Three major hotel industry associations, including the American Hotel & Lodging Association (AH&LA), Hotel Technology Next Generation (HTNG), and Hospitality Financial and Technology Professionals (HFTP) today issued the following joint statement to hotels regarding organized cyber crime attacks on credit card data. It identifies actions that hotels – and not their system vendors – need to take immediately in order to minimize their vulnerabilities and to avoid the potential for hundreds of thousands of dollars in costs and fines that typically result when just a single hotel system is breached.
The three associations play pivotal roles in educating hoteliers and hotel IT professionals on critical issues, and in analyzing and addressing them, and represent critical constituencies of General Managers, Controllers, and IT executives at brands, management companies, and hotels. “Our decision to address this jointly is directly related to the magnitude of the threat,” said Joe McInerney, CEO of AH&LA. “We don’t want to dilute the message by saying different things; we all agree on the key steps hotels need to take,” said Frank I. Wolfe, CAE, CEO of HFTP. “Credit card crime is the top issue for hotel company chief information officers (CIOs) today, but they can’t address it effectively without the help of every General Manager and Controller,” said Douglas Rice, CEO of HTNG.
This alert is not intended in any way to suggest that hotels should not adhere to the Payment Card Industry Data Security Standards (PCI-DSS), which are the best way to avoid being breached. But these standards are complex and often misunderstood, and take time and money to implement. Hotels that have not yet started their PCI compliance can use this information to help focus their initial efforts. Those who think that they don’t need to do anything about PCI because their vendor provides a PCI-compliant system will learn that this is not possible, and that there are key actions they still need to manage themselves.
STATEMENT ON CREDIT CARD SECURITY
Cyber criminals are systematically attacking systems that store credit card data, including Point-of-Sale and Property Management Systems. The criminal organizations are highly structured and integrated with the world’s organized crime rings. Detailed forensic analysis by law enforcement agencies and specialized private-sector security practices, as well as by security departments at major hotel groups around the world, leave little doubt that the attacks on hotels are highly targeted and effective.
Many hoteliers believe they are not vulnerable because they use Point-of-Sale and Property Management Systems that have been validated as conforming to the latest PCI security standards. Unfortunately this is far from the case. Even such validated systems can be vulnerable if the hotel operates them in an unsecured manner. Leading forensics firms agree that the most important security measures are those that keep cyber criminals from getting inside the hotel network in the first place. Once inside, there are many ways for them to steal the data, even if the PMS or POS system itself is secure.
In most cases, the hotel, not the vendor, is responsible for preventing unauthorized people from gaining access to its systems. This is the hole most frequently exploited by the criminals. Even when a national hotel brand or management company provides network security for the hotel, the local property remains in control of important elements.
We urge every General Manager and every Controller to understand that there are three specific actions that they – not their vendors – must take in order to reduce their hotel’s vulnerability to credit card theft. These actions alone will not guarantee your hotel will not be breached. They may not stop a breach that is already in progress. But according to the Verizon Business/US Secret Service report from 2010, 96 percent of breaches would have been stopped had these measures been in place.
Many brands and management companies do not perform these functions for hotels. Those that do generally do not (and often cannot) do them all. Your corporate IT department should be able to tell you, very specifically, which things they have done; you will need to address the others.
The three actions are:
* Eliminate EVERY default password on EVERY machine on your network – server, workstation, router, firewall, and any other device that has a password. The most important machines to check are the ones you think are NOT vulnerable, such as a PC on an engineer’s desk for monitoring building systems, or the PC in the parking garage attendant’s office, or the one in a closet running your keycard system.
To do this right, have your IT manager or a network consultant map out your network electronically. They should identify every attached device, and then physically try to log in to each one using the manufacturer’s default login credentials (easily obtainable via an Internet search). If that login and password work, change them. In 53 percent of newsworthy attacks investigated by forensics firm Verizon Business in 2009, the thieves gained entry to the network by using the word “password” as the password. Don’t make it this easy for them. Task your IT Manager to do this, or hire a network consultant.
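The two checks described above, tracking which devices on the network map have been tested for factory logins and making sure the replacement password is not just another guessable word, can be kept in a simple script. The following is an added example, not part of the associations' statement; the device inventory and the list of default passwords are constructed sample data, to be replaced with what the IT manager or consultant actually finds on the property.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of factory-default passwords; extend it from the
# manufacturer documentation for each device type found on the network.
# The empty string is included so that purely numeric passwords, which
# reduce to "" once their digits are stripped, are also rejected.
DEFAULT_PASSWORDS = {"password", "admin", "administrator", "root", "1234",
                     "12345", "123456", "default", "guest", "public", ""}


@dataclass
class Device:
    """One entry from the electronic network map (constructed sample data)."""
    host: str
    role: str                    # where it lives and what it does
    default_login_tested: bool   # has someone tried the factory login?
    default_login_worked: bool   # did the factory login succeed?
    password_changed: bool       # was the password changed afterwards?


def audit_inventory(devices: List[Device]) -> Dict[str, List[str]]:
    """Sort the network map into work that still needs doing."""
    report: Dict[str, List[str]] = {"untested": [], "still_default": [], "ok": []}
    for d in devices:
        if not d.default_login_tested:
            report["untested"].append(d.host)
        elif d.default_login_worked and not d.password_changed:
            report["still_default"].append(d.host)
        else:
            report["ok"].append(d.host)
    return report


def is_acceptable_password(candidate: str, min_length: int = 12) -> bool:
    """Reject replacement passwords that are as guessable as the default.

    Case is normalised and trailing digits/punctuation are stripped, so
    'Password2010!' is caught as a variant of 'password'.
    """
    if len(candidate) < min_length:
        return False
    stem = re.sub(r"[\d\W_]+$", "", candidate.lower())
    return stem not in DEFAULT_PASSWORDS


# Constructed inventory illustrating the "machines you think are NOT
# vulnerable" the statement warns about.
SAMPLE_INVENTORY = [
    Device("pms-server", "property management system", True, False, False),
    Device("pos-terminal-1", "restaurant point of sale", True, True, True),
    Device("bms-pc", "engineer's building-monitoring PC", True, True, False),
    Device("garage-pc", "parking attendant's office PC", False, False, False),
    Device("keycard-pc", "keycard encoder in the closet", True, True, True),
]

if __name__ == "__main__":
    for status, hosts in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:14s} {', '.join(hosts) or '-'}")
    for pw in ("password", "Password2010!", "123456789012", "Lobby-Fountain-Keys-7"):
        print(f"{pw!r}: {'accepted' if is_acceptable_password(pw) else 'rejected'}")
```

Run against the sample inventory, the report lists the garage PC as untested and the building-monitoring PC as still on its factory password, which is exactly the follow-up list the General Manager should be handed.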
* Eliminate holes in remote access to systems inside your network. Remote access by vendors is an essential part of support for many hotel systems. The data thieves know this, and they know how to use it to get inside your network. They know all the default passwords, and they have even been known to steal master customer lists, complete with current passwords, from vendors.
At the very least, make sure that the administrative and remote-access passwords on all your systems have been changed. Better still, for each vendor that needs remote access, put in place a process that ensures that each time they connect, you know that it is really them (not someone who has stolen their password list), and have approved their connection. While there are many good technology solutions, you can also institute a manual policy of issuing one-time passwords that are changed after each use. If the vendor wants to connect, have your staff call them back on their regular support line with the password. Give the list of passwords only to trusted staff, and store them under lock and key with instructions for changing them. Change the password as soon as the vendor is done.
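The manual one-time password procedure above (issue a fresh password, call the vendor back on their published support line, accept the password once, then retire it) can be recorded in a small ledger so that staff can see what is open and the password itself is never kept on file. This is an added example, not a procedure or tool from the associations or any vendor; the vendor names, timestamps and four-hour validity window are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


def _digest(password: str) -> bytes:
    # Only a hash is kept, so the ledger is not itself a password list worth stealing.
    return hashlib.sha256(password.encode()).digest()


@dataclass
class Issued:
    digest: bytes
    issued_at: datetime
    expires_at: datetime
    callback_confirmed: bool = False
    used: bool = False


class VendorAccessLedger:
    """One-time remote-access passwords, one per vendor support session.

    issue()            staff generate a fresh password for a named vendor
    confirm_callback() staff record that they called the vendor back on the
                       regular support line and read them the password
    redeem()           the password is accepted once, only after the callback,
                       and only before it expires
    close_session()    the record is dropped as soon as the vendor is done
    """

    def __init__(self, validity: timedelta = timedelta(hours=4)):
        self.validity = validity
        self._open: Dict[str, Issued] = {}   # vendor name -> current record

    def issue(self, vendor: str, now: Optional[datetime] = None) -> str:
        now = now or datetime.now(timezone.utc)
        password = secrets.token_urlsafe(16)   # ~128 bits of randomness, never reused
        self._open[vendor] = Issued(_digest(password), now, now + self.validity)
        return password   # shown once to the trusted staff member, not stored

    def confirm_callback(self, vendor: str) -> None:
        rec = self._open.get(vendor)
        if rec is None:
            raise KeyError(f"no open access request for {vendor}")
        rec.callback_confirmed = True

    def redeem(self, vendor: str, password: str, now: Optional[datetime] = None) -> bool:
        now = now or datetime.now(timezone.utc)
        rec = self._open.get(vendor)
        if rec is None or rec.used or not rec.callback_confirmed or now >= rec.expires_at:
            return False
        if not hmac.compare_digest(rec.digest, _digest(password)):
            return False
        rec.used = True   # single use: a replayed password is refused
        return True

    def close_session(self, vendor: str) -> None:
        self._open.pop(vendor, None)


def demo() -> Dict[str, bool]:
    """One constructed support session, showing which attempts are accepted."""
    t0 = datetime(2010, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    ledger = VendorAccessLedger()
    pw = ledger.issue("pms-vendor", now=t0)
    before_callback = ledger.redeem("pms-vendor", pw, now=t0)
    ledger.confirm_callback("pms-vendor")
    first_use = ledger.redeem("pms-vendor", pw, now=t0 + timedelta(minutes=5))
    replay = ledger.redeem("pms-vendor", pw, now=t0 + timedelta(minutes=6))
    ledger.close_session("pms-vendor")
    stale = ledger.issue("pos-vendor", now=t0)
    ledger.confirm_callback("pos-vendor")
    expired = ledger.redeem("pos-vendor", stale, now=t0 + timedelta(hours=5))
    return {"before_callback": before_callback, "first_use": first_use,
            "replay": replay, "expired": expired}


if __name__ == "__main__":
    for step, accepted in demo().items():
        print(f"{step:16s} {'accepted' if accepted else 'refused'}")
```

Only the attempt made after the callback, within the validity window and before any other use is accepted; the same password presented a second time, or a password that was never confirmed by callback, is refused, which is the property the manual process is meant to guarantee.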
* If you were to store stacks of money in plain sight in an exit stairwell, you would expect to be robbed. Operating without an Internet firewall is just as risky. Yet many hotels, especially smaller ones, don’t have a firewall. If you are connected to the Internet without one, then people you don’t know, from around the world and many with malicious intent, are reaching into your network. A recent University of Maryland study counted more than 2,200 attacks on an average Internet-connected computer every day – equating to one every 39 seconds. If that computer is in your hotel, and if their intent is to steal credit card data, they will probably succeed.
If you don’t have a firewall, buy one and install it. Even a consumer-grade firewall, available for $100 USD or less, provides a lot more protection than nothing. Get a firewall and configure it properly to prevent the criminals from reaching your machines easily. It should allow only those types of traffic you need, and only to or from Internet addresses that you trust.
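The configuration principle in the paragraph above, allow only the traffic you need and only from addresses you trust with everything else dropped, can be checked before a single rule is typed into the firewall. The following is an added example, not from the associations or any firewall vendor: a default-deny allow list evaluated against constructed connection attempts, with a lint that flags the common mistake of leaving a remote-support port open to the whole Internet. The vendor address range and all other addresses are documentation ranges, not real hosts.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

IPNet = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    direction: str   # "in" (Internet -> hotel) or "out" (hotel -> Internet)
    proto: str       # "tcp" or "udp"
    port: int        # destination port
    remote: IPNet    # Internet addresses this rule trusts
    note: str = ""


@dataclass(frozen=True)
class Flow:
    direction: str
    proto: str
    port: int
    remote_ip: ipaddress.IPv4Address


class Policy:
    """Default-deny allow list: anything not matched by a rule is dropped."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def decide(self, flow: Flow) -> Tuple[str, str]:
        for r in self.rules:
            if (r.direction == flow.direction and r.proto == flow.proto
                    and r.port == flow.port and flow.remote_ip in r.remote):
                return ("allow", r.note)
        return ("deny", "no matching rule (default deny)")

    def lint(self) -> List[str]:
        """Flag inbound rules that trust every address on the Internet."""
        return [f"inbound {r.proto}/{r.port} open to any address: {r.note}"
                for r in self.rules
                if r.direction == "in" and r.remote.prefixlen == 0]


# Constructed assumptions: the PMS vendor publishes a support address range.
VENDOR_SUPPORT = IPNet("203.0.113.0/24")
ANY = IPNet("0.0.0.0/0")

GOOD_POLICY = Policy([
    Rule("out", "tcp", 443, ANY, "outbound HTTPS (web, card processor)"),
    Rule("in", "tcp", 3389, VENDOR_SUPPORT, "PMS vendor remote support"),
])

WEAK_POLICY = Policy([
    Rule("out", "tcp", 443, ANY, "outbound HTTPS"),
    Rule("in", "tcp", 3389, ANY, "remote support from anywhere"),
])

# Constructed connection attempts to evaluate.
SAMPLE_FLOWS = [
    Flow("in", "tcp", 3389, ipaddress.IPv4Address("203.0.113.10")),   # the vendor
    Flow("in", "tcp", 3389, ipaddress.IPv4Address("198.51.100.7")),   # unknown host
    Flow("in", "tcp", 1433, ipaddress.IPv4Address("203.0.113.10")),   # vendor, unneeded port
    Flow("out", "tcp", 443, ipaddress.IPv4Address("192.0.2.44")),     # staff browsing
]


def evaluate(policy: Policy) -> List[str]:
    """Decision for each sample flow, in order."""
    return [policy.decide(f)[0] for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("weak", WEAK_POLICY)):
        print(name, evaluate(policy), policy.lint())
```

With the allow list scoped to the vendor's range, the unknown host knocking on the remote-support port is dropped and the vendor is still let in; the weak policy admits both, and the lint reports why.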
This is not a complete security plan. The Payment Card Industry Data Security Standards (PCI-DSS) outline many actions that you should take to secure your systems, and provide more details on these and other actions. We strongly recommend that hotels take the PCI requirements seriously, because the threat is real and because PCI is effective.
However, many hotels have told us they find completing the PCI standards very challenging, or believe that their vendors have them covered. If this describes your mindset, then it is time for you to take ownership of security for your hotel systems. Start work immediately on these three important areas that are entirely under your control; that can be addressed quickly, inexpensively, and effectively; and that can dramatically improve your security.