Attacks/Breaches
2/5/2014
11:47 AM
Connect Directly
RSS
E-Mail

Hotel Company Investigates Data Breach, Card Fraud

White Lodging, which manages 168 hotels under Hilton, Marriott, and Sheraton brand names, is investigating a suspected credit and debit card breach.

White Lodging-owned JW Marriott Indianapolis. (Credit: Wikimedia Commons.
White Lodging-owned JW Marriott Indianapolis. (Credit: Wikimedia Commons.

Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
amanda travis
50%
50%
amanda travis,
User Rank: Apprentice
7/5/2014 | 1:40:00 AM
Re: No perfect security
Thanks for this post. I find it very interesting. A proposed credit card hotline is the latest issue to fuel the fiery debate over the Consumer Financial Protection Bureau. The hotline would essentially take calls from concerned customers, and the agency would compile grievances about charge card companies. It pays to be very careful in choosing sources for this matter to avoid scam.
catvalencia
50%
50%
catvalencia,
User Rank: Apprentice
5/26/2014 | 11:54:15 AM
Re: Dont think its just these properties.
Scams are everywhere. So please watch out for this bogus tricks folks! Always be wary of individuals selling stuff door to door, as a number are rip-off artists. Apart from Girl Scouts attempting to get people hooked on diabolically addicting cookies, there are a number of door-to-door scams out there.
AaronP916
100%
0%
AaronP916,
User Rank: Apprentice
2/6/2014 | 5:06:43 PM
Dont think its just these properties.
I don't think it's solely limited to those properties.  I stayed in two of their other properties in North Austin, and one of theirs in Chandler, AZ.  American Express called to inform me that my card number was stolen and was attempted to charge items in South Africa.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/6/2014 | 8:18:56 AM
Re: No perfect security
Great analogy about "teaching to the test." Meeting a compliance reg is only a part of the solution. The real security goal is to ensure that everyone at all levels -- users, techies, security experts, etc. -- understand the organizations's overarching security goals, are grounded in best security practices and are kept up to date on emerging tech trends that add to security risks (like your example of  IP video surveilance cameras). Thanks for the thoughtful response!
jagibbons
50%
50%
jagibbons,
User Rank: Strategist
2/5/2014 | 7:51:19 PM
Re: No perfect security
Being in or out of compliance is evaluated against a set of tests that are designed to provide evidence of various practices. Behing each test there a principle that the test is evaluating. You can pass the test and still be doing things that violate the principle.

Here's a brief example. I can put in video surveillance to make sure my cashiers are skimming credit numbers. That helps me protect credit card data. However, if my video recording actually sees the card numbers that the customer is handing to my cashiers, I now have a copy of that credit card on the video surveillance that may not be as secure as my point of sale units.

The intent, or principle, is about protecting card data. By focusing on one area of protection instead of looking holistically, I can unintentionally violate that principle while achieving 100% compliance on the test. Likewise, I can spend all my time locking down my network to protect our systems, but when that lockdown becomes so draconian that my staff decide to take shortcuts to make their jobs easier, security suffers.

It's like with standardized testing in schools. It's better for all society if kids learn the subject, rather than just learn enough to spit out the answers to a test.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/5/2014 | 2:09:26 PM
Re: No perfect security
...if companies are maintaining compliance by focusing on strong security practices that target the intent of the PCI DSS, the likelihood of a breach goes down.

Thats an interesting way to look at PCI-DSS. What do you mean by intent versus strict compliance. 
jagibbons
100%
0%
jagibbons,
User Rank: Strategist
2/3/2014 | 12:33:04 PM
No perfect security
Even if you are indisuptably 100% compliant with the PCI Data Security Standards, you can suffer a breach. There is no such thing as perfect security. However, if companies are maintaining compliance by focusing on strong security practices that target the intent of the PCI DSS, the likelihood of a breach goes down. More importantly, being in compliance and having that be part of the corporate culture should make it easier and less costly to deal with a breach once it is discovered.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5700
Published: 2014-09-22
Multiple cross-site scripting (XSS) vulnerabilities in Baby Gekko before 1.2.2f allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/index.php or the (2) username or (3) password parameter in blocks/loginbox/loginbox.template.php to index.php. NOTE: some o...

CVE-2014-0484
Published: 2014-09-22
The Debian acpi-support package before 0.140-5+deb7u3 allows local users to gain privileges via vectors related to the "user's environment."

CVE-2014-2942
Published: 2014-09-22
Cobham Aviator 700D and 700E satellite terminals use an improper algorithm for PIN codes, which makes it easier for attackers to obtain a privileged terminal session by calculating the superuser code, and then leveraging physical access or terminal access to enter this code.

CVE-2014-3595
Published: 2014-09-22
Cross-site scripting (XSS) vulnerability in spacewalk-java 1.2.39, 1.7.54, and 2.0.2 in Spacewalk and Red Hat Network (RHN) Satellite 5.4 through 5.6 allows remote attackers to inject arbitrary web script or HTML via a crafted request that is not properly handled when logging.

CVE-2014-3635
Published: 2014-09-22
Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows remote attackers to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one m...

Best of the Web
Dark Reading Radio