‘Mind-boggling’ data security risks: A call to action

In the aftermath of Marriott International’s massive Starwood reservation system data breach, the largest such breach of 2018, cybersecurity experts warn that protecting customer information and technology systems will only get harder.

“The issue of guest personal data is obviously on everyone’s minds recently because of the Starwood/Marriott breach, but this is actually only a small subset of the challenges that a property faces from a security point of view,” says Ed Moyle, general manager and chief content officer at Prelude Institute, which trains cybersecurity analysts.

“In terms of the sheer volume of specialized, connected, ‘purpose-built’ equipment — everything from televisions to in-room streaming to telephones to plumbing and HVAC — there are very few industries that even come close,” he says. 

Contributed by Ellis Booker

Marriott estimated in March that the breach involved about 18.5 million encrypted passport numbers and about 5.25 million unencrypted passport numbers. About 9.1 million encrypted payment card numbers were involved, of which approximately 385,000 were unexpired as of September 2018. “Thus far, we have not received any substantiated claims of loss from fraud attributable to the incident,” CEO Arne Sorenson said in testimony to the U.S. Senate at that time.

“One would hope the Marriott episode was a call to action, that it would result in action,” says John Burns, president of Hospitality Technology Consulting. “I have not seen that.”

At the end of last year, Burns called on industry groups to take specific actions on a declared timetable. “All of us in the lodging industry – and I include in this term not only traditional hotel operators but also shared accommodation representatives and vacation rental aggregators – to devise and lead implementation of more stringent guest data security standards,” he wrote. Among other things, Burns recommended that Hospitality Technology – Next Generation (HTNG), which already operates its Chief Information Security Officers Forum, and Hospitality Finance and Technology Professionals (HFTP) “immediately form the senior-level Joint Emergency Guest Data Security Workgroup.”

Noting that he hasn’t heard that any of his recommendations have been embraced, Burns says he remains “hopeful rather than optimistic.”

Systems, people, devices

What are the immediate and long-range security vulnerabilities for property owners? According to security experts, there are at least three dimensions: systems, people and devices. 

First are existing enterprise IT systems, particularly legacy ones that may be inadequate from a technology – or access-policy – standpoint. This appears to have been the case in the hack of the Starwood database, which was phased out at the end of 2018 in favor of Marriott’s own system.

Employees are part of the problem. “(O)ur industry is blessed and cursed with very hospitable professionals,” Michael Blake, CEO of HTNG, the technology solutions association for the hospitality industry, wrote in a blog post in January. “These folks are fundamentally accommodating, making them perfect targets for social engineering attacks by cyber criminals.”

Blake’s recommendation: recurring cybersecurity training for everyone. He also stressed the need to hire a chief information security officer if the organization lacks such an executive.

The final, and arguably most problematic, cybersecurity attack vector is also the newest: a profusion of devices in the Internet of Things (IoT).

IHS Markit predicts that the installed base of IoT devices will rise from 27 billion in 2017 to 73 billion in 2025. However, as businesses deploy more and more IoT systems from an ever-expanding number of vendors, their security exposure increases. More than half of the global organizations that responded to a Kaspersky Lab survey last year agreed with the claim that “the increased risks associated with connectivity and the integration of IoT ecosystems are a major cybersecurity challenge.”

“It’s a mind-boggling number of access points, most of them operated by people for whom security is not a top concern,” says Burns about the diverse, fragmented infrastructure managed by many property owners.

Both Burns and Moyle focus on the need for robust data governance as a mechanism for managing the technology elements within the ecosystem – in particular those that interact with guests – as well as segmenting what these systems do. “Given the complexity, a workmanlike and systematic approach to data governance isn’t just a ‘nice to have,’ it’s foundational,” he says.