Following the news that:
Holiday Inn hotels hit by cyber-attack (BBC News)
Cyber security experts reacted below.
This is not the first time a hotel chain has been attacked. From a criminal business perspective, it makes a good target. Hotels will typically have invested less in security compared to other industries such as finance, yet hold extremely sensitive personal information of their customers which includes travel information, passport numbers, credit card details, among others. While details are limited at the moment as to the exact nature of the attack and whether any data was compromised, it’s a reminder for the travel and hospitality industry to remain vigilant against cyber attacks and to have relevant controls in place to protect, detect, and respond to attacks.
Although we don’t know for sure that this was a ransomware attack, it seems the most likely scenario. Organisations, like Holiday Inn, that process large volumes of personal data are a common target for ransomware attacks. It’s not hard to see why; all that customer data makes for a potentially bounteous ransom for cybercriminals.
However, Holiday Inn should be commended for reacting quickly to this incident. Implementing a proper response plan, calling in the experts within hours of the breach and notifying the authorities quickly is something all businesses should aspire to.
This is the latest high-profile attack to impact the hotel sector which has been increasingly targeted in recent times. Financially motivated attackers see hotels as valuable targets due to the vast amount of customer payment card details that they hold. It’s also common to see them leverage hotel loyalty and reward points to fund cyber activities in the criminal underground. There is no doubt that hotels have a target on their back, so their security standards need to be top notch.
This is the second high-profile attack on IHG since 2017, when the company experienced a security breach that caused disruption for three months, so it raises the question of whether security processes were adequately updated following the previous attack. As IHG grapples with this latest incident, it needs to analyse all the devices connected to the corporate network to find any problematic ones and then take appropriate action to mitigate any further risk. This could include rolling out a patch or removing certain devices from the network. The problem is, most organisations do not have this level of visibility due to the complexity of their IT environments and the number of different tools that they are using. They can’t fix an issue that they can’t see, so this area is vital.
Another important measure that helps to avoid these types of attacks is having the right company culture. This should prioritise cybersecurity and encourage business stakeholders to work regularly in partnership with IT operations and security professionals. You can’t always stop a sophisticated cyber-attack, but by working together to maintain a good standard of IT hygiene and establishing effective employee awareness training you can certainly make it more difficult for the attackers to be successful.
Hindsight is a wonderful thing, but businesses should be more than prepared for the risk of a cyber-attack, and whilst they can’t always be prevented, they can be prepared for the aftermath. With the details and systems required by an organisation such as IHG, having an effective backup strategy in place will make recovery somewhat smoother. Organisations should embrace the ‘3-2-1 rule’: have at least three copies of data, on at least two different media, with at least one copy offsite and, with ransomware so prevalent, offline and encrypted. Data should be backed up regularly, and automatically where possible, to ensure quick recovery and restoration. One of the most straightforward ways to create offline backups is to store files on high-capacity external hard drives and USBs, which can be disconnected from the network to create an air gap between information and threat. Again, in line with data privacy compliance, these should be encrypted where appropriate.
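The ‘3-2-1 rule’ above is easy to state and easy to drift away from once a backup job is renamed, an external drive is left plugged in, or a copy quietly stops running. The script below is an added example (not code from the article or from IHG) that audits a backup inventory against the rule: at least three copies, on at least two media, at least one offsite, at least one offline, every copy encrypted, and none older than a chosen limit. The inventory format (a list of records with medium, location, offline, encrypted and age fields) and the sample records are assumptions constructed for this illustration.

```python
"""Audit a backup inventory against the 3-2-1 rule (3 copies, 2 media,
1 offsite) plus the offline, encrypted and freshness requirements.

Added example; the inventory schema below is an assumption, not a real
product's export format.
"""

# Constructed sample inventory: three copies, one of which is an unencrypted
# USB drive whose last successful run is over a week old.
SAMPLE_INVENTORY = [
    {"name": "nightly-nas", "medium": "disk", "location": "onsite",
     "offline": False, "encrypted": True, "age_days": 0},
    {"name": "cloud-object-store", "medium": "cloud", "location": "offsite",
     "offline": False, "encrypted": True, "age_days": 0},
    {"name": "weekly-usb", "medium": "usb", "location": "onsite",
     "offline": True, "encrypted": False, "age_days": 9},
]


def audit_321(inventory, max_age_days=7):
    """Return (passed, findings) for a list of backup copy records.

    `passed` is True only when every rule holds; `findings` lists each
    violation in plain language so it can go straight into a ticket.
    """
    findings = []
    copies = len(inventory)
    media = {c["medium"] for c in inventory}
    offsite = [c["name"] for c in inventory if c["location"] == "offsite"]
    offline = [c["name"] for c in inventory if c["offline"]]

    # The "3-2-1" counts.
    if copies < 3:
        findings.append(f"only {copies} copies (need at least 3)")
    if len(media) < 2:
        findings.append(f"only {len(media)} distinct media (need at least 2)")
    if not offsite:
        findings.append("no offsite copy")
    # Ransomware that reaches a mapped share reaches every online copy on it,
    # so at least one copy must be disconnected (air-gapped).
    if not offline:
        findings.append("no offline (air-gapped) copy")

    # Per-copy checks: encryption and freshness.
    for c in inventory:
        if not c["encrypted"]:
            findings.append(f"copy '{c['name']}' is not encrypted")
    for c in inventory:
        if c["age_days"] > max_age_days:
            findings.append(
                f"copy '{c['name']}' last completed {c['age_days']} days ago "
                f"(limit {max_age_days})"
            )
    return (not findings), findings


if __name__ == "__main__":
    ok, problems = audit_321(SAMPLE_INVENTORY)
    print("PASS" if ok else "FAIL")
    for p in problems:
        print(" -", p)
```

Run it against a real catalogue by replacing `SAMPLE_INVENTORY` with records exported from the backup tool; the useful part is that a single stale or unencrypted copy fails the whole audit, which is how the rule has to be read when the goal is recovering from ransomware rather than from a disk failure.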
We don’t yet know what happened at IHG, but hotel systems are very complex and often include external suppliers, for example for heating systems, booking systems, CCTV and much more. Every hotel location depends on a wider range of IT systems from booking to payment to stock control, but they typically don’t have local IT support. That’s why it’s critical that foundational protections are in place such as ensuring staff only have the least level of permissions or access needed to get their work done, that external access is tightly controlled and monitored, and user accounts are constantly reviewed and updated as staff join or leave the hotel.
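The three controls named above (least privilege, controlled external access, and account review as staff join or leave) can be checked from two exports a property without local IT support can still obtain: the HR roster and the directory's account list. The script below is an added example (not code from the article or from IHG) that joins the two and flags accounts whose owner has left, accounts holding groups beyond their role's baseline, and supplier accounts that have not been re-reviewed within a set number of days. The role baseline, roster, account records and review dates are all constructed for this illustration.

```python
"""Joiner/leaver and least-privilege review for a single property.

Added example; the roster, directory export and role baseline below are
constructed assumptions, not data from any real hotel or identity system.
"""
from datetime import date

# Constructed role baseline: the groups each job actually needs.
ROLE_BASELINE = {
    "front_desk": {"booking_app", "payments_terminal"},
    "housekeeping": {"room_status"},
    "manager": {"booking_app", "payments_terminal", "room_status", "reports"},
}

# Constructed HR roster: current employment status per user id.
ROSTER = {
    "asmith": {"role": "front_desk", "status": "active"},
    "bjones": {"role": "housekeeping", "status": "active"},
    "clee": {"role": "manager", "status": "left"},
}

# Constructed directory export: accounts as the identity system sees them.
ACCOUNTS = [
    {"user": "asmith", "type": "staff", "last_review": date(2022, 8, 1),
     "groups": {"booking_app", "payments_terminal"}},
    {"user": "bjones", "type": "staff", "last_review": date(2022, 8, 1),
     "groups": {"room_status", "reports"}},
    {"user": "clee", "type": "staff", "last_review": date(2022, 8, 1),
     "groups": {"booking_app", "payments_terminal", "room_status", "reports"}},
    {"user": "oldtemp", "type": "staff", "last_review": date(2022, 3, 1),
     "groups": {"booking_app"}},
    {"user": "hvac-vendor", "type": "external", "last_review": date(2022, 1, 15),
     "groups": {"bms_remote"}},
]


def review_accounts(accounts, roster, baseline, today, external_review_days=90):
    """Return a list of plain-language findings, one per problem account."""
    findings = []
    for acct in accounts:
        user = acct["user"]

        # Supplier accounts are not in HR; they must be re-approved on a cycle.
        if acct["type"] == "external":
            age = (today - acct["last_review"]).days
            if age > external_review_days:
                findings.append(
                    f"{user}: external access not reviewed for {age} days "
                    f"(limit {external_review_days})"
                )
            continue

        # Leaver check: no roster entry, or roster says they have left.
        person = roster.get(user)
        if person is None or person["status"] != "active":
            findings.append(f"{user}: no active employee behind this account (disable)")
            continue

        # Least-privilege check: anything beyond the role baseline is excess.
        excess = acct["groups"] - baseline[person["role"]]
        if excess:
            findings.append(
                f"{user}: groups beyond {person['role']} baseline: {sorted(excess)}"
            )
    return findings


if __name__ == "__main__":
    for line in review_accounts(ACCOUNTS, ROSTER, ROLE_BASELINE, date(2022, 9, 7)):
        print(line)
```

The order of the checks matters: a departed employee's account is reported for disabling regardless of its groups, because trimming privileges on an account nobody owns is the wrong fix. Running this on each roster change, rather than at a yearly audit, is what turns "accounts are reviewed as staff join or leave" from a policy line into something that actually happens.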
Information Security Buzz (aka ISBuzz News) is an independent resource that provides experts’ comments, analysis and opinion on the latest Information Security news and topics.