HotelsMag March 2012 | Page 59

TECHNOLOGY: SECURITY
Computer hackers who profit from data theft are always on the hunt for a quick and easy meal, and hotels are currently the low-hanging fruit. According to Verizon’s “2011 Data Breach Investigations Report,” out of 761 surveyed data breaches affecting 3.8 million records, 40% occurred within the hospitality industry.
“Over the last five years the industry has experienced a huge uptick in the amount of attacks — both successful attacks and [failed] attempts,” says Erin Nealy Cox, executive managing director and deputy general counsel for security firm Stroz Friedberg, New York City. “Banks have been targets for decades, and have been tightening their perimeter and getting better at it. So now, hackers are going toward non-financial institutions that aren’t up to speed, like retail and the hospitality industry.”
Most notorious is a string of break-ins that plagued Wyndham Hotel Group, Parsippany, New Jersey. Since 2008, Wyndham was hacked at least three times; one incident saw 41 hotels and records of 21,000 customers compromised, and after each occurrence, Wyndham was fined heavily.
Destination Hotels & Resorts, Englewood, Colorado, was hacked in 2010, exposing up to 21 properties after malicious software was installed remotely; the Westin Bonaventure Hotel & Suites in Los Angeles disclosed possible POS data breaches going as far back as 2009; and between November 2008 and May 2009, some Radisson hotel computers in the United States and Canada were infiltrated.
“That scares me,” says Jeffrey Stephen Parker, vice president of technology for Stout Street Hospitality, Denver, and advisor for the American Hotel & Lodging Association (AH&LA) and Hospitality Financial and Technology Professionals (HFTP). “There are hotel groups that had breaches and they had no policy whatsoever, and now because they need to get caught up immediately, they have million-dollar plans to get in compliance this year. If they’d started four or five years ago, they’d be mostly in compliance now, and they wouldn’t be in such a bad position.”
PCI-DSS standard

For any business conducting credit card transactions, or transmitting and/or retaining customer data, the most widely acknowledged security objective — albeit a stopgap measure, at best — is ensuring Payment Card Industry (PCI) Data Security Standards (DSS) compliance. PCI-DSS has become the starting point for industry-wide security reform, but many entities are still working to get there. The 2011 Verizon forensic report stated that of all the breaches monitored, 89% were perpetrated against businesses that weren’t PCI-DSS compliant.
“PCI compliance requires basically that you need to protect cardholder data. You need to encrypt or make the cardholder data unreadable,” explains Ulf Mattsson, chief technology officer of security firm Protegrity Corp., Stamford, Connecticut. “That is usually where merchants fail. When they do a PCI audit, that is usually the hardest part, and where the attackers are attacking. They get right to the cardholder data.”
Safeguarding data traditionally comes down to encryption, a process that scrambles the information for transmittal, then decodes the data at its destination. Although currently the gold standard, encryption is expensive