2019 CYBER THREAT REPORT: GAMING, LEISURE & HOSPITALITY INDUSTRY MARCH 2019 www.intsights.com


About the Author

Hadar Rosenberg is a Threat Intelligence Research Analyst at IntSights, focused on finding new threat actors, learning their tactics and understanding key trends in the threat landscape. She lived in China for 5 years and speaks fluent Chinese. Hadar researches criminal activity across the dark web to uncover key intelligence from unique sources. She believes the Asian cyber ecosystem is still mostly unknown and finds it very interesting to explore this secret underworld.

About IntSights

IntSights is redefining cyber security with the industry’s first and only enterprise threat management platform that transforms tailored threat intelligence into automated security operations. Our groundbreaking data-mining algorithms and unique cyber reconnaissance capabilities continuously monitor an enterprise’s external digital profile across the surface, deep and dark web, categorize and analyze tens of millions of potential threats, and automate the risk remediation lifecycle - streamlining workflows, maximizing resources and securing business operations. This has made IntSights one of the fastest growing cybersecurity companies in the world. IntSights has offices in Amsterdam, Boston, Dallas, New York City, Singapore, Tel Aviv and Tokyo.

Copyright 2019 IntSights Cyber Intelligence | www.intsights.com

Table of Contents

Introduction

Chapter 1: Why: Why Do Hackers Target Hotels?

Chapter 2: Where: Understanding the Hotel Attack Surface

Chapter 3: What: Common Cybercriminal Attack Vectors

Chapter 4: Who: Who Are the Threat Actors

Chapter 5: When: Notable Data Breaches

Chapter 6: How: How to Protect Your Organization

Introduction

The rapid rise of cybercrime has affected organizations around the globe and across all industries. Retail and Financial Services might be the most commonly targeted industries due to the enticing financial and consumer scam opportunities for cybercriminals. But organizations in the Gaming, Leisure and Hospitality space have been increasingly targeted by both cybercrime and nation-state groups, and face a unique set of challenges compared to other sectors.

The hospitality industry, which for this report includes hotels, resorts, casinos and other leisure/travel businesses, has been the victim of numerous high-profile data breaches in recent years. This includes the highly-publicized Marriott breach – carried out through their Starwood system – that exposed over 383 million customer records.

Hotels and resorts offer cybercriminals a number of intriguing attack vectors to target. They are widely distributed and highly connected, giving threat actors endless entry points to exploit, like software systems, third parties, or even employees with minimal cybersecurity awareness. They have made significant brand and digital marketing investments, meaning threat actors can more easily target customers through scams and fraud. And they contain huge amounts of personal data, meaning the payoff can be lucrative if a threat actor can successfully penetrate the network.

Furthermore, hotels must defend against hackers with various motivations. There is ample opportunity for financially motivated hackers to make money, but we have also seen a rise in nation-state and APT groups targeting hotels for espionage purposes. These groups have a war chest of TTPs, actors and funding, and attack in very different ways from the casual hacker looking to make a few bucks.

All of these challenges – or opportunities, depending on what side you’re on – have led to an alarming rise in attacks targeting hotels, resorts and other hospitality organizations. They have also highlighted some significant flaws these organizations have in their security infrastructure.

In this report, we provide an overview of the key challenges, attack vectors, threat actors and trends facing organizations in the Gaming, Leisure & Hospitality industry. We break it down by the Who, What, Where, When and Why behind hospitality-focused cyberattacks, and finally share How these organizations can better prepare and defend themselves from the ever-growing threat landscape.

IntSights Cyber Threat Report: 2019 Gaming, Leisure, & Hospitality

Chapter 1: Why

Why Do Hackers Target Hotels?

In any adversarial situation, it’s important to understand your counterpart’s motivation to gain an idea of how they might attack you. In recent years, we have witnessed the hospitality sector suffer repeated cyberattacks, resulting in numerous high-profile data breaches. The most current and well-known example is the Marriott breach, where approximately 383 million customer records were breached according to Marriott’s update – although the initial number was estimated at 500 million. That makes this the second-largest data breach in history.

Figure 1: Hotel gift cards for sale on Hackforums

According to PwC’s Hotels Outlook report 2018-2022, the hospitality industry has the second-largest number of cybersecurity breaches after the retail sector. According to Trustwave Holdings, Hospitality was the third-most targeted industry in 2018, after Retail and Finance. Almost all major hotel brands were affected by a data breach in the past several years.

What makes the situation even worse is the fact that prominent hotel brands were attacked repeatedly. Trump Hotels were breached three times between 2015 and 2017, while Starwood, Hyatt and Hard Rock Hotels & Casinos were breached twice. This is the new alarming reality, in which customers’ personal information is being stolen and often sold on the dark web criminal black market. Hotels have become extremely attractive to cybercriminals and nation-state hackers because they:

1. Collect highly sensitive, valuable and varied personal data on their customers. This information may include guests’ travel itinerary, passport details, credit card information, personal preferences, air miles and more. Since hotels strive to give their guests personalized experiences, they tend to collect and store this customer data on a long-term basis, more so than other industries.

2. Manage a large number of financial transactions, which often involve executives and wealthy individuals with considerable credit card balances. If cybercriminals get their hands on this data, they can use it to make fraudulent purchases or run targeted phishing campaigns.

3. Are often spread nationally and even internationally. This means they have large attack surfaces and a wide variety of information that cybercriminals can sell across different regions of the dark web.

4. Use loyalty programs to encourage repeat visits and additional stays. Cybercriminals often target rewards members using troves of leaked email and password combinations to access customers’ loyalty accounts and use the points for fraud. These scams are much harder to detect, as users don’t typically watch their loyalty point balances the way they watch their credit card statements. In addition, many people habitually reuse their credentials on multiple sites, which can lead to a breach that could be duplicated on other sites via credential stuffing.
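The credential-stuffing pattern described in item 4, seen from the defender's side, as an added example that is not part of the original report: it flags source IPs that try many distinct loyalty accounts in a short window with mostly failed logins, then lists the accounts and point redemptions that need review. The log format, thresholds, function names and all sample values are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, source IP, event, account, [points]
SAMPLE_LOG = """\
2019-03-01T02:00:01 198.51.100.7 login_fail anna@example.com
2019-03-01T02:00:03 198.51.100.7 login_fail ben@example.com
2019-03-01T02:00:05 198.51.100.7 login_fail cara@example.com
2019-03-01T02:00:08 198.51.100.7 login_fail dev@example.com
2019-03-01T02:00:11 198.51.100.7 login_fail eli@example.com
2019-03-01T02:00:14 198.51.100.7 login_ok frank@example.com
2019-03-01T02:05:00 198.51.100.7 redeem frank@example.com 50000
2019-03-01T09:12:00 203.0.113.20 login_fail grace@example.com
2019-03-01T09:12:30 203.0.113.20 login_ok grace@example.com
2019-03-01T09:20:00 203.0.113.20 redeem grace@example.com 8000
"""


def parse_events(log_text):
    """Parse the assumed log format into chronologically sorted event dicts."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        events.append({
            "ts": datetime.fromisoformat(parts[0]),
            "ip": parts[1],
            "event": parts[2],
            "account": parts[3],
            "points": int(parts[4]) if len(parts) > 4 else 0,
        })
    return sorted(events, key=lambda e: e["ts"])


def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_accounts=5, min_fail_ratio=0.8):
    """Flag IPs that hit many distinct accounts, mostly failing, inside one window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] in ("login_fail", "login_ok"):
            by_ip[e["ip"]].append(e)
    flagged = set()
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most `window`.
            while attempts[end]["ts"] - attempts[start]["ts"] > window:
                start += 1
            in_window = attempts[start:end + 1]
            accounts = {e["account"] for e in in_window}
            fails = sum(e["event"] == "login_fail" for e in in_window)
            if len(accounts) >= min_accounts and fails / len(in_window) >= min_fail_ratio:
                flagged.add(ip)
                break
    return flagged


def accounts_to_reset(events, flagged_ips):
    """Accounts that logged in successfully from a flagged source."""
    return {e["account"] for e in events
            if e["event"] == "login_ok" and e["ip"] in flagged_ips}


def suspicious_redemptions(events, flagged_ips, within=timedelta(hours=24)):
    """Point redemptions that follow a successful login from a flagged source."""
    last_bad_login = {}
    hits = []
    for e in events:  # events are in chronological order
        if e["event"] == "login_ok" and e["ip"] in flagged_ips:
            last_bad_login[e["account"]] = e["ts"]
        elif e["event"] == "redeem":
            seen = last_bad_login.get(e["account"])
            if seen is not None and e["ts"] - seen <= within:
                hits.append((e["account"], e["points"]))
    return hits


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    bad = find_stuffing_sources(evts)
    print("flagged sources:", bad)
    print("force reset:", accounts_to_reset(evts, bad))
    print("review redemptions:", suspicious_redemptions(evts, bad))
```

A single user who mistypes a password once (the second source in the sample) stays below both thresholds and is not flagged.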


Chapter 2: Where

Understanding the Hotel Attack Surface and Its Challenges

To anticipate how you might be attacked, you need to know where you might be exposed, targeted or exploited. This is called your “Attack Surface”, and it’s important for organizations to map this surface to effectively identify and defend against cyber threats. Hotels and resorts are no different, and tend to have rather complicated and risky attack surfaces due to a number of factors.


1. Large Quantity of Diverse Endpoints: Hotels have a massive number of endpoints and remote connections within their networks, and they go way beyond desktops and servers. They include Wi-Fi systems, electronic door locks, alarms, HVAC (heating, ventilation and air conditioning) control systems, a wide variety of Internet of Things (IoT) devices and more. All these digital features can become an entry point for cybercriminals into a hotel’s network.

2. Access to the Mothership: Each regional hotel is directly connected to its chain’s entire national and/or global network. That means that hackers need to breach only one regional hotel to gain entry to the entire chain’s network, which is one of the most challenging and severe weaknesses of the industry overall. IT personnel find it hard to maintain a consistent security standard when dealing with so many dispersed networks.

One example of this dependency is a major hotel brand that was breached in 2008 and in 2010, in which hackers penetrated their central reservations database by hacking a single franchised hotel. They later used this connection to the hotel’s central system to steal around 600,000 credit card records from other franchised hotels in the brand.

Figure 2: Hacking Group KelvinSec Team is doxing a resort contractor accused of propagating malware. This post shows that KelvinSec Team has a foothold into this resort’s network.


Figure 3: Forum post offering partial access to various hotel networks as an administrator

3. Lack of Employee Security Awareness: Employees are considered the hospitality industry’s most profound vulnerability. Hotels employ large numbers of workers, most of whom lack cybersecurity awareness; however, many of these workers must interact with computers, hotel systems and guests — who could be threat actors. Hotel employee turnover is often high, and it’s difficult for an operations or IT manager to keep track of user permissions and which staff has access to which systems. Therefore, it only takes one unknowing or lazy employee to make one mistake that could end up in a global breach to the hotel chain.

4. Multiple Systems and Undefined Security Responsibilities: Branded hotels usually consist of at least three parties who run the hotel: The franchisor or “Brand”, the owner (or a group of owners) and the operator which is the management company.

Usually the franchisor is responsible for deciding which hardware/software the owner should install to handle the hotel’s reservations, while the franchisor maintains control over that system. The owner may own separate POS systems for food, beverage, and retail outlets within the hotel. Each of these three entities might have its own data and different computer systems, which often include legacy systems that are unsupported and/or may be left vulnerable.

These entities often interact and exchange information and connect separate computer systems. For example, hotel brands require that their franchised hotels use the brand’s reservation and management computer systems. This centrally connected reservation system extends the attack surface beyond a single hotel’s system.

In addition, many hotels permit interfacing between their own computer systems and those of third-party vendors or credit card processors. This means hotel systems are in some ways dependent upon other entities, while they cannot control those entities’ security measures and practices.


5. High Exposure to Third Parties: Hotels rely on third-party vendors for many key hotel functions. Almost all hotel breaches in the past few years were carried out through third-party companies that provided services to the hotel. Nearly every major hotel chain in the world has suffered a data breach through their POS system. In addition, hotels rely on third-party reservation services like Online Travel Agencies (OTAs), property management, maintenance, human resources, payroll and more. All of these functions have access to hotel systems, and thus become a potential entry point for hackers.

A great example of a third-party attack is the 2017 Sabre Corporation data breach. Sabre is a travel technology company and its central reservation system, called SynXis, was infiltrated. This reservation system was being used by almost all major hotel chains and handled reservations for over 36,000 properties. The breach affected Trump Hotels, Hard Rock Hotels & Casinos, Four Seasons Hotels and Resorts, and more.

6. Impersonation of Recognizable Brands: Hotels need to be worried about more than just being attacked directly. Cybercriminals frequently impersonate big brands online to target their customers, and hotel brands are no exception. Hotels often have loyal customers, many of whom are executives and/or wealthy individuals and make for attractive targets.

Impersonating a hotel brand online is an effective way to phish credentials or other personal information from such individuals, which can then be used to run fraud, drain loyalty program points or carry out further phishing attacks. Hotels and resorts have an obligation to protect their customers from brand impersonation and customer-targeted attacks.

Figure 4: Example of a phishing email impersonating a well-known hotel brand

Figure 5: Phishing website impersonating a hotel brand’s rewards login


Chapter 3: What

Common Cybercriminal Attack Vectors for Hotels

After you understand the extent of your attack surface, you need to understand the tools, tactics and procedures threat actors use to run their attacks. Monitoring external sources will also allow you to operate more proactively by gaining visibility into how threat actors may be planning or coordinating attacks. Take the dark web for example. Many cybercriminals use dark web forums to communicate about new scams and hacking tactics.


IntSights continuously monitors and captures hundreds of thousands of forum posts across the dark web and various hacker channels to spot indications of attack and new threats for our customers. To give some visibility into the dark web chatter surrounding hotels, we analyzed our database of posts over the past year and looked for any mentions of popular hotel brand names. This could include people offering stolen gift cards, posting about leaked data, sharing login credentials or discussing loyalty point fraud tactics.

Figure 6 below is a breakdown of “dark web chatter” for major hotel brands around the world based on content within dark web forum posts. We’ve anonymized the brand names, but you can see that three key hotel brands dominate the chatter found on the dark web.

In addition to coordinating on the dark web, there are many other ways hackers attack hotels. Here are some of the most common vectors used to target the hospitality industry.

Figure 6: Share of mentions on hacker forums for popular hotel brand names. Not surprisingly, the largest hotel brands make up the majority of dark web chatter.


1. Attacks on Point of Sale (POS): Attacks on POS systems are the most common attacks on the hospitality sector because they offer the most direct route to credit cards and financial gains. Modern credit cards have become more secure over the years, but POS systems are still highly vulnerable and often inadequately secured. These systems typically are configured improperly and have weak passwords and/or insecure remote access, opening the door for cybercriminals to easily infect them with card-skimming malware.

Hotels usually delegate their POS security to third-party vendors, which significantly increases the risk of a data breach. In addition, hotel POS systems are complex because they have multiple POS terminal locations − front desk, on-site shops, spa, restaurants, parking etc. − and thus the possible entry points are dispersed and more accessible. Hotels have extensive data stored in their databases, further exposing guests to risk in the event of a successful hack. Since hotels charge all transactions during a stay to a guest’s credit card on file, hackers can also gain access into their buying patterns and potentially exploit that information.

Figure 7: Forum post offering 2.3 million records of full credit card data for sale ($25,000), including names, addresses and phone numbers obtained from USA hotels that were breached. The credit cards were tested for validity by a checker software, as seen in the screenshot.

2. Spear Phishing Attacks: A common attack vector used to target hotels is spear phishing, and especially spear phishing phone calls followed by an email. The “phisher” calls the hotel to complain that he or she is unable to make a reservation on the hotel’s website. The phisher then asks to email their details to the employee with whom they are speaking. The hacker then follows up with an email containing a malicious file and waits until the employee confirms they have opened the file. With the malicious tools deployed, the hacker now has an entry into the hotel network.

3. Wi-Fi Network Attack: Excellent Wi-Fi service has become imperative to a positive guest experience. Unfortunately, public Wi-Fi systems are insecure, as they inherently have fewer security levels than regular wired networks. Unsecured/improperly secured Wi-Fi networks are easy targets for cybercriminals. Although Wi-Fi networks in general have become more secure than ever, the human factor still makes them vulnerable.

Many attacks on hotel Wi-Fi systems are made possible by human error − generally made by employees or hotel guests − but it simply is not feasible for hotels to alert all their employees and guests about security threats. For example, one common danger is a rogue access point (AP), which is a wireless AP that has been installed on a secured network without the authorization of the administrator. This AP might be added by hackers or by an unaware employee. If an employee added it, there is a good chance they would configure it as “open”, or with insufficient security due to lacking IT expertise. This unintentionally enables hackers to access the network. With this rogue AP, hackers can attack the network from the hotel’s lobby or even from a nearby building or parking lot outside the hotel.

Another risk is an evil twin AP, which is a fraudulent Wi-Fi AP that appears to be legitimate. Hackers who are physically inside the hotel or in its vicinity scan the air for the hotel’s AP information such as SSID name, MAC address and Channel number. They use this information to create an AP that appears to be similar to the hotel’s legitimate AP. With this method the hackers are tricking the hotel’s employees and guests into connecting to the evil twin.
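A defender-side check for the rogue AP and evil twin cases described above, as an added example that is not part of the original report: it compares a wireless survey against an inventory of authorized APs using the three attributes the text names (SSID, MAC address and channel), plus security mode and a wired-side MAC list. The hotel name, inventory, survey rows and category labels are constructed, and the code assumes pinned channels and that a rogue AP's wired MAC equals its BSSID.

```python
# Authorized AP inventory (constructed): BSSID -> (SSID, channel, security)
AUTHORIZED = {
    "02:00:00:aa:00:01": ("GrandHotel_Guest", 1, "WPA2"),
    "02:00:00:aa:00:02": ("GrandHotel_Guest", 6, "WPA2"),
    "02:00:00:aa:00:03": ("GrandHotel_Staff", 11, "WPA2-Enterprise"),
}

# MACs learned on switch access ports (constructed). Simplifying assumption:
# an AP's wired MAC equals its BSSID; on real hardware they often differ.
WIRED_MACS = {"02:00:00:bb:00:09"}

# Wireless survey rows (constructed): (SSID, BSSID, channel, security)
SCAN = [
    ("GrandHotel_Guest", "02:00:00:aa:00:01", 1, "WPA2"),
    ("GrandHotel_Guest", "02:00:00:cc:00:77", 6, "OPEN"),
    ("GrandHotel_Guest", "02:00:00:AA:00:02", 11, "WPA2"),
    ("GrandHote1-Guest", "02:00:00:cc:00:78", 1, "OPEN"),
    ("linksys", "02:00:00:bb:00:09", 3, "OPEN"),
    ("CoffeeShop", "02:00:00:dd:00:01", 9, "WPA2"),
]


def normalize(ssid):
    """Fold case, map the digits 0/1 to o/l and drop punctuation so that
    look-alike names collapse to the same string."""
    folded = ssid.casefold().translate(str.maketrans("01", "ol"))
    return "".join(c for c in folded if c.isalnum())


OUR_SSIDS = {ssid for ssid, _, _ in AUTHORIZED.values()}
OUR_NORMALIZED = {normalize(s) for s in OUR_SSIDS}


def classify(ssid, bssid, channel, security, wired_macs=WIRED_MACS):
    """Return one label for a single survey row."""
    bssid = bssid.lower()
    known = AUTHORIZED.get(bssid)
    if known is not None:
        if known == (ssid, channel, security):
            return "authorized"
        # Our MAC address, but SSID, channel or security differs from the
        # inventory: a cloned BSSID (assumes channels are pinned, not auto).
        return "bssid-clone"
    if bssid in wired_macs:
        # Unknown radio whose MAC is also seen on our wired network.
        return "rogue-on-wire"
    if ssid in OUR_SSIDS:
        # Our exact network name from a radio we do not own.
        return "evil-twin"
    if normalize(ssid) in OUR_NORMALIZED:
        return "lookalike-ssid"
    return "neighbor"


def findings(scan):
    """Rows that need investigation, with their labels."""
    labelled = [(classify(*row), row) for row in scan]
    return [(label, row) for label, row in labelled
            if label not in ("authorized", "neighbor")]


if __name__ == "__main__":
    for label, row in findings(SCAN):
        print(f"{label:15} {row}")
```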

Through the hotel Wi-Fi system, hackers can access guests’ laptops or mobile phones. They can use malware to infect guests’ devices, hijack their data, steal passwords to their bank or other accounts and more. The hackers could also breach the hotel’s Wi-Fi systems to steal databases of guests’ information if they are secured inadequately. As an example, APT28 was found using the EternalBlue hacking tool to spy on hotels’ Wi-Fi networks throughout Europe in the summer of 2017.

Another example was in 2015 when a cybersecurity company announced it had discovered a considerable vulnerability in InnGate routers from ANTlabs, a Singapore-based company that supplies routers to hotels and convention centers around the world. With this vulnerability, hackers could have compromised hotels’ Wi-Fi networks and infected any computer connected to the network with malware that would enable them to steal personal information.

4. Ransomware: Ransomware is a common tool used by cybercriminals after finding a vulnerability in a hotel’s systems. After penetrating the system and installing malware, the hackers take control of the hotel’s networks and hijack its data until the hotel pays a ransom in Bitcoin. Ransomware attacks have become well known and widely used, but they have proven to be effective time and time again.

Hackers might attack a hotel’s desktops to infect the computers that are used to code new room keys. But hotels face even greater threats when hackers attack their databases, servers and critical systems, such as the hotel property management system (PMS) or the customer relationship management system (CRM).

Figure 8: Forum post claiming to have admin access to a variety of hotel devices

Attacking these systems has much more influence on the hotel’s ability to function, and can possibly force the hotel to shut down until the ransom is paid.

5. DDoS and Botnet Attacks: According to Akamai’s Summer 2018 State of the Internet, the hospitality industry suffers the most from bot attacks. For these attacks, hackers use botnets of compromised networks to flood critical systems with traffic that in turn crashes the systems. Hotels have a wide variety of devices that are managed by computers − for example CCTVs, sprinklers, HVAC systems, etc. Hackers use these devices to send pulses to other systems on the infrastructure and disable them.

DDoS attacks can shut down hotels’ online ticket booking, billing systems or even their official websites. For example, Trump Hotels’ website suffered a DDoS attack in February 2017. While DDoS attacks can directly impact a hotel’s revenue, they are often used as distractions to hide other attacks, such as data theft.

6. Internet of Things (IoT) Attacks: Hotels and resorts have been some of the early adopters of IoT solutions over the past few years to automate the personalization of their guest experiences. For example, hotels use IoT devices to automatically adjust temperatures based on a guest’s preferences or to register consumption from the minibar. Hotel guests are also encouraged to use their mobile phones for check-in/out, ordering room service and more.

Many of these devices are built without security in mind and by companies that do not necessarily understand the security requirements. For example, when a guest is using their mobile phone to access hotel services, the commands pass through several servers before an action is taken. Hackers can intercept or reroute the information to a malicious server, and the information can also be stolen if it is not secured correctly.


A study by IBM and the Ponemon Institute showed 80 percent of organizations do not test their IoT applications for potential vulnerabilities on a regular basis. Here are a few examples of IoT attacks that have occurred in recent years:

• The electronic key control system at a luxury Austrian hotel was hacked in January 2017. The hackers locked out the hotel’s computer system until the hotel paid ransom and hotel guests were locked out of their rooms until the ransom was paid.

• Cybercriminals breached an IoT connected (a.k.a “smart”) fish tank at a North American casino in 2017. Through a vulnerability in the fish tank’s smart thermometer, the hackers were able to infiltrate the casino’s network. Once inside the network, they were able to access a database of high-roller gamblers and then pull it out of the thermometer and up to the cloud.

7. Brand Impersonation and Customer-Targeted Attacks: Cybercriminals are leveraging popular hotels’ brand presences to impersonate them online and target loyal customers directly. This can take the form of social media impersonation, developing and publishing malicious mobile apps, or posing as hotel employees online offering special discounts and resort packages. Cybercriminals also target rewards programs by accessing customer accounts, emptying rewards balances and using those points for further fraud.

These attacks don’t target a hotel’s corporate systems directly, but still pose huge risks to brand reputation and can lead to financial damages as well. Hotels must monitor these external channels as well to identify brand impersonation and customer-targeted attacks.


Chapter 4: Who

Who Are the Threat Actors Attacking Hotels, Resorts and Casinos?

There are two main categories of threat actors that target the hospitality industry: 1) Cybercriminal Individuals and Groups and 2) Nation-State APTs (Advanced Persistent Threat Groups). For cybercriminals, the incentive for hacking is financial, as they are looking to make a profit from the information they steal. However, APT groups are focused on espionage rather than generating financial profit, so their attack styles and motivations are very different.


Nation State-affiliated hackers have become deeply interested in the hospitality sector because of the valuable data these organizations hold. For example, this data could allow them to gather intelligence on people of interest: Politicians, military personnel, intelligence community personnel and corporate executives. Once they gain access, APTs can collect these people’s PII, track their whereabouts, and even access their electronic devices while they are traveling. They can also learn about their victims’ travel habits, which could be used for future clandestine operations and targeted attacks against them. Even worse, this information can be used for counterintelligence operations to spot, exploit and recruit potential assets.

For example, Chinese intelligence agencies are believed to be behind the Office of Personnel Management breach which exposed the personal data of 20 million U.S. government employees, their family members and applicants. China is also believed to be responsible for the Marriott breach with the goal of collecting intelligence on U.S. citizens. If so, Chinese intelligence could compare the two databases to confirm accuracy and supplement their existing data on known intelligence officers.

The following are famous hacker groups − both APT and cybercrime − that are known for attacking the hospitality industry.

1. APT 28: Also known as Fancy Bear, APT 28 is a Russian cyber espionage group, which attacked various hotels between 2016 and 2017. The group targeted travelers to hotels throughout Europe and the Middle East using spear phishing emails with a malicious document (Hotel_Reservation_Form.doc) that contained the GAMEFISH malware. They also used the EternalBlue exploit to spread laterally through the hotels’ systems once they gained access.

2. Darkhotel Group: This is a South Korean group that has been active since 2007 and went unnoticed for seven years before being discovered by Kaspersky Lab. The primary motivation behind Darkhotel’s attacks has been conducting corporate espionage on CEOs and high-ranking corporate officials visiting hotels. The nature of its attacks and their level of sophistication − including usage of previously unknown vulnerabilities − suggest it is a Nation-State actor.

The group started each of its attacks by compromising the hotel’s Wi-Fi network. When a guest at the hotel connected to the compromised network, the group offered them spoofed software updates containing malware that allowed the hackers to take control of the guest’s computer. In addition, the malware included a keylogger that enabled the hacker to steal usernames and passwords. This group has mostly targeted Asian luxury hotels; however, there were indications it had also attacked hotels in the U.S., Ireland and Germany.

3. China Ministry of State Security (MSS): The recent Marriott breach was attributed to MSS, China’s civilian foreign intelligence agency. According to U.S. government officials, MSS was executing an extensive intelligence-gathering effort with the goal of further developing China’s databases on U.S. citizens.


Figure 9: Malicious phishing email sent by TA555 Group

4. Iranian APT: In February 2014, an unknown Iranian APT group attacked a well-known hotel and casino. The attackers shut down servers and PCs, wiped hard drives and took out key systems, such as those that monitor the payout at the gambling tables and slot machines. In addition, the hackers stole customer data, such as credit card numbers, SSN and driver’s license numbers. The investigators were unable to determine whether the Iranian government was involved. However, it appears unlikely that hackers would be able to conduct such a widespread attack without its knowledge and support.

5. FIN10: This is a financially-motivated criminal group that has been attacking Canadian mining companies and casinos. This group uses targeted spear-phishing emails to lure hotel employees into clicking a link or downloading an infected file that gives the attackers access to the company network.

Once they have access, the group locks the victim's data and holds it for ransom. In March 2016, the group attacked the River Cree Resort and Casino and stole customer and employee information from its systems. In June 2016, the group attacked Cowboy’s Casino and stole the same information as in the previous attack. In November 2016, the group attacked Casino Rama Resort and stole customer, employee and vendor information.

A year after the attack on Cowboy’s Casino, the personal information of employees and customers showed up on the data-sharing website Pastebin. The paste also included information on customers’ gambling habits and payouts.

6. TA555: There is not much information about this APT group. However, security experts have spotted a campaign carried out by this group targeting the hospitality sector in May 2018. The group has been using a new malware downloader called AdvisorBot via malicious email campaigns. The campaign targets are hotels, restaurants and telecom companies, and most of the victims are from the U.S.


Chapter 5: When

Notable Data Breaches in the Hospitality Industry

The following is a list of notable breaches that have taken place across the hospitality industry, organized by the date when the breach was publicly disclosed. You will notice a broad range of both well-known and behind-the-scenes players that were responsible for the breach, including hotel chains, travel websites and backend reservations systems. This shows the variety of vectors the industry can be attacked through, and the wide-reaching consequences of a single breach.


November 30, 2018: Marriott

Marriott International announced it was the victim of a massive cyber breach that began in 2014 and continued until September 8, 2018, when the hotel chain was first alerted to an unauthorized attempt to access its guest reservation database.

The hackers penetrated Starwood’s reservation system in 2014 (a year before Marriott announced its intentions to acquire Starwood) and managed to keep the hack undetected for four years. The hack exposed the data of roughly 383 million guests who made reservations at any of Starwood’s hotels from 2014 until September 2018.

The information included names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest (“SPG”) account information, dates of birth, gender, arrival and departure information, reservation dates and communication preferences. Marriott also confirmed some compromised guest data included payment card numbers and expiration dates.

November 2, 2018: Radisson Hotel Group

Radisson announced it suffered a data breach in its Radisson Rewards database, which affected a small percentage of the Radisson Rewards members. The information compromised included member names, addresses (including countries of residence), email addresses, and, in some cases, company names, phone numbers, Radisson Rewards member numbers and frequent flyer numbers.

August 28, 2018: Huazhu Hotels Group

It was announced that the Chinese police were investigating a data breach at Huazhu Hotels Group, after the group’s data was offered for sale on the Chinese dark web. The breach affected 130 million customers, and more than 500 million pieces of guest-related information were compromised across 13 of Huazhu’s hotel brands. The information breached included names, mobile numbers, login credentials, addresses, dates of birth, credit card numbers and room numbers.

June 26, 2018: Fastbooking

Fastbooking, a French company that sells hotel booking software to more than 4,000 hotels in 100 countries, announced that its software was the victim of a data breach. The breach took place on June 14, 2018, when an attacker exploited a vulnerability in a web application hosted on Fastbooking’s server to install malware. The attacker was able to steal data that included the hotel guests’ first and last names, nationalities, addresses, email addresses, and hotel booking information such as hotel names and check in/check out dates. The attacker also obtained the credit card information of some of the guests.

March 1, 2018: Orbitz

Orbitz, a travel website owned by Expedia, announced it was breached and may have exposed the data of thousands of customers, including information on 880,000 credit cards. The information breached could have also included guests’ full names, dates of birth, phone numbers, email addresses, billing addresses and gender. The company explained that this breach only affected an older website and the platform of an unnamed business partner.

October 2017: Hyatt

Hyatt announced it was the victim of a breach of guest payment card information at 41 of its properties across 11 countries (18 of the hotels affected were in China).

July 6, 2017: Sabre Hospitality Solutions

In June 2017, Sabre Hospitality Solutions, which provides a third-party reservation system for hotels, identified unauthorized access to credit card and reservation information taking place between August 2016 and March 2017. Trump Hotels, Hard Rock Hotels & Casinos, Loews Hotels, Four Seasons Hotels and Resorts, Kimpton Hotels & Restaurants, Club Quarter Hotels, RLH corporation and Roosevelt Hotel reported that they were affected by this breach.


February 3, 2017: InterContinental Hotels Group

IHG announced that restaurants at 12 U.S. hotels were breached between August and December 2016 by malware that was installed on the payment card processors of restaurants at IHG hotels in the U.S. and Canada. In April 2017, it was discovered that more than 1,000 hotels were affected by malware that accessed payment card data.

August 26, 2017: Millennium Hotels & Resorts

Millennium reported that 14 of its U.S. hotels were victims of a data breach between March and June 2016, in which food and beverage POS systems were attacked and compromised.

July 26, 2017: Kimpton Hotels & Restaurants

Kimpton announced the company was breached between February and July 2016. According to the information published, the hackers used POS malware to scrape information from guests’ credit cards.

July 8, 2017: Omni Hotels & Resorts

The company announced it discovered a malware attack on POS systems in various Omni hotels between December 2015 and June 2016. The chain confirmed more than 50,000 customer credit cards at 49 properties were affected.

July 5, 2016: Hard Rock Hotels & Casinos

The hotel chain announced it discovered a data breach in which POS scraping malware targeting the resort was used to steal customers’ credit card information. The breached information included cardholder names, card numbers, expiration dates and verification codes.

April 4, 2016: Trump Hotel Collection

The hotel chain announced its credit card system was breached.

March 4, 2016: Rosen Hotels & Resorts

The company announced it was hit by a breach between September 2014 and February 2016.

October 2015: Trump Hotel Collection

Trump Hotel Collection confirmed a credit card data breach, which affected several Trump properties. Customers’ credit card information was leaked between May 2014 and June 2015.

July 2015: Hilton

Hilton Worldwide hotels faced a data breach that affected the chain’s POS system and took place across two separate timeframes (November to December 2014 and April to July 2015).

November 2015: Starwood Hotel Group

Starwood Hotel Group announced it suffered a cyber-attack in which hackers attacked the POS system in restaurants, shops and gift shops at the hotel and stole credit card information, impacting 54 hotels across the U.S. and Canada.

December 2015: Hyatt

Hyatt suffered a payment card breach affecting 250 of its hotels in 50 countries.

April 2015: White Lodging Services Corporation

This hotel management firm announced a data breach affecting 10 of the properties it manages. The POS systems at the hotels’ restaurants and lounges were attacked by malware.

March 2015: Mandarin Oriental

Mandarin Oriental Hotels experienced a data breach in which hackers stole credit card information of customers who used guest room, spa, beverage, dining room services and products. In addition, the breach affected the sales system of a few properties.

December 2013: Affinity Gaming

Affinity Gaming announced that hackers breached its POS system at a variety of casino locations between March 2013 and October 2013, affecting around 300,000 customers.


Chapter 6: How

How Can Hotels Protect Themselves?

Finally, let’s share how hotels, resorts and casinos can better protect themselves from the onslaught of cyberattacks taking place across the industry. Every cyberattack costs the victims a large sum of money. When a hotel is hit with a data breach, they typically must spend huge amounts of money on legal costs and fines. But this is only half the story.


1. Train and Re-Train Your Staff: At least 95 percent of reported data breaches can be traced to an intentional or unintentional act by a person within − or associated with − the affected organization. A hotel can deploy every state-of-the-art technological protection available, but it only takes one employee clicking on the wrong link to bypass all of those protections.

Just like hotels train their staff on customer service, it is critical they also train employees on cybersecurity best practices and common attack vectors. Employees must be educated, re-educated and alerted to cyberattack attempts. It is the entire staff’s responsibility to keep the hotel safe, both physically and virtually.

2. Strengthen Your Infrastructure (Specifically POS Machines): Hotels must patch and update their systems against known vulnerabilities as frequently as possible to remain protected. When systems on a network are left unpatched, they can be exploited.

In particular, POS systems are the most attackable systems, and this is where hotels need to direct their utmost attention for patching and updates. Here are a few steps hotels should take to ensure their POS systems are secure:

a. Avoid using default or easy-to-guess passwords on their POS systems.

b. Use two-factor authentication, no matter how long or complex passwords are.

c. Ensure antivirus or endpoint protection is installed and up-to-date.

d. Separate the POS network from other networks and track and investigate any anomaly there with greater care.

e. Filter which external IP addresses can reach the remote-access mechanism of the POS controller.

f. Use PCI-Validated Point-to-Point Encryption (P2PE). The PCI SSC (the Payment Card Industry Security Standards Council) asserted that PCI-Validated P2PE is the best solution for stopping POS malware. This solution encrypts credit card data immediately upon swiping or dipping in the payment terminal. Only by encrypting the cardholder’s data can a hotel prevent clear-text data from being present in their network, where hackers can access it in the event of a data breach.

g. Segment Wi-Fi networks by making guest Wi-Fi and business networks separate. This will decrease the potential damage if a hacker is able to penetrate either network.

h. Hotels should deploy Wireless Intrusion Prevention Systems (WIPS) to detect and prevent hacking attempts against the Wi-Fi network.
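Steps d, e and g above can be checked continuously against firewall or flow logs. The following is an added example, not part of the original report: the address ranges, remote-access ports and allowlists are assumptions, and the flow records are constructed samples.

```python
import ipaddress

# Assumed address plan and allowlists (hypothetical; replace with your own).
POS_NET = ipaddress.ip_network("10.20.0.0/24")         # POS terminals + controller
GUEST_WIFI_NET = ipaddress.ip_network("10.50.0.0/16")  # guest Wi-Fi
REMOTE_ACCESS_PORTS = {22, 3389, 5900}                 # SSH, RDP, VNC
ADMIN_ALLOWLIST = [ipaddress.ip_network("203.0.113.16/28")]        # vendor support
POS_EGRESS_ALLOWLIST = [ipaddress.ip_network("198.51.100.10/32")]  # payment processor


def _in_any(ip, nets):
    return any(ip in net for net in nets)


def audit_flow(src, dst, dport):
    """Return the policy findings for one (src, dst, dport) flow record."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    findings = []
    if d in POS_NET and s not in POS_NET:
        if s in GUEST_WIFI_NET:
            findings.append("guest-wifi-to-pos")                    # steps d and g
        elif dport not in REMOTE_ACCESS_PORTS:
            findings.append("unexpected-inbound-to-pos")            # step d
        elif not _in_any(s, ADMIN_ALLOWLIST):
            findings.append("remote-access-from-unlisted-source")   # step e
    if s in POS_NET and d not in POS_NET and not _in_any(d, POS_EGRESS_ALLOWLIST):
        findings.append("pos-egress-to-unlisted-destination")       # step d
    return findings


# Constructed sample flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("203.0.113.20", "10.20.0.5", 3389),   # vendor support range, allowed
    ("192.0.2.77", "10.20.0.5", 3389),     # remote access from unlisted host
    ("10.50.3.14", "10.20.0.8", 445),      # guest Wi-Fi reaching the POS segment
    ("10.20.0.8", "198.51.100.10", 443),   # POS to payment processor, allowed
    ("10.20.0.8", "192.0.2.200", 443),     # POS to unknown destination
    ("10.20.0.8", "10.20.0.5", 1433),      # traffic inside the POS segment
]


def audit(flows):
    """Return only the flows that violate policy, paired with their findings."""
    results = [(flow, audit_flow(*flow)) for flow in flows]
    return [(flow, found) for flow, found in results if found]


if __name__ == "__main__":
    for flow, found in audit(SAMPLE_FLOWS):
        print(flow, "->", ", ".join(found))
```

Any finding here means the segmentation or IP filtering is not enforced as intended and the firewall rule set should be reviewed.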

3. Regulate Vendors: Most cyberattacks on the hospitality industry are carried out through third-party vendors. Third-party vendors are part of the attack surface, and pose a huge risk to the overall security of an organization. Hotels should ensure all vendors meet a compliance standard, and take it upon themselves to regularly assess the risk of their vendors and partners.

4. Threat Hunt Inside Your Network: Because hotels have large digital footprints, hackers try to gain entry into the network any way they can, then move around to find data that’s valuable to them. You must monitor your network traffic to identify suspicious activity and discover potentially unauthorized access.


5. Monitor Externally for Cyber Threats: Just like you should monitor internally, looking externally can help you identify indications that your organization might be targeted or attacked. For example, monitoring paste sites and dark web forums can help you identify if any employee credentials are leaked online, so you can lock down those accounts before a threat actor tries to use them.

External threat monitoring can help you operate proactively and mitigate attacks before they occur.
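As an added example (not from the original report), the credential check described above can be run over text collected from a paste site to list the corporate accounts to lock down. The domain `examplehotel.test` and the paste content are constructed, and the script records only where each account appears, never the leaked secret.

```python
import re

# Assumed corporate mail domain (hypothetical); subdomains are matched too.
CORP_DOMAINS = {"examplehotel.test"}

# An email address, then a ':' ';' '|' or ',' separator, then a non-empty secret.
CRED_RE = re.compile(
    r"(?P<user>[A-Za-z0-9._%+-]+)@(?P<domain>[A-Za-z0-9.-]+\.[A-Za-z]{2,})"
    r"\s*[:;|,]\s*(?P<secret>\S+)"
)


def is_corporate(domain, domains=CORP_DOMAINS):
    """True for an exact domain match or a subdomain, not a look-alike suffix."""
    return any(domain == d or domain.endswith("." + d) for d in domains)


def find_exposed_accounts(paste_text, domains=CORP_DOMAINS):
    """Map each exposed corporate address to the paste lines it appears on."""
    exposed = {}
    for lineno, line in enumerate(paste_text.splitlines(), start=1):
        for m in CRED_RE.finditer(line):
            domain = m.group("domain").lower()
            if is_corporate(domain, domains):
                email = f"{m.group('user').lower()}@{domain}"
                exposed.setdefault(email, []).append(lineno)
    return exposed


def accounts_to_lock(paste_text, domains=CORP_DOMAINS):
    """Sorted, de-duplicated list of accounts that need a reset or lock."""
    return sorted(find_exposed_accounts(paste_text, domains))


# Constructed sample paste content.
SAMPLE_PASTE = """\
# combo list (constructed sample)
j.doe@examplehotel.test:Summer2018!
guest123@othermail.test:qwerty
FrontDesk@mail.ExampleHotel.test | hunter2
J.Doe@examplehotel.test;Winter2017
write to info@examplehotel.test for bookings
someone@notexamplehotel.test:zzz
"""

if __name__ == "__main__":
    for account, lines in find_exposed_accounts(SAMPLE_PASTE).items():
        print(account, "seen on paste lines", lines)
```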

6. Create a Plan: Unfortunately, it’s a matter of when, not if. At least, that’s the approach organizations need to take. Every hotel should have an incident response plan in place if a data breach does occur, which will help speed up the communication and mitigation process. According to IBM’s 2018 Cost of a Data Breach Study, it takes hotels an average of 195 days to identify a data breach. The study also found that breaches that took longer than 100 days to identify cost organizations 35.3 percent more than breaches that took under 100 days to identify.


There is no sign that attacks will slow down across any industry, let alone the Gaming, Leisure and Hospitality industry. We hope this report provides you with a clear look into the current state of the threat landscape for the industry so you can better protect your organization from the latest vectors, techniques and threat actors.