The hospitality sector has suffered another high-profile breach, with compromises at both Hard Rock Hotels & Casinos and Loews Hotels. For seven months, attackers had unauthorized access to a third-party reservation system, which allowed them to attain unencrypted credit card payment information, as well as guest names, addresses and phone numbers.
Last week, some Google employees discovered that their information had been breached, thanks to a hack of Sabre’s SynXis hotel and travel reservation system that had been publicized in May. Now, it appears that same breach also impacted the hotels.
Sabre alerted both hotel chains in early June that an unauthorized party gained access to account credentials that permitted unauthorized access to the information. That access was active from August 10, 2016 to this past March 9, 2017.
Hard Rock said that several properties were affected during the time period: Hard Rock Hotel & Casino Biloxi, Hard Rock Hotel Cancun, Hard Rock Hotel Chicago, Hard Rock Hotel Goa, Hard Rock Hotel & Casino Las Vegas, Hard Rock Hotel Palm Springs, Hard Rock Hotel Panama Megapolis, Hard Rock Hotel & Casino Punta Cana, Hard Rock Hotel Rivera Maya, Hard Rock Hotel San Diego and Hard Rock Hotel Vallarta.
For its part, Loews said that less than 15% of the average daily bookings were viewed by the hackers.
These players aren’t strangers to data breaches. Hard Rock’s Las Vegas property was the victim of card-scraping malware used at the point of sale to access customer payment-card data at restaurants and retail outlets between Sept. 2014 to April 2015, and then again between October 27, 2015 and March 21, 2016. And Sabre admitted a breach in August 2015 that affected American Airlines.
Stephen Boyer, founder and CTO of BitSight, told Infosecurity that the hospitality and travel sector should always be on high alert as it’s an incredibly attractive target for hackers.
"These aren't banks, but they have large volumes of credit card transactions flowing through their systems,” he said. “Cyber-criminals continue to target organizations that have data (especially credit card data) that can be monetized. Control gaps and vulnerabilities that expose that card data will be exploited by motivated and skilled criminal groups using principally well understood and preventable methods.”
As such, the incidents showcase a lack of proper security approaches, according to some.
“The breaches highlight the critical need for better data protection across all industries—particularly those that utilize personally identifiable information (PII) data, such as hospitality and retail,” said Ermis Sfakiyanudis, cybersecurity expert and CEO of Trivalent, via email. “Not only does this breach serve as an example of the dangers third-party companies can pose to enterprise data that is not properly protected, it also opens up a larger discussion around traditional encryption. With the onslaught of high-profile breaches so far this year, encryption alone has proven it is no longer enough to protect sensitive information, especially against next level threats like ransomware. The only way to get ahead of data breaches is to address them as a likely probability, rather than an impossibility.”