Following news that Hyatt has published a list of all its hotels hit by malware, please find below a comment from David Emm, principal security researcher at Kaspersky Lab.
David Emm, Principal Security Researcher at Kaspersky Lab:
That Hyatt has published a list of all its hotels hit by malware that was found on its customer payments system last year is certainly a step in the right direction in terms of data breach transparency by large organisations.
In addition, the fact that the hotel chain has teamed up with a security firm to give its customers who have stayed at one of its compromised hotels free security protection for one year demonstrates that companies holding customer data do recognise that they have a huge responsibility to keep it safe, and make sure it doesn’t fall into the wrong hands.
Unfortunately, for anyone affected by the breach, this response has come too late and highlights that businesses and consumers need to consider security procedures before a data breach forces them to – prevention is always better than cure.
In an incident such as this, lead times between the breach taking place and the business in question discovering whether cybercriminals have customer data at their disposal, coupled with the lead time between the business finding out and notifying the customers, can equate to a long time resulting in lots of damage.
There are a number of risks that all organisations that transact online need to consider. For example, cybercriminals can use phishing messages to redirect customers to fake websites, they can install malware on customer computers to steal their account details and passwords, or they can use malware to intercept financial transactions and create fraudulent transactions.
Any business that handles financial transactions has a responsibility to secure the personal data of its customers, in addition to securing its own data. This must start with securing web-based transactions. It must also include hashing and salting of passwords and encryption of other personal data, so if they are to experience a breach, its customers feel safer in the knowledge that the data is encrypted. To further reduce the risks, it’s important that they implement anti-fraud monitoring technologies to analyse a customer’s behaviour during online transactions and to detect other suspicious activity within their IT infrastructure. This mitigates the risks of a possible lack of security at the customer’s endpoint, over which they have no direct control.
In light of the upcoming EU data legislation which will force companies to disclose data breaches, organisations need to begin to consider how they may deal with such an attack.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.