For the second time this week, a hotel company is on the hot seat because of internet security issues. In the latest incident, Pyramid Hotel Group was notified by vpnMentor' research team a breach had occurred in the Group's security platform. The breach, which was closed on May 29, was publicized in a report on vpnMentor's website, and exposed information about Pyramid's operating systems, security policies, internal networks and application logs.
"Pyramid was notified on May 28 of a security event that could have affected some of our hotels," reported Pyramid Hotel Group in a statement provided to Hotel Management. "We contacted our security vendor, which advised that no sensitive data was compromised or had been exposed, and confirmed that the server was immediately secured upon notification preventing further access. Pyramid is continuing to investigate this issue."
vpnMentor dated the breach to April 19. Pyramid Hotel Group uses an open-source intrusion detection system called Wazuh and vpnMentor suggested something may have happened during system setup, reconfiguration or maintenance that impacted the server Wazuh was located on, creating the breach.
It was unclear if between the time of the initial breach and its closure if anyone was able to access any of Pyramid's security platform information. If so, the report said, they would have been able to gather information about affected hotels' security and discover any weak points. Able to see what the security team saw, theoretically they would have been able to learn how the system alerted security and adjust their strategy based on that information.
Though Pyramid Hotel Group has closed this breach, Jason Glassberg, co-founder of Casaba Security, predicted threats still remain. "There's no one piece of information there that would allow you to break into a system, but taken as a whole, you're able to build quite an informative picture of the entire nature of their systems," he said. If someone got in, he predicted it would be "open season" on the company, when it comes to potential future attacks. "People are going to start hitting them left, right, upside down, just to be able to see if they can find a breach."
Aside from surveilling hotels’ security teams and processes, the report said the vpnMentor team that discovered the leak found it could affect guest-facing operations. "Our team found multiple devices that control hotel locking mechanisms, electronic in-room safes and other physical security-management systems. Especially in the wrong hands, this drives home the very real danger here of when cybersecurity flaws threaten real-world security."
According to vpnMentor, the affected hotels included Tarrytown House Estate in Tarrytown, N.Y.; Carton House Luxury Hotel in Maynooth, Ireland; Aloft Hotels in Florida; the Temple Bar Hotel in Dublin and other properties in Pyramid's portfolio.
The report listed some of the details the leak included, such as:
- Server application programming interface key and password
- Device names
- Internet protocol addresses of incoming connections to the system and geolocation
- Firewall and open ports information
- Malware alerts
- Restricted applications
- Login attempts
- Brute force attack detection
- Local computer name and addresses, including alerts of which of them has no antivirus installed
- Virus and malware detected on various machines
- Application errors
- Server names and operating system details
- Information identifying cybersecurity policies
- Employees’ full names and usernames
The news of the Pyramid Hotel Group incident follows that of a breach of Drury Hotels’ third-party technology service provider. The provider, still unidentified, told Drury someone accessed certain transaction records from some third-party online booking sites between Dec. 29, 2017, and March 13, 2019.
In November, the Radisson hotel chain notified customers of a data breach after its Radisson Rewards program was compromised in a security incident. Radisson Rewards first detected the breach on Oct. 1 and revoked access to the unauthorized party, the company reported.
According to Radisson Hotel Group no credit card or password information was compromised. Instead, information accessed was restricted to member names, addresses, email addresses, company names, phone numbers, Radisson Rewards member numbers and frequent-flyer numbers.
In addition, a number of other hotel companies have experienced data breaches in the past few years. In 2017, Sabre Corp. disclosed an unauthorized party had accessed its central reservations system, potentially exposing consumers’ payment-card data and personal information. Last year, Marriott International and Orbitz both disclosed breaches, the first involving the personal and financial information of up to half a billion customers and the second exposing information on 880,000 payment cards.