Protecting the Hospitality Sector With Security Intelligence
January 29, 2020 • The Recorded Future Team
The hospitality sector has always been a popular target for cyberattacks.
For the past decade, hardly a month has gone by without a hotel, airline, or other hospitality breach to remember it by. In the last year alone, two huge breaches stand out — Marriott and British Airways — both of which were among the largest data breaches in history.
In Marriott’s case, around 500 million guest records were compromised. The infected system — a legacy booking system belonging to the Starwood hotel chain, which was acquired by Marriott in 2016 — had been compromised for four years before the compromise was finally detected in late 2018. When the dust settled, the breach had cost Marriott $28 million.
That’s nothing compared to the British Airways breach, which also exposed around 500 million passenger records and saw the company fined an incredible $229 million.
The Stats Behind Hospitality Threats
Many industries have one or two “mega breaches” to point to, but few have quite such a history of cyberattacks.
A decade ago in 2009, hospitality was — by some reports — the most widely attacked industry of all. And while other industries have now surpassed it, a 2019 report by Trustwave still ranks hospitality as the third most-breached industry, accounting for 10% of all breaches.
And when a breach occurs, the consequences can be substantial. According to Ponemon’s 2019 Cost of a Data Breach Report, the average hospitality data breach costs $1.99 million to contain, at a cost per record of $123. These high costs are due in part to the time needed to adequately respond to a breach. On average, it takes 200 days to identify a hospitality data breach and a further 75 days to contain it.
By most accounts, attacks targeting the hospitality industry are mostly aimed at stealing payment card data. However, there have also been cases where state-sponsored hacking groups are thought to have targeted the industry to obtain intelligence. In the case of the Marriott breach, Chinese state-sponsored hackers are thought to have targeted the group in an attempt to collect personal data about U.S. Government employees.
Unsurprisingly, Verizon’s 2019 Data Breach Investigations Report cites POS devices as the most heavily targeted aspect of hospitality infrastructure. Hospitality companies often have hundreds or even thousands of POS devices, which are typically accessed by a constantly churning workforce, making them very difficult to secure. In line with this, email-based malware was identified as one of the most common threat vectors used to target the industry.
Why Is Hospitality So Hard to Secure?
There are many reasons why hospitality companies have a harder time securing their assets than similarly sized organizations in different industries:
1. They often have large, complex networks.
A typical hospitality company has a huge number of endpoints, many of which are in publicly accessible areas. They also utilize a wide variety of automated systems for functions like heating and ventilation, which are another potential entry point for attackers.
And, of course, most hospitality companies have very large customer databases, which by necessity are usually accessed directly by a booking system. Any compromise to the booking system will place the database at risk, which is exactly what happened with the Marriott breach.
2. Customers are onsite — and attackers could be too.
Both hotels and airlines have customers onsite at all times, giving attackers the opportunity to get direct access to possible entry points. Many even provide free WiFi services, alongside private, secured WiFi for staff and business use. Of course, there’s nothing “wrong” with this, but it requires extra layers of security to ensure no unauthorized access is allowed to sensitive areas of a network.
3. Staff churn.
When you have high staff numbers and high churn, it becomes difficult to ensure that staff members are properly trained to handle cyber threats. Even worse, it’s common practice in the hospitality industry to use group email accounts (e.g., Reception, Customer Services, etc.) that are shared by a constantly changing group of staff members. This makes it almost impossible to enforce proper password hygiene procedures, so it’s small wonder that credentials for these accounts are often leaked via the dark web.
4. Franchising.
Franchising is common in the hospitality industry — particularly for hotels — and franchise owners take at least some responsibility for security. Unfortunately, most franchise owners have little understanding of cyber risk and don’t always take the proper precautions to protect sensitive assets.
5. Third-party risk.
Hospitality companies often have large third-party ecosystems, including a wide variety of partners, suppliers, and technology providers. The transfer or possession of sensitive data or digital assets can open hospitality companies up to a huge amount of risk. It can be very difficult to determine the risk profile of a third party — particularly since each organization’s profile will change over time — and many companies in the hospitality industry simply don’t have a good way to measure how much risk they are accepting when selecting and building relationships with third parties.
Security Intelligence for the Hospitality Sector
Protecting the hospitality industry from cyber threats isn’t an easy job. Security professionals in the industry are tasked with defending highly complex networks with many endpoints against a constant barrage of attacks and a constantly churning workforce. On top of all of that, they have limited security resources to work with.
Naturally, then, extracting maximum value from the resources available is an essential part of their job. This is where security intelligence excels.
Comprehensive security intelligence helps security teams identify unknown threats to the organization, and make informed decisions about how and where to allocate time and resources for maximum effect. By investing in security intelligence, hospitality companies can:
- Respond Rapidly to Security Incidents: SIEMs, EDRs, and other security technologies produce massive quantities of alerts each day — far more than SOC and incident response analysts can cope with. As a result, analysts waste huge amounts of time responding to, categorizing, and ultimately discarding false positive alerts, while many legitimate alerts are never triaged. Threat intelligence provides the context analysts need to quickly distinguish between valuable alerts and false positives, drastically improving their ability to respond to genuine cyber threats.
- Block Online Brand Abuse and Impersonation: In the internet age, brand abuse and impersonation are rife. Real-time intelligence and alerting help hospitality companies rapidly identify and remove brand threats such as typosquatted domains, spoof social media accounts, and phishing sites.
- Manage Third-Party Risk: Using threat intelligence, hospitality companies can easily build risk profiles for existing and potential partners, and maintain them in real time to keep track of their third-party ecosystem. This enables accurate tracking of third-party and cyber risk, giving companies the opportunity to resolve or end risky business relationships before damage is caused.
- Reduce Breach Containment Times: As we’ve already seen, it takes hospitality companies 275 days on average to identify and contain a threat. And, as we know, the longer it takes to contain a breach, the more it costs to do so. Threat intelligence can help security teams drastically reduce the time needed to identify and contain a breach by alerting them the moment stolen assets (e.g., guest or passenger data) are made available for sale via the dark web.
- Better Allocate Security Resources: Resource allocation is critical to the success of any security function. Security intelligence helps CISOs and other security leaders in the hospitality sector identify their most pressing threats, and accurately gauge cyber risk. In turn, this helps them make informed decisions about which initiatives to prioritize, which technologies to invest in, and who to hire to maximize the efficiency and effectiveness of the security function.
Securing Complex Networks With Intelligence
The hospitality sector faces a significant challenge when it comes to security. Protecting large quantities of sensitive customer data across complex, geographically diverse networks is far from an easy job.
That’s why, in the wake of the Marriott and British Airways breaches, many hospitality companies have started using threat intelligence to help them identify and respond to serious cyber threats.