Symantec issued a report yesterday finding that two thirds of hotel websites inadvertently leak guests’ booking details and personal data to third-party sites, including advertisers and analytics companies. The study, which looked at more than 1,500 hotel websites in 54 countries ranging from two-star to five-star properties, comes several months after Marriott International disclosed one of the worst data breaches in history; Symantec said Marriott was not included in the study. The research showed that the leak usually occurs when a hotel sends a confirmation email containing a link that points directly to the booking: the booking reference code is carried in that link, and when the guest opens it the code can be shared with more than 30 different service providers whose resources are loaded on the page, including social networks, search engines, and advertising and analytics services.
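The usual path for a reference code in a page URL to reach third parties is the browser’s Referer header (and any embedded script that reads the page address). The following is an added example, not code from the Symantec report or from any hotel site: it computes, for a constructed confirmation URL and a constructed set of embedded resources, which third-party hosts would receive the booking reference under each value of the Referrer-Policy header, and shows the client-side scrub a site can apply before third-party scripts run. The parameter name `booking_ref`, the hostnames and the resource list are assumptions made for the demonstration.

```javascript
// Added example: models the Referer a browser sends from a hotel confirmation page
// whose URL carries the booking reference, under each Referrer-Policy value, and a
// client-side scrub of that URL. Parameter name, hosts and resources are constructed.

// Constructed confirmation-page URL of the kind a booking e-mail links to.
const CONFIRMATION_URL =
  "https://www.example-hotel.test/booking/confirm?booking_ref=ABC12345&email=guest%40example.test";

// Constructed third-party resources embedded on that page.
const EMBEDDED_RESOURCES = [
  "https://analytics.example-tracker.test/collect.js",
  "https://ads.example-adnetwork.test/pixel.gif",
  "http://cdn.example-widget.test/chat.js",        // plain HTTP: an https->http downgrade
  "https://www.example-hotel.test/static/app.js",  // first party, never counted as a leak
];

// Referrer value "full URL": credentials and fragment are always stripped.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

function originOf(url) {
  return new URL(url).origin + "/";
}

function isDowngrade(from, to) {
  return new URL(from).protocol === "https:" && new URL(to).protocol === "http:";
}

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Referer header the browser sends for a request from documentUrl to requestUrl
// under the given policy (null = no header), following the Referrer Policy spec.
function referrerFor(documentUrl, requestUrl, policy) {
  const full = stripForReferrer(documentUrl);
  const origin = originOf(documentUrl);
  const downgrade = isDowngrade(documentUrl, requestUrl);
  const same = sameOrigin(documentUrl, requestUrl);
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "same-origin": return same ? full : null;
    case "origin": return origin;
    case "strict-origin": return downgrade ? null : origin;
    case "origin-when-cross-origin": return same ? full : origin;
    case "strict-origin-when-cross-origin":
      if (same) return full;
      return downgrade ? null : origin;
    default:
      throw new Error("unknown Referrer-Policy: " + policy);
  }
}

// Third-party hosts whose Referer would contain the value of paramName.
function hostsReceivingReference(documentUrl, resources, policy, paramName) {
  const ref = new URL(documentUrl).searchParams.get(paramName);
  const leaked = [];
  for (const r of resources) {
    if (sameOrigin(documentUrl, r)) continue;
    const referer = referrerFor(documentUrl, r, policy);
    if (ref !== null && referer !== null && referer.includes(ref)) leaked.push(new URL(r).host);
  }
  return leaked;
}

// Client-side mitigation: drop sensitive query parameters from the address before
// any third-party script runs. In a browser this is applied with
//   history.replaceState(null, "", scrubUrl(location.href, ["booking_ref", "email"]))
function scrubUrl(url, sensitiveParams) {
  const u = new URL(url);
  for (const p of sensitiveParams) u.searchParams.delete(p);
  return u.href;
}

for (const policy of ["no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"]) {
  console.log(policy, "->", hostsReceivingReference(CONFIRMATION_URL, EMBEDDED_RESOURCES, policy, "booking_ref"));
}
console.log("scrubbed:", scrubUrl(CONFIRMATION_URL, ["booking_ref", "email"]));
```

Under `no-referrer-when-downgrade` (the browser default at the time of the report) every HTTPS third party receives the full URL including the reference; `strict-origin-when-cross-origin` or `no-referrer` reduces that to the origin or nothing. A Referrer-Policy header alone does not stop a tracking script that reads `location.href` and posts it, which is why the scrub (or not placing the reference in the URL at all) is the stronger fix.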
Expert Comments:
Warren Poschman, Senior Solutions Architect with comforte AG:
“Of late, the hotel industry has been bearing the brunt of many of the data breaches, and I expect the trend to not abate any time soon, which is why they need to start taking action now.
The problem that hotels have is clearly the large amount of data they have in their data warehouses. Like other softer targets such as localities and state governments, they maintain numerous and detailed information on clientele because they need it. But having lots of data isn’t really the problem – it’s the challenges of the industry.
A key issue the hotel industry faces is having open systems with large numbers of franchisees. The hotel industry is largely run on a franchise model, with each hotel having some latitude on how they run their house with their own local partners while having access to the central systems. This makes the chance of introducing threats and attacks so much more possible than it is in the closed systems of banks and payments and, as retail and restaurants have found, these threats are hard to contain even with rigorous enforcement of front-of-house systems.
Hotels have a lot of security choices, including strengthening firewalls, intrusion detection, encrypting data, and limiting access to data through access controls. But focusing on infrastructure, perimeter and intrusion detection is a losing battle, since these measures only protect you from the threats you know about and don’t offer any protection once compromised or circumvented. Furthermore, many of the hotel chains have heavily invested in passive, data-at-rest encryption protection for their storage, databases, and data warehouses – which doesn’t address the current threat vectors and gives a false sense of security.
The key is to think about what the attackers are after at the hotel chains – the data warehouse – and how that great resource can be used while preventing abuse. Adopting a data-centric security model allows for the data to be protected as it is acquired and traverses the organization and, when an attacker gains access through the perimeter, the risk that the actual personal data will be exposed is dramatically reduced. Data-centric protection using technologies like tokenization allows the organization to use the protected data for their operations, analytics and data sharing, meaning that any exfiltrated data would be useless tokens and not a data breach. Guest safety and privacy have to extend through the full environment, not just the front doors!”
Lisa Baergen, VP of Marketing at NuData Security:
“User experience and security still seem to be at odds for many hospitality websites. In an effort to make information easily accessible to third parties and customers, some companies lower their security measures, which exposes customer data. Hotels and other hospitality companies should work on securing their digital supply chains, reassess the security measures protecting their customers’ data, and have post-breach processes ready. After a breach happens, hospitality companies need to be ready to mitigate the damages by correctly authenticating their good users despite hackers potentially leveraging stolen credentials. This sort of data exposure is why so many organizations – from the hospitality sector through to eCommerce companies, financial institutions, and major retailers – are layering in advanced security solutions, such as passive biometrics and behavioral analytics that identify customers by their online behavior, thus mitigating post-breach damage as hackers are not able to impersonate individual behavior.”
Tim Dunton, MD at Nimbus Hosting:
“Consumers should feel safe and secure when they hand over their personal information into a business’s website. Unfortunately, it is becoming increasingly apparent that some websites lack the basic security measures required to prevent such information from being exploited by cyber criminals.
“In the age of GDPR, and at a time when consumerism exists almost entirely online, exploitable websites and a lack of basic cyber security measures are simply not acceptable. Moving forward, it is essential that all businesses begin to understand the full implications of not protecting their customers’ data, and start taking proactive measures to ensure hackers cannot access sensitive information by exploiting outdated websites and unregulated IT systems.”
Martin Jartelius, CSO at Outpost24:
“Cross-domain content includes site tracking scripts and site optimization platforms, which are notorious for causing leaks such as these. However, it is great to see that discussions to rectify this are surfacing. We have seen sites exfiltrate not only this form of personal data but also other data, including credit cards. Over the last few years, a range of breaches have been caused by supply chain or dependencies on platforms managed by others. However, with the amount of information crossing organizations’ trust boundaries, there does not seem to be a substantial amount of consideration related to confidentiality and privacy. This also happens to be one of the issues with domains that GDPR was designed to address. Hopefully we will see future developments taking this on as privacy-by-design settles in as a concept.”
Naaman Hart, Cloud Services Security Architect at Digital Guardian:
“Ultimately these companies are letting their customers down as they should require more thorough authentication. A simple addition would be two-factor authentication via a phone call or SMS.
“These companies already require your phone number so they could use it for two-factor authentication on top of your email. This wouldn’t impede their existing process and ‘ease of use’ but it would significantly bolster the security requirements of these services.
“These companies want to appear easy to use, but they’re putting their customers at risk by doing so. There are ways of not requiring someone to have a full-on account with a username and password but still being secure. Just look at the ease of setup of services like WhatsApp, where you simply register your phone number and they confirm it via text. No one thinks that’s a protracted process, and it’s significantly more secure than a 5-digit booking number and an email address.
“Hotels desperately need to get up to speed with security, as it’s still a common occurrence for them to photocopy your passport and physically note down your credit card details when you visit and store it in a manual file in a cupboard. Yes, GDPR should be all over this, but hotels are so behind in their processes it’s laughable. If GDPR requires proof of data destruction on request, are they going to send us a video of them shredding the paper? Who knows, but it puts into perspective why they’re clearly struggling.”
Matan Or-El, CEO at Panorays:
“Recent research indicating that hotel websites leak guest booking information is concerning for two reasons:
First, because it’s difficult for users to track what they are sharing with each third party.
Second, because it’s not clear how the third parties are sharing that information, and whether they are further sharing that information with other parties. Does the hotel that gave consent to the third party know that this data is going to be propagated throughout nth parties?
The problem that the hotels now face is that if there’s going to be a breach at one of these parties, it’s the hotel brand that will be tarnished because the user provided the information to the hotel. For this reason, it’s crucial that the hotels perform a thorough risk assessment of their supply chain ecosystem.”
Pravin Kothari, CEO at CipherCloud, has advice for organizations:
“You should be aware that your data will be leaked in some capacity when using email. You should ensure appropriate measures are in place to keep your data protected.
You should wrap your email service and such cloud applications with a layer of a “security broker” to provide the necessary security solutions such as rights management, end-to-end data protection, and local key management to protect sensitive data.
All applications, including such email services, should always encrypt personally identifiable information (PII), never leaving it in the clear. With the growing number of regulations on data privacy of individuals, such as EU GDPR (the General Data Protection Regulation), HIPAA, PCI, and the California Consumer Privacy Act of 2018, exposing such PII data opens the organization to breaches, reputational damage as well as stiff penalties.
Security tools that automatically protect your data, such as data loss prevention (DLP) and digital rights management (DRM), help secure the sensitive information. Select vendors that support end-to-end data protection for your email and cloud applications.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.