privacy, Risk Management, Technology, Theft

Hospitality Industry Information Security Risks: New "Informative Fraud Databases" Explain And Expose The Latest Scams Designed To Steal Credit Card Data

“…what about when the hotel desk calls your room because of a problem processing your credit card? Would you know better than to give the “receptionist” your number?…”

That’s just one of the 350-plus scams exposed and explained in Scam Detector for iOS, an informative fraud database that can help you avoid getting ripped off.

The app doesn’t “detect” scams so much as educate you about them. The data is divided into five categories: Auto, Face to Face, Internet, Telephone, and Travel. Within Internet you’ll find five sub-categories: Social Networking, Financials, Employment Online, Houses & Properties, and Online Auctions & Tech.

In other words, it covers all the bases–and reveals a lot of scams I guarantee you’ve never heard of. For example, you know the guy standing in line behind you at the register, the one who looks like he’s texting on his phone? He might actually be snapping photos, trying to get a readable shot of your credit card as it passes back and forth between you and the cashier.

Read more: http://reviews.cnet.com/8301-19512_7-20071984-233/scam-detector-app-saves-you-from-getting-ripped-off/#ixzz1Ppb87YjR


Filed under Crime, Guest Issues, Liability, Risk Management, Technology, Theft

Hospitality Industry Computer Data Risks: New Orleans Hotels Investigation Finds "Public Business Center" Computers Retain "Sensitive Information" In Temporary And Recycle Bin Folders

“…the Louisiana Technology Council says …many hotels make little or no attempt to protect your private information on their public PCs…in business centers…”

“That information will live on that computer until such time that it’s deleted,” said Lewis. “You and I both know that it’s really never deleted. It can be recovered and if someone comes in with software, they may be able to get that data off the PC.”

Eyewitness News sent an intern into about a dozen New Orleans area hotels to search for documents and other information left on public computers after the user logged off. Among the things we found: invoices; insurance papers; tickets to a show at the Lakefront Arena; a certificate from the Texas Department of Insurance and even someone’s monthly pay statement.

Most of the documents contained people’s names, addresses and other sensitive information about the user. “I was amazed that you were able to print out some very confidential and private information from a business center location,” said Lewis.

“If somebody wants to open up a new credit card and in this day and age of identity theft, having that kind of information out there is real frightening,” said attorney Daren Sarphie.

He says in March, the client got a disturbing phone call from a guest at the International House Hotel in downtown New Orleans. The guest told him all of his private information, including Social Security number, birth date, home address and phone number, was contained in a document stored on the hotel computer for all to see.

“The person that accessed, that found this file had just gone to the hotel to book plane reservations to go back home to Dallas and in the process, he’s just playing around on the computer and he accessed this directory and is able to pull up all kinds of stuff,” said Sarphie.

“You’d think that the hotels at least would have a system in place that they would erase the hard drive on a weekly basis or a daily basis to make sure there are no temporary files saved on that computer,” said Sarphie.

The information we found was easy to access on the computers. Most of it was stored in the PC’s temporary Internet files, saved in the documents folder or waiting to be deleted in the computer’s recycle bin.

The owner of the International House Hotel says it is his hotel policy to purge the public computer’s desktop of any documents and public files every 24 hours. But, he says, it is a public computer and people need to be mindful to log out of personal accounts and delete personal documents before leaving the computer.
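Purging the desktop once a day, as the hotel owner describes, misses the temporary internet files and Recycle Bin locations where the reporters found most of the documents. The script below is an added example, not the hotel’s or the station’s tool: it sweeps the profile locations named in the report, reports which leftover files look like they contain Social Security or payment-card numbers, and optionally deletes them so it can run at every logoff. The profile layout, the demo profile and its file contents are constructed for the example.

```python
"""Sweep a business-centre PC's user profile for documents guests left behind.

Added example, not part of the news report.  It looks in the places the
report found data (Documents, Desktop, temporary internet files, the Recycle
Bin, plus Downloads and Temp), flags files that contain SSN- or payment-card-
looking values, and optionally deletes them.  Directory layout, the demo
profile and its file contents are constructed for the example.
"""
import re
import tempfile
from pathlib import Path

# Profile-relative locations to sweep (assumption: a Windows 7-era layout;
# on a real host $Recycle.Bin lives at the drive root, not in the profile).
RESIDUAL_DIRS = {
    "Documents": "Documents",
    "Desktop": "Desktop",
    "Downloads": "Downloads",
    "Temporary Internet Files": "AppData/Local/Microsoft/Windows/Temporary Internet Files",
    "Temp": "AppData/Local/Temp",
    "Recycle Bin": "$Recycle.Bin",
}
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, spaces/dashes allowed


def luhn_ok(digits):
    """Luhn checksum; weeds out phone numbers and IDs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def indicators(text):
    """Set of indicator names found in the text: 'ssn' and/or 'card'."""
    found = set()
    if SSN_RE.search(text):
        found.add("ssn")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found.add("card")
            break
    return found


def sweep(profile_root, delete=False):
    """List every file left in a residual location; delete them if asked."""
    root = Path(profile_root)
    findings = []
    for category, rel in RESIDUAL_DIRS.items():
        base = root / rel
        if not base.is_dir():
            continue
        for path in sorted(p for p in base.rglob("*") if p.is_file()):
            text = path.read_text(errors="ignore")
            findings.append({
                "category": category,
                "path": str(path.relative_to(root)),
                "indicators": indicators(text),
            })
            if delete:
                path.unlink()
    return findings


def build_demo_profile():
    """Create a throwaway profile tree with constructed leftovers; return its root."""
    root = Path(tempfile.mkdtemp(prefix="bizcenter_"))
    samples = {
        "Documents/pay_statement.txt":
            "Pay statement, J. Doe\nSSN 123-45-6789\nNet pay 2,340.15\n",
        "Desktop/arena_tickets.txt":
            "Lakefront Arena, Sec 112 Row F, 2 seats\n",
        "AppData/Local/Microsoft/Windows/Temporary Internet Files/booking[1].htm":
            "<p>Card 4111 1111 1111 1111 exp 09/13 - confirmed</p>\n",
        "$Recycle.Bin/$R7K2Q1.txt":
            "Certificate of insurance, Texas Department of Insurance\n",
    }
    for rel, text in samples.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)
    return root


if __name__ == "__main__":
    demo = build_demo_profile()
    for f in sweep(demo):
        flags = ",".join(sorted(f["indicators"])) or "-"
        print(f"{f['category']:<26} {flags:<9} {f['path']}")
    sweep(demo, delete=True)
```

Deleting a file from the profile does not overwrite its blocks, which is Lewis’s point about recovery. The sweep is still worth running at logoff because it closes the “browse the directory” exposure the guest stumbled on, and the indicator hits tell you which files warrant secure erasure or a profile discarded wholesale by the kiosk software.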

For more:  http://www.wwltv.com/news/Keeping-It-Safe-On-Hotel-Computers-121350324.html


Filed under Crime, Guest Issues, Liability, Management And Ownership, Privacy, Risk Management, Technology

Hospitality Industry Information Security Risks: Hotel Management Must "Encrypt All Confidential Guest Data" To Decrease "Public Exposure Of Data"

“…99% of businesses around the globe at present no longer store confidential information on their systems and 75% continuously complied with PCI requirements…”

“…encrypting confidential information will “shrink the card data environment,” thus a minimal to zero possibility of public exposure of these data…”

To prevent fraud, she proposed three ways for the card industry:

  • Widespread distribution of ‘smarter’ payment devices is one, where EMV (chip-and-pin) cards will be used
  • Smarter networks to stem the cyber crime before or when it happens
  • A cardholder authentication method such as two-factor authentication

“Visa’s global fraud rate recently hit a historic low – at just over 5 cents for every $100 transacted, down more than two-thirds from the levels of 20 years ago,” she added.

She urged the card industry to step up a bit more its security measures as most consumers believe cyber criminals are ahead of what’s already in place. According to Richey, 61% of consumers are of the opinion that the security measures of the card industry are one step behind cyber criminals.

Rather than keeping pace with cyber crime which would only exhaust resources, Richey proposed getting smarter as a better solution in combating fraud and protecting card data.

“We need to use all the intelligence we have at our disposal. I think that the opportunities to get smarter and fight fraud are all around us,” she said.

Richey, on the other hand, recognized the fact that these suggestions will be costly and will require tremendous resources.

For more:  http://inaudit.com/audit/it-audit/cyber-crime-vincible-through-smarter-technologies-visa-5856/


Filed under Crime, Guest Issues, Liability, Management And Ownership, Privacy, Risk Management, Technology, Theft

Hospitality Industry Information Security Risks: Hotel Management Should Consider "Cyber Liability Policies" With "Vicarious Liability Provisions" To Insure Guest Information Database Breaches

“…clients with robust cyber liability policies will find coverage under the vicarious liability provisions. …”

“Data breaches generally represent enormous problems for companies,” said Alan N. Situn, a shareholder with law firm Greenberg Traurig L.L.P. in New York. “Not only can they be very expensive, but equally important to many companies (is) the reputational damage that they perceive from these types of breaches” if information they provide to a third party is somehow breached.

Hackers tend to hold on to such information “usually about a year, and then use it in the hope that folks have become a little bit more relaxed and not as vigilant,” said Mauricio F. Paez, a partner with law firm Jones Day in New York.

For the most part, the companies that are affected are in a damage- or crisis-management mode, said Robert J. Scott, managing partner with law firm Scott & Scott L.L.P. in Dallas. “They’re emailing their customers; they’re apologizing for the inconvenience, trying to clarify and limit the scope of the magnitude of the problem; and they’re hopeful the leakage of the email doesn’t result” in other problems.

Observers noted that the firms were notifying customers of the data breach even though they were not legally required to do so by state laws, except in North Dakota, unless more damaging personal information, such as Social Security or credit card numbers, had been revealed.

Epsilon customers whose data was breached have been “doing everything they should be doing in terms of being up front and honest with the consumers,” Mr. Scott said.

If the breach results in litigation, the question will arise of “how does that fit into the overall risk management program of the company” that hired the outside marketing company, said Kroll Ontrack’s Mr. Brill, who suggested that affected firms review their risk management programs now.

For more:  http://www.businessinsurance.com/article/20110410/ISSUE01/304109976


Filed under Claims, Guest Issues, Liability, Management And Ownership, Risk Management, Technology

Hospitality Industry Information Security Risks: Large Email Marketing Services Company To Many Hotels Has Data Breach And Guest Email Accounts Are Stolen

In addition to the banks, other impacted companies included hotel brands Ritz-Carlton Rewards and Marriott Rewards, and retail heavyweights Home Shopping Network, Walgreens, Brookstone, New York & Company and Kroger. TiVo is also included in this list.

“…customers should “exercise extreme caution,” as email addresses are all cyber-criminals need to initiate a phishing attack. Users can expect to see more spam, and should be vigilant about email offers that ask for personal information or have links to other sites that ask for personal information.”

Many of these phishing attacks tend to take the form of security alerts—informing users that their accounts have been compromised and they should verify their log-in credentials to reset their accounts—or direct marketing scams promising special deals that require a credit card number.

Epsilon, a large email marketing services company with a roster of A-list clients, reported a data breach that is impacting practically anyone who has ever signed up to receive a retail offer or alert through its email account. The company warned that thieves may use the information to launch a phishing campaign to trick users into disclosing more critical data.

On March 30, Epsilon detected “an unauthorized entry” into its email system. During this time, a subset of clients’ customer data was exposed. Epsilon only has the information of people who opted-in to receive marketing emails, and the theft was limited to email addresses and customer names, according to the company.

“A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway,” Epsilon said in a terse statement on April 1.

“Epsilon has advised us that the files that were accessed did not include any customer information other than email addresses,” used books retailer AbeBooks wrote in a message to customers on April 3.

For more:  http://www.eweek.com/c/a/Security/Epsilon-Data-Breach-Hits-Banks-Retail-Giants-154971/


Filed under Crime, Guest Issues, Maintenance, Management And Ownership, Risk Management, Technology

Hospitality Industry Information Technology (IT) Risks: "Network Security and Privacy Liability" Insurance Is Available To Protect First-Party Risks And Third-Party Liability Involved In Cyber-Crime

“…Network Security and Privacy Liability policies are generally designed to address first-party risks and third-party liability–sometimes in the same policies, sometimes separately…”

“…first-party losses. These might include business interruption, which could be caused by a flood or fire in a data center, or malicious hacking by a disgruntled employee or even a cyber-crook half a world away...”

There is also the risk of being sued by third parties for somehow allowing–or failing to prevent–unauthorized access to sensitive information.

When IT goes down, business screeches to a halt. Indeed, for businesses such as online retailers, brokerages and some financial firms, the IT and data assets are the entire business–every bit as critical as the factory and warehouse are to the hard-goods manufacturer, or the vehicle fleet to a trucking company.

As more and more companies–and their insurers–are realizing, this reliance on IT creates a hornet’s nest of risks that can result in crippling losses that conventional, turn-of-the-century P&C insurance coverages won’t respond to. These new issues call for a new category of coverage.

Perhaps even more ominous are the all-new liability exposures inherent in IT operations. A raft of relatively new regulations and legislation makes companies responsible for safeguarding personal and confidential data they collect as part of everyday e-commerce operations.

Companies are liable for customer credit card numbers, financial transactions, medical history, credit information and other sensitive data.

For more:  http://www.propertycasualty360.com/2010/03/15/cyber-coverage-the-new-must-have-in-the-property#


Filed under Crime, Guest Issues, Liability, Management And Ownership, Risk Management, Technology

Hospitality Industry Information Security: British Courts Jail Operators Of World's Largest Internet Crime "Forum" Which Provided "Hacking Software" And Credit Card Theft Instructions

The site contained manuals such as “14 ways of hacking credit cards” and “running cards on eBay” and information on staying anonymous. It sold hacking software and instructions on how to manufacture crystal meth and explosives.

Nicholas Webber, who masterminded the criminal website Ghostmarket.net, has been jailed for five years.

Three teenagers who founded and operated one of the world’s largest English-language internet crime forums, described in court as “Crimebook”, have been sentenced to up to five years in custody. Police estimate that losses from the thousands of credit details traded over the site, Gh0stMarket.net, amount to £16.2m. The web forum, which had 8,000 members worldwide, has been linked to hundreds of thousands of pounds of registered losses on 65,000 bank accounts.

Nicholas Webber, the site’s owner and founder, was arrested in October 2009 with the site’s administrator, Ryan Thomas, after trying to pay a £1,000 hotel bill using stolen card details. They were then 18 and 17. Webber was jailed for five years on Wednesday and Thomas for four years.

After seizing Webber’s laptop, police discovered details of 100,000 stolen credit cards and a trail back to the Gh0stMarket website. Webber and Thomas jumped bail that December, fleeing to Majorca, but were rearrested when they flew back to Gatwick airport on 31 January 2010.

Southwark crown court was told how public-school-educated Webber, the son of a former Guernsey politician, was using an offshore bank account in Costa Rica to process funds from the frauds. After his initial arrest, Webber threatened on a forum to blow up the head of the police e-crimes unit in retaliation, and used his hacking skills to trace officers’ addresses.

For more:  http://www.guardian.co.uk/uk/2011/mar/02/ghostmarket-web-scam-teenagers


Filed under Crime, Guest Issues, Insurance, Liability, Management And Ownership, Technology, Theft