Hyatt Breach: Lessons for Asia
Experts Weigh in on Security Challenges in Hospitality
Hyatt Hotel Corp. announced that it concluded investigations into point-of-sale malware infections at 250 properties worldwide. On the list of affected properties are 20 of the 23 hotels it runs in India - roughly 90 percent of its Indian portfolio - as well as three each in Malaysia, Hong Kong and Thailand, eight in the UAE and 18 other properties in APAC (see: Hyatt Breach: 250 Hotels, 50 Countries).
Hyatt publicly disclosed the breach on Dec. 23. The Chicago-based hotel chain tells Information Security Media Group that it hired third-party digital forensic firms Mandiant and Kroll to help it investigate and remediate the intrusion. The chain says that anyone who used a payment card at one of the affected properties last year from July 30 to Dec. 8 was potentially affected. In the United States, 100 hotels in 26 states were affected (see: Hyatt Falls to POS Malware Infection).
Hotel chains are ripe targets, especially in Asia. They typically keep card details on file for the duration of a guest's stay, says Nitin Bhatnagar, head of business development at SISA InfoSec Consultants. The classic scenario in the hospitality industry is that card data is often stored longer than usual to maintain consumer bookings and for miscellaneous service-related charges after guests check in. Online booking systems often get card data from various sources and third parties over the Internet, creating additional possible points of compromise, he says.
The POS malware outbreak sparks questions about security deficiencies in the Indian hospitality sector. And experts say many other such organizations remain vulnerable, owing to a combination of factors, not the least of which is their approach to security: mere adherence to global policies, if any exist, is not enough.
Hyatt Attack Overview
In a blog post, Hyatt says that the malware was designed to collect payment card data - cardholder's name, card number, expiration date and internal verification code - from cards used onsite as the data was being routed through affected payment processing systems at its restaurants, spas, front desks, parking and other areas.
Hyatt is the fourth major international chain known to be hit with POS malware in the past three months. Others include Trump Hotels, which warned Sept. 29 that its POS systems had been malware-infected for more than a year; Starwood Hotels and Resorts, which disclosed on Nov. 20 that malware had infected some of its restaurants, gift shops and other POS systems; and Hilton, which said on Nov. 24 that it suffered intermittent POS malware breaches in 2014 and 2015.
Hyatt says it's offering affected cardholders one year of prepaid identity theft monitoring services from TransUnion's CSID service for both U.S. and international breach victims.
The Asian Angle
Looking at the list released by Hyatt for the effective risk dates, more than 50 locations in Asia are confirmed to have been compromised.
"In the Hyatt data breach, it looks like a decent portion of breached data may have come from the restaurant or front desk of the hotel chain's facilities, which are usually integrated with POS environments running various applications," Bhatnagar says.
Multinational chains manage technology differently from how a local chain might because they have to adhere to global standards and policies. But having global standards and policies is not enough to prevent breaches; policies specific to the local market, covering local variables and legal requirements, are important, says Ravish Jhala, a hospitality consultant and ex-CIO with an Indian hospitality chain.
For instance, this POS infection likely spread within the network due to poor controls and lack of crucial practices, such as network segmentation. But because the nature and type of the malware remains in question, it is possible that this and other attacks could be customized to exploit specific weaknesses in different geographies that global policies might not appropriately cover.
Security in Indian Hospitality
When global hotel chains expand to more countries, they need to comply with the law of the land. In India, that's the IT Act 2000 and the subsequent amendment in 2008, and IT rules 2011. In the case of Hyatt, as well as most multinational corporations, Jhala says, global corporate IT & security policies were likely followed, which may not necessarily cover local legal regimes.
Jhala believes that in the hospitality industry, there's a mismatch between what's happening locally and at the global, corporate level. "Corporate and global departments need to listen closer to local businesses, rather than choosing to focus on broad enterprise roadmaps with poor local context," he says. And because the hospitality industry is big on adherence to established practices, there may be some aversion to change, he says. That's why, in the pursuit of maintaining global standards, global policies may be perceived as being superior to local inputs/recommendations.
Speaking from the perspective of Indian chains, Jhala says that though IT maturity is above average, the importance given to IT, and subsequently security, in the hospitality industry is poor. But increasingly, a clear requirement for a security/CISO role is taking shape. Hotels have multiple compliance requirements, including PCI, that require expertise.
Jhala says there's an understanding in the industry, in India at least, that although the IT Act is open-ended, liabilities are clearly defined in certain areas. For instance, enterprises - including hotels - holding sensitive personal information need to be compliant with section 43A of the IT Act, and be audited under it. Failing that, the board of directors and CEO can be punished to the point of imprisonment.
But while the need is there, he questions how many hotels have actually ever done a vulnerability assessment and penetration testing, or VAPT, audit.
Many hotels still use outdated backend systems and software, making them extremely vulnerable. That includes, for example, POS systems running Windows XP and Internet Explorer 8. Even at hotels that invest in technology, he says the focus is on innovation and functionality to get an edge on the competition; security is a secondary concern.
Hyatt Lessons for Asia
While the Hyatt breach appears to be the biggest in the hospitality sector so far, it remains to be seen what effect it will have on information security in Asia. Jhala believes that Indian chains will take note, and are better at compliance than globally managed chains in India. For global chains, policy will likely be driven from overseas.
The reasons such a breach might happen again in the region include:
- Routine processes and audits may not be conducted properly;
- Risk analyses of existing processes are not being re-evaluated in the context of new and emerging threats; and
- Point solutions are deployed, but organizations then neglect to measure performance metrics and configuration.
In breaches such as the one that hit Hyatt, investigators must figure out at what stage the compromise happened. There may be a need to revisit the whole architecture. For a global entity with numerous locations, a local expert who knows the industry well needs to be involved, rather than just hiring a major firm from another nation, Jhala believes.
SISA's Bhatnagar stresses that security best practices include ensuring network segmentation, strong password hygiene and monitoring for data exfiltration. Malware infections commonly occur in environments using remote administration software with weak password policies, he says. He recommends reviewing all accounts with administrative access for password complexity and regularly checking POS systems for physical tampering. And hotels in India must migrate from legacy systems, including Windows XP and Windows Server 2003, to more advanced options, he adds.
Jhala says Indian hotel chains that lack in-house expertise should consider outsourcing to get their security roadmap on track. Enlisting experts who understand the industry is essential, he says.
Jhala suggests that practitioners managing IT and security for a global franchise at the country level, who are attempting to influence change in global processes or infrastructure, should start small. "Start with a problem statement, and focus on implementing a solution in a small way to measure results," he says. "If positive, this can be a case study to then recommend to the global team and CIO, demonstrating the benefits." You could then run a pilot study in your country, which if fruitful, might serve as a catalyst for change throughout the organization.