Symantec issued a report yesterday that two-thirds of hotels inadvertently leak guests’ booking details and personal data to third-party sites, including advertisers and analytics companies. The study, which looked at more than 1,500 hotel websites in 54 countries that ranged from two-star to five-star properties, comes several months after Marriott International disclosed one of the worst data breaches in history. Symantec said Marriott was not included in the study. The research showed that the leaks usually occur when a hotel site sends a confirmation email containing a link that leads directly to the booking details. The reference code attached to the link could be shared with more than 30 different service providers, including social networks, search engines and advertising and analytics services.
Expert comments:
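One channel by which a booking reference carried in a confirmation-page URL reaches the advertising and analytics providers embedded on that page is the HTTP Referer header. The added example below (my own code, not from the Symantec report or this article) models what a browser sends under each Referrer-Policy value and lists which third-party hosts would receive the reference; the page URL, hosts and secrets are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed sample: confirmation page whose URL carries the booking
# reference, plus the resources that page embeds (hypothetical hosts).
PAGE_URL = "https://hotel.example/confirm?ref=ABC12345&email=guest%40example.org"
EMBEDDED_REQUESTS = [
    "https://analytics.example.net/collect?v=1",
    "https://ads.example.com/pixel.gif",
    "https://hotel.example/static/logo.png",     # same origin, not a third party
    "http://cdn-insecure.example.org/track.js",  # https -> http downgrade
]
SECRETS = ["ABC12345", "guest%40example.org"]   # values that must not leave the site

def referer_for(page_url, target_url, policy):
    """Referer value a browser sends for target_url, per the Referrer-Policy spec."""
    page, target = urlsplit(page_url), urlsplit(target_url)
    full = f"{page.scheme}://{page.netloc}{page.path}" + (f"?{page.query}" if page.query else "")
    origin = f"{page.scheme}://{page.netloc}/"
    same_origin = (page.scheme, page.netloc) == (target.scheme, target.netloc)
    downgrade = page.scheme == "https" and target.scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":        # legacy browser default
        return None if downgrade else full
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":   # current browser default
        if same_origin:
            return full
        return None if downgrade else origin
    raise ValueError(f"unknown Referrer-Policy: {policy}")

def leaking_hosts(page_url, requests, policy):
    """Third-party hosts whose Referer header would carry one of SECRETS."""
    site = urlsplit(page_url).netloc
    leaks = []
    for url in requests:
        host = urlsplit(url).netloc
        ref = referer_for(page_url, url, policy)
        if host != site and ref and any(s in ref for s in SECRETS):
            leaks.append(host)
    return leaks
```

Referrer-Policy only governs the header; a tag script that reads location.href and sends it in its own request is unaffected, so the durable fix is to keep the reference out of the URL (for example, behind a login or a short-lived token) rather than rely on the policy alone.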
Warren Poschman, Senior Solutions Architect with comforte AG:
“The problem that hotels have is clearly the large amount of data they have in their data warehouses. Like other softer targets such as localities and state governments, they maintain extensive, detailed information on clientele because they need it. But having lots of data isn’t really the problem – it’s the challenges of the industry.
A key issue the hotel industry faces is having open systems with large numbers of franchisees. The hotel industry is largely run on a franchise model with each hotel having some latitude on how they run their house with their own local partners while having access to the central systems. This makes the chance of introducing threats and attacks so much more possible than it does in the closed systems of banks and payments and, as retail and restaurants have found, these threats are hard to contain even with rigorous enforcement of front-of-house systems.
Hotels have a lot of security choices including strengthening firewalls, intrusion detection, encrypting data, and limiting access to data through access controls. But, focusing on infrastructure, perimeter and intrusion detection is a losing battle since these measures only protect you from the threats you know about and don’t offer any protection once compromised or circumvented. Furthermore, many of the hotel chains heavily invested in passive, data-at-rest encryption protection for their storage, databases, and data warehouses – which doesn’t address the current threat vectors and gives a false sense of security.
The key is to think about what the attackers are after at the hotel chains – the data warehouse – and how that great resource can be used while preventing abuse. Adopting a data-centric security model allows for the data to be protected as it is acquired and traverses through the organization and, when an attacker gains access through the perimeter, the risk that the actual personal data will be exposed is dramatically reduced. Data-centric protection using technologies like tokenization allows the organization to use the protected data for their operations, analytics and data sharing, meaning that any exfiltrated data would be useless tokens and not a data breach. Guest safety and privacy have to extend through the full environment, not just the front doors!”
Lisa Baergen, VP of Marketing at NuData Security:
Tim Dunton, MD at Nimbus Hosting:
“In the age of GDPR, and at a time when consumerism exists almost entirely online, exploitable websites and a lack of basic cyber security measures is simply not acceptable. Moving forward, it is essential that all businesses begin to understand the full implications of not protecting their customer’s data, and start taking proactive measures to ensure hackers cannot access sensitive information by exploiting outdated websites and unregulated IT systems.”
Martin Jartelius, CSO at Outpost24:
Naaman Hart, Cloud Services Security Architect at Digital Guardian:
“These companies already require your phone number so they could use it for two-factor authentication on top of your email. This wouldn’t impede their existing process and ‘ease of use’ but it would significantly bolster the security requirements of these services.
These companies want to appear easy to use but they’re putting their customers at risk by doing so. There are ways of not requiring someone to have a full-on account with a username and password but still being secure. Just look at the ease of setup of services like WhatsApp where you simply register your phone number and they confirm it via text. No one thinks that’s a protracted process and it’s significantly more secure than a 5-digit booking number and an email address.
“Hotels desperately need to get up to speed with security as it’s still a common occurrence for them to photocopy your passport and physically note down your credit card details when you visit and store it in a manual file in a cupboard. Yes, GDPR should be all over this but hotels are so behind in their processes it’s laughable. If GDPR requires proof of data destruction on request, are they going to send us a video of them shredding the paper? Who knows, but it puts into perspective why they’re clearly struggling.”
Matan Or-El, CEO at Panorays:
First, because it’s difficult for users to track what they are sharing with each third party.
Second, because it’s not clear how the third parties are sharing that information, and whether they are further sharing that information with other parties. Does the hotel that gave consent to the third party know that this data is going to be propagated throughout nth parties?
The problem that the hotels now face is that if there’s going to be a breach at one of these parties, it’s the hotel brand that will be tarnished because the user provided the information to the hotel. For this reason, it’s crucial that the hotels perform a thorough risk assessment of their supply chain ecosystem.”
Pravin Kothari, CEO at CipherCloud, has advice for organizations:
“You should wrap your email service and such cloud applications with a layer of a “security broker” to provide the necessary security solutions such as rights management, end-to-end data protection, and local key management to protect sensitive data.
All applications including such email services should always encrypt personally identifiable information (PII), never in the clear. With the growing number of regulations on data privacy of individuals, such as the EU GDPR (General Data Protection Regulation), HIPAA, PCI, and the California Consumer Privacy Act of 2018, exposing such PII data opens the organization to breaches, reputational damage as well as stiff penalties.
Security tools that automatically protect your data such as data loss prevention (DLP) and digital rights management (DRM) help secure the sensitive information. Select vendors that support end-to-end data protection for your email and cloud applications.”