While government, healthcare, and financial organizations remain among the most preferred prey of cybercriminals, the hospitality sector is emerging as a growing target for e-crime and, in a more unsettling turn, nation-state adversary groups as well.
International hotel chains, in particular, offer ripe pickings for financial crimes, from stealing identities to pilfering credit card numbers via point-of-sale (POS) transactions. State-affiliated adversaries have also developed a deep interest in the hospitality sector, whether for tracking persons of interest while they are traveling, or to enable access to these potential victims when they use electronic devices outside the confines of protected networks.
Why is this sector becoming a key target for cybercriminal organizations and nation-state threat actors?
Quite simply, hotels present a vast array of people who represent potential targets. These include business travelers, large conferences with thousands of attendees, government officials, and even those in the technology or academic fields who may be traveling with valuable information assets. In addition, the variety of hotels and hotel chains, which may not be employing the most modern security practices, also makes the industry a soft target.
Throughout 2017 and continuing this year, data has revealed a rise in attacks by financially motivated adversaries focused on POS devices, an operational model that often results in the resale of stolen credit cards in criminal marketplaces. Personally identifying information such as passport scans or loyalty card information holds value on the dark web, too.
While every industry has challenges with maintaining security best practices and implementing the most modern tools to secure networks, the hospitality sector deals with some unique circumstances. Locations can be widely dispersed, with transient workforces and a high level of outsourcing, especially for technology needs. Hotels are also highly dependent on third-party vendors for their operations, which gives attackers an opening to search for weak points in the vendor or supply chain environment.
Finally, hotels and retail are facing significant pressure to improve the customer experience, primarily with technology that’s similar to what consumers are used to in their homes. Visitors want reliable, fast WiFi, and they want to be able to use multiple personal devices in their rooms or to pay for services via personal apps. If a hotel elects to pursue speed and experience at the expense of investing in security, it is leaving the door wide open for attackers not only to compromise information held by the hotel itself but also to gain access to guests directly. This becomes critical to the hospitality sector with the introduction of privacy and security regulations under the General Data Protection Regulation (GDPR), which becomes official on May 25 and requires businesses to be prepared to report data breaches quickly and demonstrate that they have prevention and detection efforts in place to protect consumers’ information.
There are documented examples of certain adversary groups targeting WiFi networks as a way to penetrate back into the network by way of the user's machine. Nation-state adversaries have maintained a deep interest in the sector, which may be for the purposes of tracking persons of interest while they are traveling or to enable access to these potential victims when they use equipment outside of normal corporate networks.
One type of spear-phishing attack, designated Carbon Spider by CrowdStrike, was especially prominent in the sector in 2017. This attack uses spear-phishing emails with subject lines that reference customer details, invoices or payment information for a booking. The body of the email then explains that this information is contained within a document attached to the email, with instructions on how to unlock the protected document. The emails are usually directed to customer-facing personnel within the victim organization, and open-source reporting has documented that quite often these emails will be followed by telephone conversations to enable successful exploitation. The primary objective of these operations is to deploy specialized tools which scrape POS credit card data from the temporary memory where it is stored.
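As an added illustration (not from the original article or from CrowdStrike), the lure traits described above can be combined into a simple mail-triage heuristic for a gateway or mailbox rule. The keyword lists, mailbox addresses and sample messages are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Keyword lists are assumptions derived from the lure traits described above.
SUBJECT_RE = re.compile(r"\b(invoice|payment|booking|reservation|customer details)\b", re.I)
ATTACH_REF_RE = re.compile(r"\b(attached|attachment|enclosed)\b", re.I)
UNLOCK_RE = re.compile(r"\b(enable (content|editing|macros)|unlock|password)\b", re.I)
DOC_EXT = (".doc", ".docm", ".docx", ".rtf", ".xls", ".xlsm")
# Hypothetical customer-facing mailboxes for the hotel being protected.
FRONTLINE = {"reservations@hotel.example", "frontdesk@hotel.example"}

@dataclass
class Mail:
    recipient: str
    subject: str
    body: str
    attachments: tuple = ()

def lure_signals(mail):
    """Return the names of the lure traits this message exhibits."""
    signals = []
    has_doc = any(name.lower().endswith(DOC_EXT) for name in mail.attachments)
    if SUBJECT_RE.search(mail.subject):
        signals.append("booking_or_payment_subject")
    if has_doc and ATTACH_REF_RE.search(mail.body):
        signals.append("body_points_to_attached_document")
    if has_doc and UNLOCK_RE.search(mail.body):
        signals.append("unlock_instructions")
    if mail.recipient.lower() in FRONTLINE:
        signals.append("customer_facing_recipient")
    return signals

def triage(mail):
    """Quarantine on unlock instructions plus two more traits; review weaker matches."""
    signals = lure_signals(mail)
    if "unlock_instructions" in signals and len(signals) >= 3:
        return "quarantine", signals
    if "body_points_to_attached_document" in signals and len(signals) >= 2:
        return "review", signals
    return "deliver", signals

# Constructed sample messages, not real traffic.
SAMPLES = [
    Mail("reservations@hotel.example", "Invoice for booking 48213",
         "Customer details are in the attached document. Click Enable Content to unlock it.",
         ("booking_48213.doc",)),
    Mail("frontdesk@hotel.example", "Question about my booking",
         "Can I check in early on Friday?"),
    Mail("accounts@hotel.example", "March invoice",
         "Please find the invoice attached.", ("invoice_march.docx",)),
]
```

Messages that land in "review" are the ones where a follow-up phone call pressing staff to open the document should itself be treated as a further warning sign.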
One of the more concerning developments taking place across sectors is the growing use of malware-free attacks, or attacks that went undetected by traditional antivirus software. Overall, a recent CrowdStrike report found that in 2017, 39 percent of attacks involved no malware. In the hospitality sector, it was even higher, with 45 percent of attacks being malware-free. This indicates that the industry is not only a prime target but is also relying on legacy technologies that don’t provide the real-time visibility and risk management required to combat today’s attacks.
Checking in with modern security
Extortion and weaponization of data have become mainstream among cybercriminals, heavily impacting sectors like hospitality. Data from CrowdStrike research shows that “breakout time” – the time it takes an intruder to begin moving laterally to other systems in the network – is an average of one hour and 58 minutes. The largest hotel chains are implementing better security with emphasis on faster detection, but more in the industry need to develop a sense of urgency with faster detection rates and faster responses to global threats. Every hotel is dealing with highly sensitive information and a high number of transactions, and has its reputation at stake with every threat.
Business leaders in hospitality need to start by thinking about what threats would target the data of their guests. As an organization, creating a security culture means the frontline of defense is the employees in that hotel. Employees must recognize the value of the information they’re capturing on a daily basis, and protect the digital identity of guests just as they would with physical security, like locked doors. With hotels modernizing the customer experience with things like Internet of Things-connected vending machines or new ways to process payments, each of those devices needs to be secure.
Finally, vendor relationships and employee access controls must be carefully considered, as these are often points of weakness in the security profile.