Please stop using the business centers in the hotels

As noted previously, I had the pleasure of attending GrrCON, the InfoSec conference in Grand Rapids, Michigan. The event was a complete pleasure to attend with the talks, vendors, and others involved. As this is a bit away from my residence, there was a need for me to stay at one of the local hotels. One evening there was a bit of extra time and I walked around for a bit and found the business center. This typically is where people would go when staying at the hotel to check their work email, print items, etc.

In review of the equipment, these were the general-use desktops with a multi-purpose printer. There were no security measures noted with the two computers on the desk. There could have been a simple check to ensure the person using the system was indeed a guest. This could have taken the form of a simple login with the person's last name and room number. This would not have slowed the system down significantly and would have provided a speed bump for someone seeking data in an unauthorized manner.

For the record, there were no illegal or unlawful activities with this. I was a guest at the hotel, had checked in previously, and was authorized to be present and use the facilities in their entirety. The mouse was moved to wake up the computer system. There were two folders analyzed (Documents and Downloads). These were opened simply to see if anyone had left any files on the system. Unfortunately, there were files present from 2014 to 2017. The files were not encrypted and had no other protections enabled. Anyone walking into the hotel and then to the business center could have simply sat down, woken up the computer, and clicked on the files. These varied dramatically and were personal and corporate (non-hotel) files that people had been working with on a public computer.
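The post's two findings, no guest check and years of files accumulating in Documents and Downloads, are both things a hotel's IT staff can address with housekeeping on the shared machine. The script below is an added example (not code from the original post) that sweeps the profile folders of a public-use computer for files left behind, reports them oldest first, and optionally deletes anything older than a threshold so it can run at logout or on a nightly schedule. The folder names and the profile path are assumptions; the sample profile directory in the usage block is constructed for illustration.

```python
"""Sweep the profile folders of a shared-use computer for leftover files.

Added example, not code from the original post. The subfolder list and the
profile directory are assumptions; pass whatever the kiosk actually uses
(for example C:\\Users\\Public on a Windows business-center PC).
"""
import sys
import time
from dataclasses import dataclass
from pathlib import Path

# The two folders the post found full of guest files (assumed names).
DEFAULT_SUBFOLDERS = ("Documents", "Downloads")


@dataclass
class LeftoverFile:
    path: Path
    size: int        # bytes
    age_days: float  # time since last modification


def find_leftover_files(profile_dir, subfolders=DEFAULT_SUBFOLDERS,
                        min_age_hours=0.0, now=None):
    """Return every regular file under profile_dir/<subfolder> that is at
    least min_age_hours old, oldest first. A threshold of 0 lists all."""
    now = time.time() if now is None else now
    found = []
    for name in subfolders:
        folder = Path(profile_dir) / name
        if not folder.is_dir():
            continue
        for p in folder.rglob("*"):
            # Skip symlinks so a planted link cannot point the purge elsewhere.
            if p.is_symlink() or not p.is_file():
                continue
            st = p.stat()
            age_hours = (now - st.st_mtime) / 3600
            if age_hours >= min_age_hours:
                found.append(LeftoverFile(p, st.st_size, age_hours / 24))
    found.sort(key=lambda f: f.age_days, reverse=True)
    return found


def purge_leftover_files(profile_dir, subfolders=DEFAULT_SUBFOLDERS,
                         min_age_hours=0.0, now=None, dry_run=True):
    """Delete (or, with dry_run=True, only count) the files that
    find_leftover_files returns. Returns the number affected."""
    removed = 0
    for f in find_leftover_files(profile_dir, subfolders, min_age_hours, now):
        if not dry_run:
            f.path.unlink()
        removed += 1
    return removed


def format_report(files):
    """One line per leftover file, for the log the administrator reviews."""
    lines = []
    for f in files:
        lines.append(f"{f.age_days:8.1f} days  {f.size:10d} B  {f.path}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python sweep.py <profile_dir> [max_age_hours] [--delete]
    profile = sys.argv[1] if len(sys.argv) > 1 else "."
    hours = float(sys.argv[2]) if len(sys.argv) > 2 else 0.0
    delete = "--delete" in sys.argv
    leftovers = find_leftover_files(profile, min_age_hours=hours)
    print(format_report(leftovers))
    n = purge_leftover_files(profile, min_age_hours=hours, dry_run=not delete)
    print(f"{'removed' if delete else 'would remove'} {n} file(s)")
```

Running it in dry-run mode first produces the inventory the hotel would have wanted before anyone else found it; only the `--delete` flag removes files, and the symlink check keeps a purge confined to the two folders it was pointed at.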

Most of the files consisted of flight tickets, healthcare card images, medical records, mechanical engineering drawings (not sure if these were confidential or non-patented intellectual property), quotes for work to be done, presentations to global corporations, home appraisals, etc. This is a treasure trove of data that may be used for nefarious purposes. The full extent of this and the potential abuses is a topic for a much longer article.

As a responsible researcher and member of the InfoSec community, this was reported to the hotel and the medical office whose records were on the computer. The initial thought was the hotel would send the usual "Thank you ..." email and let it go from there, and the medical office would take note and contact me immediately in light of the potential HIPAA violation and fines. Unfortunately, I was sadly mistaken. The hotel contacted me three times within 12 hours to let me know they were going to take care of the issue. I was amazed at the speed and tenacity of their response and actions. Given this I have a new respect for the corporate chain. On the other hand, the medical office still has not contacted me after four days. The medical office's staff exposed the patient to a large amount of risk by leaving those records on an open computer for the long term. Anyone could have reviewed this and violated the patient's confidence, privacy, and respect. The information from the medical records can easily be coupled with other data and sold on the Dark Web, making the patient's life very interesting for the next 10+ years.

For the consultants and administrators, please provide training and simple insight into how to handle medical records away from the office. This should not have been so easy to gather.

About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.
