It’s time for HITEC, and there are so many cool things to see and discuss other than information security. Entertainment solutions that work with your guests’ streaming services. High-performance wireless products that can provide a stellar online experience. Guest messaging and engagement platforms that enable actionable real-time data on your customers’ experiences before, during and after their stay. Mobile check-in. Mobile room keys. Operational applications that bring real innovation and competitive advantage to your hospitality business. Voice-activated guestrooms. Robots that deliver room service orders. Any one of these subjects is the basis for an infinitely more interesting conversation than information security. But recent events and media reports keep bringing us back to this subject. To quote Dr. Seuss: “It may not seem very important, I know, but it is, so I’m bothering telling you so.”
 
In a quarterly report, Sabre announced the “unauthorized access by a third party” of its SynXis Central Reservations service, used by more than 36,000 hotel properties. According Sabre, the scope and methods of the compromise are not yet known. Sabre stated in a follow-up press release that “the unauthorized access has been shut off and there is no evidence of continued unauthorized activity. There is no reason to believe that any other Sabre systems beyond SynXis Central Reservations have been affected.” Sabre reports that it is working with law-enforcement, notifying affected customers, and hired cybersecurity firm Mandiant to conduct a forensic investigation. While Sabre has not released further details, it is the consensus among information security experts in several published articles that compromised credentials – user login IDs and passwords – are the most likely avenue of compromise. Not surprisingly, there is already a class action liability investigation of the Sabre breach. One of the questions sure to be asked in any litigation will be whether Sabre could have made better use of technology solutions such as point-to-point encryption (P2PE) or tokenization.
 
Certainly, InterContinental Hotels Group (IHG) is a believer in the importance of P2PE. In December 2016, KrebsOnSecurity.com broke the news that IHG was investigating a potential data breach due to multiple common point-of-purchase investigations regarding fraudulent transactions on credit card accounts used legitimately at various IHG properties. It took until February 2017 for IHG to acknowledge the breach, at which time it reported that about a dozen properties were involved from September 29 to December 29, 2016. In April, IHG released data by state on the properties involved, but no summary was provided. According to Krebs, a Danish researcher named Christian Sonne analyzed the state lookup tool, and determined that slightly more than a dozen properties were involved:
 
1,175 properties across the U.S. and Puerto Rico in the following brands, Holiday Inn Express (781), Holiday Inn (176), Candlewood Suites (120), Staybridge Suites (54), Crowne Plaza (30), Hotel Indigo (11), Holiday Inn Resort (3).
 
IHG emphasized in its statements that hotels which had adopted the Secure Payment Solution (SPS), which includes P2PE, were not affected. The company further stated that hotels that adopted SPS after September 29 had no further compromise of data. I continue to advocate tokenization and P2PE as the most effective method to reduce the risk of a credit card data breach, it looks like I’m in good company.
 
It is also no surprise that the IHG breach was linked to the front desk property management system (PMS), a type of point-of-sale system (POS) in the terminology of the 2017 Verizon DBIR. In the recently released 10th edition of this landmark annual information security report, Verizon published the analytical findings on data from 65 organizations involved in breach investigations, encompassing 42,068 incidents and 1,935 breaches from 84 countries. And guess what: 
 
Of the 206 hospitality breaches analyzed, 87 percent involved POS systems, and all those breaches utilized either malware, hacking or both. Threat actors were almost all (96 percent) external players, usually criminal organizations. The truly depressing statistic is breach timelines.  Verizon quotes The Eagles on this point, from the song, Hotel California: “You can check out any time you like, but you can never leave.” On average, time-to-compromise is measured in seconds, time-to-exfiltrate – get stolen data out – is days, but times to discovery and containment are still measured in months. Detection of breaches in hospitality rarely occurs from internal security: 85 percent were detected by external fraud investigations, followed by 4 percent from law enforcement. In the IHG case, the compromise began September 29, but was not detected until mid-December, and not shut down until December 29. And the detection was made by card-issuing banks, not IHG. The Verizon DBIR further states, “The hospitality industry continues to be inhospitable, at least when it comes to POS breaches, which continue to be as ubiquitous and unsatisfying as the continental breakfast.”
 
One other major finding reported by Verizon is that ransomware attacks have doubled from the previous year, and are now the fifth most common malware category, up from 22nd in 2014. Ransomware is now categorized as a “prevalent” type of malware. On May 10, Hospitality Upgrade’s TechTalk column reported “Nine in 10 global cyber security and risk experts believe that cyber risk is systemic and that simultaneous attacks on multiple companies are likely in 2017, according to a study issued by American International Group, Inc. (AIG).” This was followed in a couple of days by the worldwide outbreak of the WannaCry/WannaCrypt ransomware attacks, which leveraged previously identified vulnerabilities in unpatched computers (including Windows XP, for which Microsoft issued an unusual post-support security patch). 
 
Now can we PLEASE talk about all the other cool stuff at HITEC?
 
Ron Hardin is an independent technology consultant. He can be reached at www.ronhardin.tech.