How Marriott, Hyatt, and Starwood could have avoided a hack

August 30, 2016

By: Jonathan Sander

A new breach at a major hotel chain hit the headlines recently, claiming “Thousands of Guests' Data May Have Been Hacked at Starwood, Marriott, Hyatt Hotels.” But how new is this? The attack used malware to collect data from point-of-sale (POS) and other secondary systems in the hotels. That means the bad guys may not get everything about you, but they will get credit card data. Though the headlines are fresh, the attacks have been going on for years. It seems attackers are enjoying their stay. The question is why are these hotels such good targets? What is it about them that makes attackers so motivated? And, perhaps most importantly of all, what could be done to make things more secure?

When looking at these hotel breaches, it’s good to see them in context. Brian Krebs, longtime security expert and reporter, gives a very good summary of the attacks. The first signs of the Starwood-related headlines from today actually came in November of 2015. He traces the sustained attack on hotels all the way back into 2013, implies it could be even older, and gives details on how the attacks have been structured. Along the way the bad guys hit well-known brands like White Lodging, Mandarin Oriental, Hilton, Starwood, Sheraton, Westin, Marriott, and even The Trump Hotel Collection. All of them had the same pattern: malware on POS devices collecting card data on systems like gift shops, food venues, bars, and other secondary systems in the hotels.

Secondary Systems

It may sound odd to talk about “secondary systems” in hotels. At first glance, many may not see the massive technology operation that hotels have become. Behind every chocolate on a pillow, there are IT systems driving things. Every average-sized hotel is going to have just as many computers in it as any average-sized white-collar office. We all see the workstations at the front desk. But there are dozens more behind that wall. More on every floor, more in each office throughout, many in staff areas that may be shared between maintenance and other staff, and dozens more humming away automating every checklist and every schedule. Those are just the systems running the main operations. The secondary systems are all those that are connected to the hotel network but serve the bars, shops, and other hotel functions. And every single one of these is a target.

Why are the secondary systems hit so hard? These tend to be less well maintained, often outsourced or bought as is from a vendor, and the only concern is cost. Everyone knows what happens to security when cost is the only consideration in technology deployment – it goes from second thought to none. If I’m an attacker and I know there are dozens or more ill-secured endpoints on a network where fresh credit cards are being swiped many times a day and the turnover of targets is guaranteed, why would I not go after that as fiercely as possible?

Cost Management

As much as the pursuit of low cost seems like a fault here, it may also be the way that these hotels could save themselves. When you look at the cutting edge of hotel management, what you find is that some of the greatest concerns are energy and supply chain. If you have a huge building and you can cut the energy costs by half, that’s a lot of money. If you have thousands of those buildings like a hotel chain, it’s a paramount concern. If you can save .02% on every bar of soap and you go through millions of them, that adds up quickly. Hence hotels are supply chain masters. In both cases, the chain’s main offices have centralized these operations in order to get the best scale and make sure they get the most consistent savings across their locations. Now, imagine another top-line concern for hotels being at risk: reputation. If breaches like this continue and they are unanswered, we may find ourselves walking across the street to the hotel brand that has had fewer breaches lately.

Many of the problems the bad guys have stirred up for these hotels have well-known mitigations. Hotel brands could centralize protection and incident response into a SOC (Security Operations Center). With a centralized center of operations, they could deliver on better governance, analytics, malware mitigation, and identity management. If we’ve learned anything about the bad guys, it’s that presented with a harder target they will likely move on. If hotels can shave the cost of soap to save millions through centralizing, they can likely clean up their act by centralizing security, too. The board and executives should see the reputation damage looming and act on it. Then it’s likely that attackers will pack up, check out, and move on to the next friendly place they can stay for a while.

Do you know where the vulnerabilities and access risks are in your organization? To understand what comprehensive attack intelligence is, you must understand the anatomy of an attack and where you are weakest. Download our newest eBook, "Comprehensive Attack Intelligence," which will take you through the anatomy of an attack as well as the vulnerability and identity risks facing your organization today.
