The hospitality industry has a single focus: ensuring that its guests have the optimal experience at its facility. The same holds in medicine and other fields; society wants people to specialize in their fields rather than generalize across too many. If you are having heart surgery, you want the surgeon to be a specialist, not a general practitioner.
As part of their operating process, hotels and other hospitality facilities collect a massive amount of data from their clients. Each client has to pay for their room and other services, which is generally done with a credit card. This is valuable to attackers, as the data may be sold. In recent history, though, the industry has not done a fantastic job of protecting its clients' data. A particularly glaring example occurred with Wyndham Hotels and its 2008 and 2009 compromises. In late 2015, the hotel chain settled with the Federal Trade Commission over charges that it had not done enough to protect the data. The charges arose from three breaches in which the hotel's client data was exfiltrated. Resolving the issue was not inexpensive, as evidenced by the attorney fees and the fines.
Until this point, the hospitality industry has not given InfoSec a significant amount of attention. In comparison, other industries have treated it as far more pertinent. For example, DoD contractors, municipalities, financial services, medical, banking, and others have increased their focus and spending on it. What these have in common is that the entity's computer system had been compromised, data exfiltrated, and, in specific cases, fines levied by the FCC.
This lack of focus may be a function of the entities concentrating on their goal of providing the best service to their clients. InfoSec, while vital, had not been considered integral to that mission. Although it does not sit squarely within their core operations, InfoSec is still a supporting facet of their business.
Over the last few years, this has begun to change. Businesses are beginning to recognize that each hospitality entity is the steward of, and responsible for, its clients' confidential and sensitive information. This data is sought by attackers from around the globe, and the data being stored is the leading reason attacks occur. If an attack is successful, the hotel's client information (name, physical or mailing address, email address, credit card number, etc.) is removed by unauthorized parties.
This focus is expected to increase as the hospitality industry continues to expand its offerings geographically. The expansion is relevant to InfoSec because the entities will be managing more data from many more regions and countries. Without InfoSec in place, the liability when a breach occurs will only increase, especially with the GDPR coming online in the near future.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests and vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker's background includes work in the banking, medical, automotive, and staffing industries.