Tag Archives: Customer Data

Hospitality Industry Security Update: “Luxury Hotel Computer Breach Impacts Thousands”

“…It’s difficult to know how many customers were impacted, Love added, because people use multiple payment forms – credit cards, cash, checks and member charges – for amenities including stays in the posh 289-room hotel, food and valet service. Membership accounts, including the items and services charged to them, were not affected, the news release said…”

At least 10,000 customers of The Houstonian Hotel, Club & Spa were exposed in a credit card security breach that lasted nearly six months, officials alerted guests on Tuesday.

The west Houston luxury retreat emailed 10,000 people about the “malicious software attack,” which started on December 28, 2013 and continued until June 20, information technology director Jason Love said.

For more: http://bit.ly/1rbrDDl


Hospitality Industry Cybercrime Risks: Criminal Hackers Target Hotels Lacking “Advanced Data Security Safeguards” On Local Credit Card Transactions; “Chip-And-Pin Cards” Coming Soon

“…criminal hackers gravitate to some hotels because, like retail stores and restaurants, hotels do many credit card transactions at a local level, where centralized and highly sophisticated data security safeguards may be lacking…Most hotels are locally owned, though managed by big hotel chain companies. For hotel owners, it is expensive to come into full compliance with the tough global data security criteria set by the credit card companies…That includes using complex passwords, being wary of public Wi-Fi, updating antivirus software — and checking credit card statements carefully…”

“…In the United States, credit cards use magnetic strips that are more vulnerable to hacking than the electronic chips embedded in credit cards in Europe and elsewhere. Such cards also require entry of a PIN…these so-called chip-and-PIN cards are headed our way, said Kathy Orner, vice president for information security at Carlson Rezidor, a worldwide hotel company that is among the industry leaders in data security…all of the major credit card issuers plan to start introducing these cards in the United States within two or three years…”

In its 2013 Global Security Report, Trustwave, a data security management firm, says that the top three industries targeted for data breach attacks in 2012, measured by the number of its investigations, were retailing (45 percent), food and beverage (24 percent) and hotels (9 percent). Three years ago, the hotel industry was at the top, but hotels have since made “significant strides” in improving credit card security measures, the report says.

Last year, for example, the Federal Trade Commission sued Wyndham Worldwide, the hotel chain, for what it said was inadequate safeguarding of credit card information that led to three data breaches at hotels in under two years, with “millions of dollars in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to an Internet domain address registered in Russia.”

The threat is constant, Mr. Roman said. “The best protection is vigilance, and that takes work,” he said.

For more:  http://www.nytimes.com/2013/09/03/business/data-security-begins-with-the-traveler.html


Hospitality Industry Data Security Risks: Hotels Are At Significant Risk Of “Large-Scale Hacking” Of Guest Personal Information, Including Information In Reservation Systems

“Data security is becoming an issue of significant importance in the hospitality industry…(because of) an increase in hacks and malware attacks, which frequently target hotel systems because they’re a rich source of personal information… hackers aren’t just targeting data on hotel systems but also the information passed along to reservations systems…credit card theft is much easier — and more likely — through large-scale hacking…another reason hotel guests are vulnerable to having their personal information stolen: They’re easily distracted.”

Several days after Traci Fox visited a small independent resort in the Catskill Mountains, she received an unexpected call from a shoe store. Where did she want it to ship the $400 worth of pricey sneakers that she’d ordered?

Fox believes that her hotel may have compromised her credit card information. At least one government agency shares her concerns. Last summer, the Federal Trade Commission sued Wyndham Hotels, alleging that the company had failed to protect its customers’ personal information. As a result, the FTC claims, hundreds of thousands of credit card numbers fell into the wrong hands, leading to millions of dollars in fraud-related losses. Wyndham denies any wrongdoing and is fighting the suit.

The problem may run deeper than the theft of credit card numbers, however.

The personally identifiable information in your guest profile, such as your home address, your license plate number and your date of birth, which is attached to your reservation, can end up in the hands of a third party that offers little or no warranties about how it will protect your data. “These kinds of areas are more worrisome than some huge Visa bill,” says hotel consultant Marion Roger. “Once your identity has been cloned, you can easily spend years and hundreds of thousands in legal and other fees.”

For more:  http://www.washingtonpost.com/lifestyle/travel/the-navigator-when-you-check-in-your-private-information-may-be-checked-out/2013/03/28/07cb90ca-9599-11e2-bc8a-934ce979aa74_story.html


Hospitality Industry Legal Risks: “Data Breach Class-Action Lawsuits” Are Increasing As Judges Widen View To Include “Future Damages”; Average Settlements Of $2500 Per Plaintiff

“…Until a couple of years ago, courts would routinely dismiss lawsuits stemming from data breaches, such as the latest in South Carolina, unless the victims could show specific damages. Judges have since widened their view and are awarding class-action status to lawsuits that can show actual damages or a real possibility of future damages…”

The payout for companies on the losing side of a class-action suit can be substantial. A recent survey of data breach litigation found an average settlement award of $2,500 per plaintiff, with mean attorney fees reaching $1.2 million, according to a study by Temple University Beasley School of Law.

How federal courts define the damages people suffer from data breaches is broadening dramatically, leaving unprepared companies at greater risk of big payouts in class-action lawsuits, lawyers from a prominent law firm say.

Jeffrey Vagle, a lawyer with Pepper Hamilton, described judges’ thinking as a “sea change.” “Courts are starting to pick up on the fact that the data that can get out there can cause serious harm, maybe not immediately, but sometime in the near future,” Vagle said.

Examples include a case in which a laptop containing unencrypted personal data of Starbucks employees was stolen. While there was no evidence that the data was misused, the Ninth Circuit Court ruled in 2010 that the risk alone was enough to warrant a lawsuit, Vagle and colleague Sharon Klein said in a Client Alert published on the law firm’s website.

Data breaches have become a fairly common occurrence among companies of all sizes. Last year, 174 million data records were lost in 855 separate incidents, according to a recent report from Verizon. A 2011 Ponemon Institute survey of 583 IT and IT security professionals in the U.S. found that 90 percent of the organizations they represented had suffered at least one data breach.

To lessen potential damages, Pepper Hamilton recommends beefing up technical and physical security wherever possible. While no technology is 100% hacker proof, courts tend to compare what a company has in place to what is considered best practices for businesses of the same size and in the same industry. Taking all reasonable steps to prevent data theft can lessen damages.

Also, information shouldn’t be linked to individuals, unless absolutely necessary, and a notification policy needs to be in place, so people affected by data breaches are warned as quickly as possible.

A bill pending in Congress would set a national standard for data breach notification, replacing the variety of state laws that exist today. Introduced in June, the Data Security and Breach Notification Act would also set maximum damages and define what is considered a breach.

Irrespective of the bill’s fate, companies need to establish clear policies and procedures for handling data breaches when they occur. Klein recommends a dry run to ensure that everyone understands the steps that need to be taken.

“Many companies still believe that it only happens to the other guy,” Klein said. “And because of that, [they] have not done the blocking and tackling and preventative work upfront.”

For more:  http://m.csoonline.com/article/720128/courts-widening-view-of-data-breach-damages-lawyers-say?goback=.gde_922967_member_180838402


Hospitality Industry Information Risks: Federal Trade Commission (FTC) Sues Hotel Operator Over Guest Account Data Theft That Results In Over $10 Million Of Credit Card Fraud

“… fraudulent charges on Wyndham’s consumer accounts totaled more than $10.6 million following three data breaches in less than two years. The breaches occurred in April 2008, March 2009 and in late 2009…”

The Federal Trade Commission said repeated failures to secure consumer data led to hundreds of thousands of consumers’ payment card information being exported to an Internet domain address registered in Russia.

Wyndham, which operates several hotel brands, including the value-oriented Days Inn and Super 8, is one of a large number of organizations that acknowledged in the past three years that they had been hacked by people seeking either financial gain or intellectual property.

Other victims have included entertainment giant Sony, the International Monetary Fund, Google, Lockheed Martin and Citigroup.

For more: http://www.reuters.com/article/2012/06/27/uk-ftc-wyndham-idUSLNE85Q01Q20120627


Hospitality Industry Information Security: Hotel And Restaurant Guests Face Increased Risks Of “Credit Card Cloning”; Stolen Data Rewritten Onto New Cards And Used Instantly

“…an unscrupulous restaurant waiter with a pocket skimmer might be able to steal information from hundreds of customers a week, selling that information to those with the means to encode fake credit cards. Battery-powered skimmers can be carried in a pocket…copying information as customers swipe cards to pay for gas or withdraw cash…”

The (stolen) information then can be emailed or downloaded over the Internet and rewritten onto any card with a magnetic strip, such as gift cards or hotel keys. While the victim’s credit card is still in his or her possession, someone could be using a perfect replica hundreds of miles away.

The process, called “cloning,” accounts for much of the growth in credit card fraud during the past few years, officials said. According to a Javelin Strategy and Research report, credit card fraud has increased 87 percent since 2010, culminating in aggregate losses of $6 billion nationwide.

Credit card cloning is easy and lucrative, accounting for its popularity, said Sileo, who founded the Web site Thinklikeaspy.com.

People whose cards are skimmed might not know for weeks or months that their information has been stolen. Once someone realizes it, the account usually is closed quickly. Savvy crooks know to rack up major bills just as fast.

Read more here: http://www.kentucky.com/2012/06/24/2236535/financial-crimes-credit-card-cloning.html#storylink=cpy


Hospitality Industry Information Technology Risks: Hotel And Restaurant “POS Systems” Are The #1 Target Of Criminal Data Breaches

If a criminal can breach a system in the restaurant, they also have access to the front desk, the spa and any other connected system. The risk is even greater when hotels are part of a hotel chain with interconnected systems.

Franchise businesses are particularly at risk primarily because franchises tend to have the same POS system duplicated at all locations. If a cybercriminal can figure out a way to breach one, in all likelihood, they can replicate the attack at other locations.

In 2011, Trustwave SpiderLabs conducted 42 percent more data breach investigations than in the previous year. More than 85 percent of these data breaches occurred in the food and beverage, retail and hospitality industries.

Why the focus on these industries? There are several reasons, but the number one is that they all process credit cards. In our investigations, we found that the vast majority of assets targeted by criminals were point-of-sale software systems (75 percent of cases). Think of the scenario of a hotel that maintains a restaurant, a spa, as well as other services all connected to one POS system. We’ve investigated cases where the criminal breached the environment at one location and was in turn able to connect to dozens of others through the wide area network used by the hotel chain.

For more:  http://www.forbes.com/sites/ciocentral/2012/04/11/restaurants-beware-hackers-want-your-customer-data/
