Attacks/Breaches
2/5/2014
11:47 AM
Connect Directly
RSS
E-Mail

Hotel Company Investigates Data Breach, Card Fraud

White Lodging, which manages 168 hotels under Hilton, Marriott, and Sheraton brand names, is investigating a suspected credit and debit card breach.

White Lodging-owned JW Marriott Indianapolis. (Credit: Wikimedia Commons.
White Lodging-owned JW Marriott Indianapolis. (Credit: Wikimedia Commons.

Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
amanda travis
50%
50%
amanda travis,
User Rank: Apprentice
7/5/2014 | 1:40:00 AM
Re: No perfect security
Thanks for this post. I find it very interesting. A proposed credit card hotline is the latest issue to fuel the fiery debate over the Consumer Financial Protection Bureau. The hotline would essentially take calls from concerned customers, and the agency would compile grievances about charge card companies. It pays to be very careful in choosing sources for this matter to avoid scam.
catvalencia
50%
50%
catvalencia,
User Rank: Apprentice
5/26/2014 | 11:54:15 AM
Re: Dont think its just these properties.
Scams are everywhere. So please watch out for this bogus tricks folks! Always be wary of individuals selling stuff door to door, as a number are rip-off artists. Apart from Girl Scouts attempting to get people hooked on diabolically addicting cookies, there are a number of door-to-door scams out there.
AaronP916
100%
0%
AaronP916,
User Rank: Apprentice
2/6/2014 | 5:06:43 PM
Dont think its just these properties.
I don't think it's solely limited to those properties.  I stayed in two of their other properties in North Austin, and one of theirs in Chandler, AZ.  American Express called to inform me that my card number was stolen and was attempted to charge items in South Africa.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/6/2014 | 8:18:56 AM
Re: No perfect security
Great analogy about "teaching to the test." Meeting a compliance reg is only a part of the solution. The real security goal is to ensure that everyone at all levels -- users, techies, security experts, etc. -- understand the organizations's overarching security goals, are grounded in best security practices and are kept up to date on emerging tech trends that add to security risks (like your example of  IP video surveilance cameras). Thanks for the thoughtful response!
jagibbons
50%
50%
jagibbons,
User Rank: Strategist
2/5/2014 | 7:51:19 PM
Re: No perfect security
Being in or out of compliance is evaluated against a set of tests that are designed to provide evidence of various practices. Behing each test there a principle that the test is evaluating. You can pass the test and still be doing things that violate the principle.

Here's a brief example. I can put in video surveillance to make sure my cashiers are skimming credit numbers. That helps me protect credit card data. However, if my video recording actually sees the card numbers that the customer is handing to my cashiers, I now have a copy of that credit card on the video surveillance that may not be as secure as my point of sale units.

The intent, or principle, is about protecting card data. By focusing on one area of protection instead of looking holistically, I can unintentionally violate that principle while achieving 100% compliance on the test. Likewise, I can spend all my time locking down my network to protect our systems, but when that lockdown becomes so draconian that my staff decide to take shortcuts to make their jobs easier, security suffers.

It's like with standardized testing in schools. It's better for all society if kids learn the subject, rather than just learn enough to spit out the answers to a test.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/5/2014 | 2:09:26 PM
Re: No perfect security
...if companies are maintaining compliance by focusing on strong security practices that target the intent of the PCI DSS, the likelihood of a breach goes down.

Thats an interesting way to look at PCI-DSS. What do you mean by intent versus strict compliance. 
jagibbons
100%
0%
jagibbons,
User Rank: Strategist
2/3/2014 | 12:33:04 PM
No perfect security
Even if you are indisuptably 100% compliant with the PCI Data Security Standards, you can suffer a breach. There is no such thing as perfect security. However, if companies are maintaining compliance by focusing on strong security practices that target the intent of the PCI DSS, the likelihood of a breach goes down. More importantly, being in compliance and having that be part of the corporate culture should make it easier and less costly to deal with a breach once it is discovered.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0619
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

CVE-2014-2230
Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

CVE-2014-7281
Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

CVE-2014-7292
Published: 2014-10-23
Open redirect vulnerability in the Click-Through feature in Newtelligence dasBlog 2.1 (2.1.8102.813), 2.2 (2.2.8279.16125), and 2.3 (2.3.9074.18820) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter to ct.ashx.

CVE-2014-8071
Published: 2014-10-23
Multiple cross-site scripting (XSS) vulnerabilities in OpenMRS 2.1 Standalone Edition allow remote attackers to inject arbitrary web script or HTML via the (1) givenName, (2) familyName, (3) address1, or (4) address2 parameter to registrationapp/registerPatient.page; the (5) comment parameter to all...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.