On August 24, the U.S. Court of Appeals upheld a lower court’s ruling that the Federal Trade Commission (FTC) has data protection authority. Specifically, the case was FTC suing Wyndham Hotel Group for failing to adequately safeguard its computer network and allowing hackers to access customer information.
What does this new ruling mean for the hospitality industry? The devil is always in the details, of course, and for this new decision the details have yet to be defined, including what constitutes “adequate” security, who will enforce it and the penalties.
For now though, just how big of an industry problem is cybersecurity? Research on the Dark Web shows it’s a huge problem for hotels and the customers they serve, and given the new ruling, the time to get a handle on it is now.
This hotel room just fell off the back of a truck…
Loyalty programs and memberships work because travelers are always looking for the best deal. But travelers can pick up really ‘special’ hotel deals on the Dark Web.
For travelers who aren’t “ethically challenged” and don’t mind picking up a few new web browsing skills and a bitcoin account, there are plenty of black market deals that cheat hospitality brands, their partner companies, and other travelers for fun and profit.
Now, this all may sound unbelievable to the majority of consumers, but, in fact, its de rigeur in the busy marketplace that is the Internet’s black market, The Dark Web.
The Dark Web, while only a tiny part of the overall Internet, is traditionally thought of as a busy marketplace for illegal drugs, ill-gotten prescription pharmaceuticals, pornography and politically subversive activities. It’s the haven of “hacktivists” and criminals.
But, for those who study the Dark Web and collect its data, it is that and a lot more. In fact, the Dark Web is thought of by many as a glimpse into what may become fairly mainstream, accepted ways of trading in the very near future.
In any given week on the Dark Web, browsers can find all manner of things being offered for sale or trade that affect a hospitality company’s business. The things that are regularly offered for sale have real impacts on bottom lines: financials, reputation, customer loyalty and brand.
What can be found on the Dark Web on almost any given day:
- Sensitive customer data and corporate documents
- Access points inside your network, web and mobile applications
- Hijacked loyalty program accounts from unsuspecting customers
- Fraudulent membership points/balances/voucher codes
- Hotel network/Wi-Fi exploits
- Software vulnerabilities for things like common hotel point-of-sale systems
- Phishing campaigns aimed at major chain customers bases
- Fraudulent websites designed to lure hotel customers
- Crimeware instruction in “how to” do fraud and exploit
- All of the above for hire/as-a-service
In July 2015 alone, there were hundreds of hospitality-related goods and services for sale. Big brand names and many more are all there, as well as smaller regional, budget and boutique properties.
So why is hospitality such a big target?
To cybercriminals, hotels, motels, casinos, resorts and spas, and their ancillary support businesses are like an eternal spring. There are hundreds of millions of customers staying and paying at any given moment. Hospitality is consumer focused. Thus, it’s cybercrime focused, too.
Hospitality is one of the largest adopters of technology and technological conveniences in the business world. Web and mobile apps abound, as does the data they trade in. That means networks and accounts and data are everywhere, from Wi-Fi to point-of-sale.
All these moving parts means the waterfront of possible threats is infinitely long. Take the volume and variety into account and that means functions like cyber defense and fraud prevention (which are difficult at best across all industries) are even harder to do effectively. Put simply, when you start out behind, it’s hard to catch up.
Much like companies in other sectors, hospitality acquires and implements cybersecurity in a mostly traditional way. They look at what others are buying, whom they’re hiring and then do the same. Firewalls, IDS/IPS, SIEM and all the traditional “defense-in-depth” approaches are common.
The problem (as with other less frenetic industry sectors,) is this isn’t working against a broader, multi-dimensional and constantly evolving threat landscape. In fact, due to hospitality’s unique data and volume issues, as well as its inherent need to stay competitive via customer conveniences and volume-driven cost controls, traditional cyber practices are a kind of Maginot Line of defense: they seem real and big enough, but in reality, are superficial and easily circumnavigated.
Across the sector, the big and the small companies all suffer from myriad challenges:
- Only top 1% of sector companies possess adequately mature cybersecurity functions
- Customers, customers, customers and more customers
- Veritable worlds of data in motion and at rest
- Lots of technology, everywhere
- Very little use of big data analytics for cyber defense prevention
- Understaffed, overworked and no real budget
- Prioritization of customer conveniences over security
- Threat “tunnel vision:” watching the front doors, back doors wide open
- Little-to-no comprehensive cyber intelligence to inform defense tactics
- No dynamic mapping of risk profiles to cyber threats
- Insignificant cybersecurity budgets vs. the size of the threat
And why is the Dark Web such a significant threat?
Just as with the real Maginot Line in World War II, the Dark Web represents a set of threats largely unexpected, using unforeseen tactics and coming from the least expected angles. In other words, Dark Web cybercrime goes around, over and under most traditional defenses.
What’s more, most companies regardless of the industry, traditionally prioritize tactical cyber defenses above all else and completely ignore any kind of formal intelligence gathering designed to make those defenses better tuned to the variety of threats. It’s like spending a defense budget building a big wall around a fort not knowing the enemy has airplanes or tunneling machines, too.
What to do instead? Consider Dark Web threats more “active.” It’s one thing to know about a certain kind of malware on the rise against an industry sector, but quite another to know someone’s selling access to customer credit card data that is being harvested from a point-of-sale terminal inside a resort. Anyone can directly and immediately act on that point-of-sale issue to fix the hole.
Dark Web threats represent some of the highest impact threats to a hospitality business. Hospitality is highly competitive. There are lots of choices out there, so things like customer loyalty and the brand’s reputation are linked directly to perception. Right now, some of the top Dark Web activities in hospitality revolve directly around compromised loyalty programs, customer accounts and customer data. Look to see what’s been compromised and plug that hole immediately.
As more and more consumer-focused crime arrives at their front doorsteps via other parties such as the places they stay when they travel and the services they use to get there, the building of a “secure brand” is paramount. And that’s a process that inherently involves gaining intelligence on your own risks. The problem now is very few in hospitality are taking that seriously.
By Jason Polancich, founder and chief architect, SurfWatch Labs, Sterling, Virginia