Please stop using the business centers in the hotels
As noted previously, I had the pleasure of attending GrrCON, the InfoSec conference in Grand
Rapids, Michigan. The event was a complete pleasure to attend with the talks, vendors, and
others involved. As this is a bit away from my residence, there was a need for me to stay at one
of the local hotels. One evening there was a bit of extra time and I walked around for a bit and
found the business center. This typically is where people would go when staying at the hotel to
check their work email, print items, etc.
In review of the equipment, these were the general use desk tops with a multi-purpose printer.
There were no security measures noted with the two computers on the desk. There could have
been a simple check to ensure the person using the system was indeed a guest. This could have
taken the form of a simple login with the person’s last name and room number. This would not
have slowed the system down significantly and would have allowed for a speed bump for
someone seeking data in an unauthorized manner.
For the record, there were no illegal or unlawful activities with this. I was a guest at the hotel,
had checked in previously, and was authorized to be present and use the facilities in their
entirety. The mouse was moved to wake up the computer system. There were two folders
analyzed (Documents and Downloads). These were opened simply to see if anyone had left any
files on their system. Unfortunately, there were files present from 2014 to the 2017. The files
were not encrypted or had any protections engaged. Anyone walking into the hotel and then to
the business center could have simply sat down, woken up the computer, and clicked on the files.
These varied dramatically and were personal and corporate (non-hotel) files that people had been
working with on a public computer.
Most of the files consisted of flight tickets, healthcare card images, medical records, mechanical
engineering drawings (not sure if these were confidential or non-patented intellectual property),
quotes for work to be done, presentations to global corporations, home appraisals, etc. This is a
treasure trove of data that may be used for nefarious purposes. The full extent of this and the
potential abuses is a topic for a much longer article.
As a responsible researcher and member of the InfoSec community, this was reported to the hotel
and the medical office whose records were on the computer. The initial thought was the hotel
would send the usual “Thank you …” email and let it go from there, and the medical office
would take note and contact me immediately in light of the potential HIPAA violation and fines.
Unfortunately, I was sadly mistaken. The hotel contacted three times within 12 hours to let me
know they were going to take care of the issue. I was amazed at the speed and tenacity of their
response and actions. Given this I have a new respect for the corporate chain. On the other hand,
the medical office still has not contacted me after four days. The medical office’s medical staff
has allowed expressly the large amount of risk to the patient whose records the medical staff just
left on an open computer for the long term. Anyone could have reviewed this and violated the
patient’s confidence, privacy, and respect. The information from the medical records can easily be coupled with others and sold on the Dark Web, making the patient’s life very interesting fo the next 10+ years.
For the consultants and Administrators, please provide training and simple insight into how to
handle medical records away from the office. This should not have been so easy to gather.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.