A recent hack at Marriott is serving as a wake-up call for hotel security teams.
According to court documents, former Marriott employee Juan Rodriguez was fired from the company in August 2016 and was ordered to stay away from the company’s internal systems. However, according to reports, Rodriguez managed to hack into Marriott’s reservation system from his home, chopping room rates down from $159-$499 to $12-$59.
Fortunately for Marriott, Rodriguez failed to mask his IP address and was apprehended shortly after. Marriott lost an estimated $50,000 in the scam, and while Rodriguez is facing three felonies, it is unlikely the company will get that money back.
Rodriguez was unable to get away with his crime, but he was successful in his attempt to break into Marriott’s reservation system. This incident raises concerns for operators who let employees go without changing passwords or updating security information while those employees still have access to important information. A cybersecurity best practice is to always avoid becoming the low-hanging fruit, and by making hackers work just a little bit harder, your property could avoid a potential digital break-in. While Rodriguez likely had insider knowledge of Marriott’s internal systems and processes, it’s possible that following proper security protocol could have prevented, or deterred, his actions.
At the recent Serviced Apartment Summit Americas event, hosted April 11 at the New York Marriott Downtown, Matthew Baker, senior associate at Katten Law, said data breaches in hotels are increasing in number and sophistication. Baker said one of the biggest threats to hotel security is vulnerabilities found in third-party contractors, and called for better and more thorough vetting before entering into digital partnerships.
“If outside contractors are hacked, your guests and their data are immediately at risk,” Baker said. “By adding contractors, your workforce grows. One infection from a hacker can then potentially travel through an entire network and cripple you.”
Name Your Target
One of the most effective tools hackers use to gain access to a network is “phishing,” whereby malicious users send emails impersonating reputable companies with the goal of convincing a user to open an attachment or download a file containing malware that infects the machine, often giving the hackers control of it.
Phishing has been such a common fixture of the internet that many users have grown accustomed to avoiding it, which is why hackers are now resorting to “spear phishing,” an updated version of the practice that relies on first capturing information on a target and then using it as leverage to gain access to a network. Spear phishing emails often appear to come from friends, family members or business associates, and address the target using their name and other personal information. Because of this, operators are urged to have employees treat emails with extra caution.
How do hackers get this information? Often it is purchased on the black market. In the hotel industry alone, information on 619,000 personal accounts was stolen in 2009 when Wyndham Worldwide was hacked. In fact, a large number of hotel companies have been hacked by now, some more than once.
In order to prevent future breaches, Baker said hotels need to adopt solid information technology practices, particularly with regard to keeping systems updated.
“Updates are a major issue for users,” he said. “The majority of systems out there update themselves, but users have to allow for them to take place. If a company can ensure users are updating systems, everyone will be better off.”
Though Baker was unlikely to have heard of Rodriguez’s particular breach when he spoke at the SAS event earlier this week, he had another piece of pertinent advice to share: “When your employees leave your company, get them off your tech immediately!”