Scammers are tricking customers of one of the world's most famous hotels into giving up their credit card details. The Ritz London posted several tweets on the discovery of an apparent breach of its food and beverage reservation system that "may have compromised some of our clients' personal data," and is now investigating the matter. The cybersecurity experts below commented on the danger of such scams and the best strategies for defending against them.
This is an interesting example of how seemingly trivial information can be used in ways we did not anticipate: the fact here is that an attacker, by learning information you thought was entrusted only to a certain organisation, uses that information to aid in committing fraud against the victims. It plays on both having this information and the ability to apply a degree of social pressure, as the information is "needed" to help the victim with their booking; so a victim not only feels the identity of the caller is established, they are also in a socially uncomfortable situation of having to refuse information to someone who is only helping them out, which is awkward to most.
The Ritz Hotel is notifying customers that its food and beverage booking system has been compromised. Such a highly prestigious hotel will likely have some high-profile clients' information stored on this system. It's not known how the data was accessed, and details are still emerging. Although no credit card details seem to be included in the stolen data, hackers still have huge amounts of personal details, contact details, and of course the details of reservations. The fear must be that unsuspecting customers will be contacted by the hackers to "confirm" bookings and tempted into handing over credit card details. Using this data in further cyberattacks is, unfortunately, becoming a reality, as has been seen in a spate of recent spearphishing attacks. Spearphishing is the evolved concept of phishing campaigns (mass spam emails or phone calls) that are tailored towards individuals. It uses personal information, or imitates somebody the individual trusts, like someone claiming to be from the Ritz Hotel, for example.
Yet again, another well-known brand is at the heart of a cyber attack involving customer data. It appears that social engineering has taken place on The Ritz diners using compromised details. The incident is a stark reminder to The Ritz, and indeed any organization that holds customer data, of the critical need for good data hygiene. The Ritz will undoubtedly be launching its own investigation and I expect it will be working closely with those impacted to resolve the situation. I also expect that they will share their findings with a wider audience as appropriate and as further details emerge.
Whilst this may not be an example of a multi-million-pound breach, it shows again that data has a value and no one is immune to the attention of cybercriminals. It is therefore essential to have robust policies, procedures, and education, along with enabling technology, in place to mitigate risk and minimise impact when, not if, breaches occur.
If in doubt, organisations should work with a trusted specialist to ensure all cybersecurity practices are appropriate to their organisation. In general, businesses and individuals should be very clear that if someone you don't know calls you and asks you for sensitive information, take their details and call them back on a trusted number. It is vital that you do not share personal information with anyone you cannot verify.
Cybercriminals are opportunists – once these individuals have gained access to information, they are likely to leverage this for financial gain. This information can often be used in social engineering tactics, be it phishing, smishing, vishing, etc., and the more information they have, the more convincing the attempt. Individuals should be vigilant at all times of any attempt to ascertain sensitive data such as banking information. If in doubt, contact the source directly.
Compromising systems is usually one half of any hack. The second part is knowing how to monetise the information. In many cases, information relating to individuals can be used to launch social engineering attacks against the victims. This can range from sending phishing emails to physical mail, text messages, or phone calls. Because the criminals have access to sensitive information, they can sound very convincing, and it can make it very difficult for people to identify it as fraudulent activity.
In today's connected world, it is far too easy for criminals to get personal information on individuals from any number of sources. Therefore, people should always be wary of any call claiming to be from their bank or trusted reseller and should refrain from giving financial or other sensitive information over calls that they have not initiated themselves. When in doubt, they should end the call and phone the provider themselves using a known number.