Useful insight on data privacy, forensic services and cyber liability insurance best practices has never been more necessary, especially for hospitality and the scores of technology partners serving the industry. Between bad PR, the threat of FTC scrutiny, legal fees and the loss of customer trust, everyone’s 2016 “must learn more about” list is focused on these topics. Why? One thing has become a reality: 2015 signaled the clear transition from stealing card data to stealing the keys for cloning login credentials. Criminals today seek whatever is needed to become someone else to “steal things” digitally. It’s no longer about identity theft in the traditional sense… although becoming someone else to gain benefits (health insurance or IRS refunds for example) is still popular. Rather, as of 2016 and forward, the goal is re-creating identities and credentials for a higher level of ROI, or said another way, increased “profitability.” Why? Simple: with the proper credentials a person can modify payroll or access a company’s account and move funds.
In mid-February 2016, attackers leveraged duplicate login credentials to compromise approximately 21 million accounts on Alibaba Group’s Taobao e-commerce website. (Don’t know Alibaba? It’s an online marketplace that's a mix between PayPal, eBay and Amazon.) In 2015 Alibaba had annual revenues of $8.5 billion on more than $300 billion worth of goods sold on its sites.
Here’s why the Alibaba hack matters: the main ingredient necessary for credential creation is often a subset of data we call PII (personally identifiable information). PII is an acronym still vastly misunderstood by the hotel industry, which typically defines PII as the usual suspects (a.k.a. social security numbers and birthdates, often kept by the HR team).
PII encompasses a lot of data we keep about guests as well as employees: their signature, their home street address (which matches against the address on file with a credit card or the one payroll uses for W2 forms), children’s ages, wedding anniversaries and a lot more. Astonishingly, in 2016 the definition of PII can now be something as simple as the combination of two items: for example, user names and passwords. Those two elements can be attributed as uniquely tied to an identifiable individual and, as such, are now defined as PII.
Back to the hack at Alibaba: the attackers used Alibaba’s cloud computing platform to input the stolen data to see whether account holders had duplicated their logins across websites. Guess what? Of the 99 million usernames they entered, the criminals found that 20.59 million were also being used on Taobao. They accessed Taobao, and thanks to stolen usernames and passwords from other websites, the criminals were able to “become someone else” and cash out the funds.
Whether the bad guys are in China, Russia or the United States is irrelevant. A few key ingredients are all they need to steal or see in order to create credentials – user names and passwords are the exact ingredients all hotels keep on file, often in either an un-encrypted or unprotected manner. Many mistakenly think they protect those ingredients if they are PCI compliant. They could not be farther from reality. And that, according to the experts, is why the focus now leaves PCI and migrates to PII. The username and password file you store on guests who use your booking apps or other components of a reservation page online may not even relate to loyalty programs, yet those same names and passwords (attached to their email accounts) may have been used for their bank account or PayPal.
As organizers of the 2016 National Boot Camps on Data Privacy and Data Security in Hospitality series, we brought a select group of thought leaders in forensic services, data privacy legislation and cyber liability insurance to spend the day with some of our industry’s top CIOs, VPs of IT and data security experts. Three day-long sessions in New York, Atlanta and Miami uncovered dozens of valuable takeaways, but for readers of this issue, here are the most vital insights:
1. PROACTIVE PREPARATION PAYS DIVIDENDS.
When it comes to forensic investigations and/or outside legal help, calling around to get a contract in place after you have been breached is incredibly expensive, not to mention clearly not in your best interest. Yet rushing a contract and pricing package through legal while a gun is held to your head turns out to be “modus operandi” far too often. Smart companies on both sides of the discussion (hospitality groups or owners as well as the technology firms servicing them for reservations, CRM, payroll, et al.) have retainer arrangements in place prior to a breach. The experts agreed: these firms were more likely to avoid breaches in the first place, as well as to reduce the scope of the damage once a breach happens. From a financial perspective, fees for hiring outside experts for investigations, remediation and legal counsel skyrocket when purchasing these services in deadline mode. Both PFIs (PCI forensic investigators) and legal teams agreed: they can and will offer terms much more to your benefit when hired before a breach happens.
2. SECOND OPINIONS ARE NOT JUST FOR MEDICAL DIAGNOSIS.
The PCI Council requires you to retain a PFI (and it can’t be the one you have a retainer with, should you have followed the advice above). It is smart to hire your own. Whether you have one on retainer or not, the PFI brought in to investigate a breach is working for the council, not you. Repeat: technically speaking, they are not your friend, and they will be aggressively looking for evidence to show how, where and when your team blew it so that fines and penalties can be assessed. Many believe having two seems more expensive than necessary, but the experts were unanimous: it often pays for itself. If you (smartly) already had another company on retainer (or you hired a second PFI upon being advised there was a breach), you will often find initial fines get substantially reduced… one case cited a more than 30 percent decrease in fines and penalties upon review of the second opinion’s findings. In addition, your PFI may spot weaknesses the official PFI won’t care about and help with remediation so that you don’t suffer a second breach later. Remember: the official PCI forensic team is looking only for what caused a known breach, and is not on your side with regard to helping negotiate your fines or helping you deal with potential weaknesses that show up.
3. LAWYER-CLIENT CONFIDENTIALITY IS AMAZING.
Whether you proactively (or reactively) retain outside counsel, here’s why you should do it. Even if you have internal legal stars, they often don’t have the right expertise or relationships with the state attorneys general. Law firms specializing in data breaches also have PFIs on retainer, allowing you to access the better teams (remember there are only a few accredited PFIs able to do an investigation). Secondly, and quite interestingly, when outside counsel hires a PFI, the findings, advice or information from the investigation can be covered by attorney-client privilege. So whether you have a data breach law firm on retainer or not, you will want to work with a law firm that actually only does privacy and data breach work, because in the end you will save a lot of time and money. Some cases discussed at the National Boot Camp events found that, due to a lack of correct internal legal help, hundreds of thousands of dollars in unnecessary costs relative to notification laws were incurred, not to mention penalties and fines due to delays in notifications.
4. CYBER LIABILITY INSURANCE IS A DIFFERENT ANIMAL – LEARN ALL YOU CAN!
Imagine: a CEO’s assistant falls for a social engineering scam (wiring $500,000 to a Mexican bank while the CEO is en route to Cabo, as per the CEO’s “instructions via email”). This is a crime, but it is not cyber crime. Thus the money lost is not insured by cyber liability. Insurance policies covering financial losses due to “crime” can deny the claim on grounds of “willful negligence” after reviewing when and how often you train staff about social engineering. Another tip: premiums are increased or decreased based on “a company’s risky behavior,” similar to how health and car insurance is written. In other words, proving that you do monthly training rather than annual training, that you use endpoint-to-endpoint encryption for everything (not just card numbers), and that you monitor portable devices that are not on the network lowers premiums tremendously.
One last takeaway: post-breach is the wrong time to realize that you should be keeping logs for 180 days, not 30! And guess what? “Post-breach” doesn’t start when an attack is identified; it starts today with truncated logs, it started yesterday with an email or saved file, it started last week with every USB device attached, it started last month with every connected iPhone® and iPod®, it started last year with Facebook, LinkedIn, Dropbox, OneDrive, Google Drive and iCloud, and it will start again tomorrow with something you aren’t even aware exists yet.
ARE YOU PREPARED? START BY ASKING THE RIGHT QUESTIONS AND PREPARE YOURSELF FOR WHAT THE FUTURE MAY HOLD.
Marion Roger, VP Hospitality eResources, is a specialist in the hospitality supply chain landscape who is currently leading an industry initiative to support guest data security and has developed a hotel-focused training curriculum on PII protection.
©2016 Hospitality Upgrade