How hoteliers can mitigate data breaches

As hackers go after business computer systems in search of data to steal, sell or hold for ransom, security teams are finding high- and low-tech solutions to block the attacks. 

The latest "Verizon 2020 Data Breach Investigations Report" analyzed more than 32,0000 security incidents, the company said, of which 3,950 were confirmed breaches—almost double the number of breaches analyzed in last year’s report. Report co-author Suzanne Widup, senior information security professional at Verizon, saw a wide range of methods used to access computers—and noticed that as soon as security professionals learn how to block one kind of hack, criminals would try another.

Types of attacks

Hackers employ a range of methods to access data. For example, memory-scraping (also known as RAM-scraping) malware scans the memory of digital devices like point-of-sale systems to collect information. Hackers have had “a lot of success” in levering this kind of malware to secure credit card numbers from point-of-sale machines, Widup said.

For C2 (Command and Control) hacking, thieves build what is called a botnet, turning individual systems into their bots that then contact the command and control system—“sort of like the mothership,” Widup said. From there, they get instructions on what to do with the infected computer’s data.

A remote access Trojan hack, meanwhile, inserts a piece of malicious software into a machine that gives users remote access into the system that's been infected. “Usually it masquerades as a legitimate program, and that's where the Trojan part comes in,” Widup explained.

But as soon as security and IT professionals learn about each of these kinds of attacks, hackers need to change their routines. Between the 2019 and 2020 reports, respondents reported a 44 percent decline in RAM scraping year over year. “That's quite a significant difference,” Widup said, acknowledging that while they may not know the reason for the downturn, they can assume it is because some kind of control has been implemented to prevent the hack. “But the rise of the Trojan and the remote-access Trojans ... means that [hackers] are finding other ways to get around the mitigations that the software vendors and and the security people put in place,” she cautioned. 

Widup expressed particular concern over the rise of ransomware attacks. “Usually they're trying to get the credit card data—well, if they can get ransomware on the system, then they don't have to go and find the data. They can just charge a ransom for someone to get their access to the system back.” Beyond that, ransomware authors are now taking a copy of the data before they trigger the encryption, and then threaten to release that copy to the public. “That's pretty concerning as well.”

An ounce of prevention

Preventing hacks, Widup said, can be as simple as making sure all of a hotel’s company computers and business devices are used only for their intended purposes. Some organizations allow workers to use point-of-sale computers as an all-purpose machine, she noted, and if employees check personal email and social media accounts, malicious software can get in. “All it takes is someone falling for a phishing email to their personal [account] and off we go,” she said. 

Similarly, remote access to a businesses’ computers needs to be carefully limited. Some businesses, for example, permit remote access programs for vendors to access computers. If a vendor’s password is formulaic or follows a pattern, she cautioned, it becomes easy to determine what other passwords might be. 

To prevent ransomware attacks from causing the worst damage, Widup recommends backing up all data regularly to a backup server that is separate from the main system. “You need to test your backups and make sure that it can restore to a good point,” she said. “If they also get your backup, you're in a lot of trouble.”

As hotels increasingly offer free Wi-Fi to lure in day visitors to the lobby or as a guest amenity, Widup emphasized the need to compartmentalize networks for different purposes. “You don't want [it to be] like the Wild West out there, where anyone can connect to your corporate network,” she said. And as mobile devices become vital tools for a broader range of the hotel staff, from the concierge to the housekeeper, Widup advised limiting each device’s access to the corporate network through firewalls. “Make sure that you've designed them and built [the networks] correctly so that they don't have holes that will allow people to cross between.”

And with so many hotels working with only a skeleton crew thanks to furloughs, teams will need to monitor their networks remotely. While cutting staff in an economic downtown is inevitable, a hotel cannot cut so many team members that it is left exposed to attacks. “It's just a matter of not relaxing your vigilance,” Widup advised. “If you have to train people across multiple disciplines, that's an approach. If you have [fewer] people, then at least have more knowledge.”

Ultimately, Widup believes education to be the best defense against hackers. When employees can recognize phishing attempts, they can protect a business’ most valuable assets. Of course, she added, human error is eternal, and mistakes will happen. “Nobody has employees who don't commit errors,” she said. With proper training, a hotel’s team can detect and mitigate problems quickly, minimizing damage to both their data and their reputation.