News for the Hospitality Executive
to Avoid the Next Data Breach
Aaron Titus, Chief Privacy Officer, Identity Finder
July 18, 2011
“We’ve had a breach.” It’s a sentence nobody wants to hear, but breaches in the hospitality industry are unfortunately common, with many hotel chains losing credit card data. As a hotel, your most valuable asset is your guests’ trust. Breaches directly undermine that trust, resulting in an average customer churn rate of 3.6 percent. Recent high-profile breaches include the Radisson and Westin, to name a few.
Breaches don’t just happen to large chains; the recent spate of so-called “Anti-Sec” hacking incidents demonstrates that any organization, large or small, can be a target. If you ever think you’re safe because you’re too small to be noticed by a hacker, just remember: if thieves only stole from big companies, corner stores would never be robbed.
Hotels of all sizes face a storm of factors making them vulnerable to breaches. First, guests provide personal information through multiple channels. These include online websites (e.g. Orbitz, Hotels.com, or Travelocity), phone calls, postal mail, email and face-to-face interactions with the concierge. Each channel of personal information is a potential source of a data breach, and must be individually protected.
Second, hotel managers, third parties, credit card processors and employees often have access to a wide range of guests’ personal information. Despite your best efforts, guest credit card numbers that have been emailed to employees can remain on mail and backup servers for years. Negligent or even well-meaning employees may save an Excel spreadsheet containing guests’ home addresses and loyalty program information and forget about it. Each piece of forgotten data is a breach waiting to happen.
Third, many hotels and motels today offer computers for guest use. Whether these machines sit on the hotel/motel network (as they usually do) or stand alone, they are extremely vulnerable to hackers and viruses, and, most importantly, they quietly accumulate customer data on their hard drives.
9 things your hotel can do to prevent your next breach:
Minimize Data Collection
Data minimization is a fundamental principle of data security. This principle primarily means: if you don’t need it, don’t collect it. After all, you can’t breach information you don’t have. Because of the high costs associated with data breaches, credit card data and other sensitive personal information should be collected sparingly and protected as though it were gold.
Understand and Comply with PCI-DSS
The Payment Card Industry Data Security Standard (or PCI-DSS) is a series of requirements for securing credit card data and involves all people, processes and technology that store, process, or transmit cardholder data. This includes merchants, processors, acquirers, issuers, service providers and others.
The first step in complying with PCI-DSS is discovering and defining your Cardholder Data Environment (CDE), all of the places, systems, people, and hardware that cardholder information could touch. All of these places are subject to PCI audit, so you must verify that no cardholder data exists outside your Cardholder Data Environment.
I have personally helped more than 150 companies recover from data breaches, and I have discovered that every single breach had one thing in common: Not a single company understood what information was on their network, nor were they aware of how many computers contained sensitive personal information. Knowing more about your Cardholder Data Environment is required by PCI-DSS and decreases your likelihood of a future breach. Not knowing the extent of your CDE is a source of liability.
Find and Digitally Shred Unneeded Information
According to the Privacy Rights Clearinghouse, breaches occur in several common patterns. The following graphic classifies most documented breaches since 2005 into major types:
A recent white paper by Identity Finder analyzed each breach and found that between 65 percent and 76 percent of the time, the breached information was stored or “at rest” when the breach occurred.
These findings are consistent with nationalidwatch.org, which has discovered and documented more than 115 breaches from a range of industries. Each breach has a common theme: Old, forgotten data was accidentally exposed or lost. Old, forgotten data is dangerous data. In each case, the organization was completely unaware which computers and public servers had copies of personal information, until it was too late.
This “Data Blindness” is why your organization needs to actively scan your computers, servers and networks for sensitive personal information and PCI data; you’ll be surprised what you find, and where you find it. Once you know where these assets reside, you can take action to shred, redact, or protect the information.
Simplify Your Reports
It is tempting to include more information than necessary in internal reports; that’s what happened when an employee at the Corona-Norco Unified School District accidentally posted an internal report online last September. Even though social security numbers were not necessary for the report, the employee included SSNs by default. Every time a social security number or PCI data appears in a report, you must invest additional resources to protect the report. In other words, sloppy reports cost money. Had the report simply omitted this unnecessary information, this exposure would never have occurred.
Dozens and potentially hundreds of employees of large hotels and their affiliates have access to PCI data and even Human Resource (HR) data. A single employee who exercises bad judgment can cost the company millions of dollars. Consequently, access to PCI and HR data should be granted on a “need to know” basis, and access should be reviewed regularly.
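The scanning, shredding and report-redaction steps above come down to one capability: finding card numbers and SSNs wherever they sit and masking them. The following is an added example, not code from the article or from Identity Finder; it runs a PAN scanner (Luhn-validated, so a random 16-digit confirmation number is not flagged) and an SSN scanner over a constructed spreadsheet export, then redacts the hits down to the last four digits.

```python
import re

# Constructed sample export: one valid test card number, one number that fails
# the Luhn check, one confirmation number and two SSN-shaped values (987-xx-xxxx
# is outside the valid SSN area range, so it should not be flagged).
SAMPLE_REPORT = """guest,card,ssn,loyalty
J. Doe,4111 1111 1111 1111,123-45-6789,GOLD-1001
A. Roe,4111-1111-1111-1112,987-65-4321,SILV-2002
Order,Confirmation 1234567890123456,n/a,BRNZ-3003
"""

# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# AAA-GG-SSSS with the structurally invalid area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 9 // 2 + 1 else d * 2
        total += d
    return total % 10 == 0


def _is_pan(match_text: str) -> bool:
    digits = re.sub(r"[ -]", "", match_text)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def find_pans(text: str) -> list:
    """Return card-number candidates that pass the Luhn check, as written in the text."""
    return [m.group() for m in PAN_RE.finditer(text) if _is_pan(m.group())]


def find_ssns(text: str) -> list:
    return [m.group() for m in SSN_RE.finditer(text)]


def redact(text: str) -> str:
    """Mask PANs to their last four digits and SSNs entirely; leave non-hits untouched."""
    def mask_pan(m):
        if not _is_pan(m.group()):
            return m.group()
        digits = re.sub(r"[ -]", "", m.group())
        return "*" * (len(digits) - 4) + digits[-4:]
    return SSN_RE.sub("***-**-****", PAN_RE.sub(mask_pan, text))
```

Pointed at real files rather than the embedded sample, the same two scanners give you the inventory of where PCI and HR data actually lives, which is the starting point for defining the CDE.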
Split Up Your Network
Usually found in the attic of any large building is a “fire wall”, a specially designed fire-resistant barrier. The purpose of the wall isn’t to prevent fires, but to limit the damage when a fire happens. Electronic firewalls perform the same function on a network: they limit the spread of viruses, malware and attacks rather than preventing them, by separating internal networks from one another, generally by department or some other logical structure. If your Sales department doesn’t need access to employees’ social security numbers, then separate the Sales office’s network from the HR department’s. If your hotel provides complimentary wireless networks to hotel guests, make sure that network is segregated from your payment systems network. By separating your internal networks, you can limit damage caused by a breach, virus, or malicious insider.
Encrypt. No, Seriously. Encrypt.
If information is truly sensitive, then you should encrypt it both at rest and in motion. In fact, some state laws mandate encryption under certain circumstances. Remember that roughly 70 percent of breaches occur when stored data is lost or stolen. Several whole-disk encryption solutions exist at reasonable cost. Proper encryption will make PCI data unusable, rendering the information useless to a thief.
When transmitting encrypted information off-site (such as to Hotels.com or your corporate sales department), the encryption key should be sent in a separate communication; otherwise an attacker who has access to the email will be able to defeat the encryption. By default, email is not encrypted.
It’s Your Network: Know What’s Going On
Every month, you spend hundreds or thousands of dollars using a credit or debit card. Chances are you read your statements to detect unauthorized activity on your accounts and to keep track of where your money goes.
In contrast, every month your hotel exchanges data worth thousands or millions of dollars over your networks. Yet, often hotels never review their network logs, or “statements” for unauthorized activity. Many don’t know exactly where this valuable information goes. In addition to maintaining server logs and data trails, make sure your security professionals actively review this data. Proper logging and analysis will allow your company to better quantify risk, fix vulnerabilities and even track down the perpetrators of an attack.
Security is not Just an “IT” Thing
Even the best IT security cannot prevent a careless mistake from an employee. Hotels bear the heavy responsibility of training all staff in the proper handling of PCI data, especially in an age of Facebook, Twitter, text messaging and smart phones. Though technology solutions are often essential, security is not a product. Security is fundamentally a human system, which uses technological tools.
Create a culture of privacy and security by evaluating employees on their adherence to privacy and security practices during each performance review. If your organization requires employees to transmit PCI data, make sure that the employees have a secure method (that is, not email) to transfer information. Also, make sure that tools are easy to use and your employees are trained and encouraged to use them.
PCI data is as valuable as gold and as dangerous as uranium. Although your organization will never be able to completely eliminate the risk of a breach, taking these “9 Common-sense Steps” will significantly reduce your potential liability.
About Aaron Titus
Aaron Titus is the Chief Privacy Officer for Identity Finder, and an attorney specializing in Internet, Technology and Privacy law. Aaron has spent four years as the Privacy Fellow for the Washington DC policy institute Liberty Coalition. There he helped develop Privacy Commons: An emerging framework for creating complete, informative, enforceable, and easy to adopt privacy policies. He also developed NationalIDWatch.org, empowering individuals to recover from identity breach and theft. As an attorney he has consulted organizations on legal requirements, risk identification, risk management, and developing a corporate culture of privacy. Aaron Titus’ work has been covered in countless newspapers and news media outlets, including the Washington Post, New York Times, Forbes, the Wall Street Journal, The Associated Press, ABC, and MSNBC. In May 2010 he testified before the Senate Committee on Homeland Security and Government Affairs. Aaron Titus received his J.D. from the George Washington School of Law, and his undergraduate degree in Architecture from the University of Utah.