The American Hotel & Lodging Association (AH&LA), Hotel Technology Next Generation (HTNG), and Hospitality Financial and Technology Professionals (HFTP) issued a rare joint statement that basically dispels the myth among some franchisees and smaller hospitality establishments that it's up to vendors or credit card brands to properly lock down credit and debit card data.
Hotels and motels are increasingly becoming targets of cybercriminals trolling for credit and debit card data. Hospitality accounted for 15 percent of the breaches in Verizon's 2010 Data Breach Investigations Report, and 10 percent of the data breaches investigated by Trustwave's SpiderLabs last year came from the hospitality industry -- more than government (6 percent) and financial services firms (6 percent). While that was actually a decrease from the year before, when hospitality was the No. 1 target with 38 percent of the breaches, Trustwave has warned that the hospitality industry should "remain on high alert." The organized crime group behind the hospitality hacks has basically expanded the scope of its targets to food and beverage (57 percent of the breaches this year) and retail (18 percent), according to Trustwave.
"Our objective is to make our industry hard enough so we are no longer interesting to cybergangs," says Douglas Rice, CEO of HTNG.
Franchisors, meanwhile, worry about their brand reputation when one of their franchisees suffers a high-profile breach. "And there's the potential for direct fines from [card] issuers. They do view the brands as having some responsibility for merchants operating underneath their brands," Rice says.
The goal is to get franchisees and smaller establishments up to speed on security. "In most cases, the hotel, not the vendor, is responsible for preventing unauthorized people from gaining access to their system. This is the hole that is most frequently exploited by the criminals. Even when a national hotel brand or management company provides network security for the hotel, the local property remains in control of important elements," the trade associations said in the joint statement.
They specify three security steps each hotel should take. The first is to change all default passwords in the network on everything from servers to routers and firewalls. Rice says it's the forgotten machines, like the PC on the engineering manager's desk that uses a weak or default password. "That can be the point of entry," he says. Some 54 percent of breaches logged by Verizon in its recent breach report had used the word "password" as the password, he notes.
The second step is to close holes in remote access points to the network. That includes removing default passwords and strengthening administrative and remote-access credentials, as well as instituting stronger authentication for vendors and staffers. And third, many smaller hotels don't have a network firewall, so the associations are calling for all establishments to get one: "They think, 'Nobody's going to attack us -- we don't need a firewall.' That attitude is fairly pervasive," Rice says.
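The three steps above amount to a checklist a property can audit itself against. The following script is an added example written for this article, not code from the associations or from Dark Reading; it applies the three checks (default or weak passwords, remote access without strong authentication, no network firewall) to a constructed device inventory. The inventory record, its field names (`password`, `remote_access`, `mfa`, `has_network_firewall`) and the short list of default passwords are all assumptions made for illustration.

```python
import re

# Constructed sample site record; every name and field here is an assumption
# made for this example, not data from the article.
SAMPLE_SITE = {
    "name": "example-inn-042",
    "has_network_firewall": False,
    "devices": [
        {"name": "front-desk-pms", "password": "Guest-Ledger#7741",
         "remote_access": True, "mfa": True},
        {"name": "edge-router", "password": "admin",
         "remote_access": True, "mfa": False},
        {"name": "engineering-pc", "password": "password",
         "remote_access": True, "mfa": False},
        {"name": "pos-terminal-2", "password": "Till!2011-zx9q",
         "remote_access": False, "mfa": False},
    ],
}

# Short illustrative list of vendor defaults and trivial choices; a real audit
# would use each vendor's documented defaults plus a breached-password list.
DEFAULT_OR_TRIVIAL = {"", "password", "admin", "administrator", "root",
                      "default", "changeme", "1234", "12345", "123456", "guest"}
MIN_LENGTH = 12  # assumed local policy minimum


def check_password(device):
    """Step 1: default or weak password. Returns a finding string or None."""
    pw = device.get("password", "")
    if pw.lower() in DEFAULT_OR_TRIVIAL:
        return f"{device['name']}: default or trivial password in use"
    if len(pw) < MIN_LENGTH:
        return f"{device['name']}: password shorter than {MIN_LENGTH} characters"
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"[0-9]", pw)):
        return f"{device['name']}: password lacks mixed letters and digits"
    return None


def check_remote_access(device):
    """Step 2: remote access reachable without strong authentication."""
    if device.get("remote_access") and not device.get("mfa"):
        return f"{device['name']}: remote access enabled without multi-factor authentication"
    return None


def check_firewall(site):
    """Step 3: no network firewall between the property and the Internet."""
    if not site.get("has_network_firewall"):
        return f"{site['name']}: no network firewall deployed"
    return None


def audit_site(site):
    """Run all three checks over a site record; returns a list of findings
    (an empty list means the site passed this minimal audit)."""
    findings = []
    for device in site["devices"]:
        for check in (check_password, check_remote_access):
            finding = check(device)
            if finding:
                findings.append(finding)
    firewall_finding = check_firewall(site)
    if firewall_finding:
        findings.append(firewall_finding)
    return findings


if __name__ == "__main__":
    for finding in audit_site(SAMPLE_SITE):
        print("FINDING:", finding)
```

Run against the sample inventory, the audit reports five findings: the router and the engineering PC both use a default password and both expose remote access without a second factor, and the site has no firewall; the property management system and the POS terminal pass. The password checks are deliberately coarse; the point is that the three conditions the associations describe are cheap to test mechanically once a property keeps an inventory of its devices.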
Rice says the associations hope to raise awareness among franchisees and smaller hotels, acting as a more neutral party than, say, a franchisor would be. The sometimes-awkward relationship between some franchisors and their franchisees doesn't facilitate security, he says, and many large chains are hamstrung by old agreements that limit their oversight. "They are less in a position to persuade them," he says. "So we thought maybe we can chime in and be a separate voice that's not perceived to have a bias."
The hospitality industry's security statement and recommendations will also be published by the American Hotel and Lodging Association, which represents nearly half of the hospitality industry, including smaller, independent establishments less likely to be up on cybersecurity threats or even PCI.
"The weakest link right now is the smaller, independent hotels that haven't taken this seriously to date," Rice says.
But the associations say their security recommendations, which are merely a subset of PCI-DSS, don't constitute an actual security plan, and that hotels should follow PCI as well. "We strongly recommend that hotels take the PCI requirements seriously because the threat is real and because PCI is effective. However, many hotels have told us they find completing the PCI standards very challenging or believe that their vendors have them covered. If this describes your mindset, then it is time for you to take ownership of security for your hotel systems. Start work immediately on these three important areas that are entirely under your control; that can be addressed quickly, inexpensively, and effectively; and that can dramatically improve your security," they said in their directive.