Has Dark Hotel been Trumped?

Several Trump hotels including New York, Chicago, Miami, Vegas, LA, and Honolulu along with others have been the victims of a credit card breach which, according to KrebsOnSecurity.com, stems back from at least February 2015.

Is this yet another sign that hotels and the hospitality industry simply aren't taking information and cyber security threats seriously? In November last year, we wrote about the impact of a Dark Hotel group that targeted exclusive hotels and the guests that stay there. First published on Monday 10th November 2014, a report by security software vendor Kaspersky Lab describes an attack vector that a group of hackers have been exploiting since 2007.

Even as recently as March 2015, the Mandarin Oriental Hotel Group admitted that they too realised that they had been breached, which is expected to have impacted most if not all of the group's US properties:

“Mandarin Oriental can confirm that the credit card systems in an isolated number of our hotels in the US and Europe have been accessed without authorization and in violation of both civil and criminal law. The Group has identified and removed the malware and is coordinating with credit card agencies, law enforcement authorities and forensic specialists to ensure that all necessary steps are taken to fully protect our guests and our systems across our portfolio.Unfortunately incidents of this nature are increasingly becoming an industry-wide concern. The Group takes the protection of customer information very seriously and is coordinating with credit card agencies and the necessary forensic specialists to ensure our guests are protected.” 

Statements of this ilk are more and more common, and expected. The response from the Trump camp came from Eric Trump, executive vice president of development and acquisitions of The Trump Organization (and son of Donald Trump) who said in a statement to USA Today that the company is "committed to safeguarding all guests' personal information and will continue to do so vigilantly."

One would expect Eric probably doesn't understand much regarding the quality of security strategy in place or the quality of it's execution - not that I'm at all casting aspersions on him, but typically c-suite and executive board members still think that security is 'an IT issue', at which point they mentally switch off and delegate it to someone "more techie" - a fatal error that many at this level make. Sure they take time out to understand financial jargon, but somehow they're not aware that the risks to reputation and operations of a cyber breach can be catastrophic. 

Cyber+ (an Infosec Partners joint initiative with the Charmogen Group led by Chris Parker MBE) provides business leaders and executive boards with confidential services aimed at evaluating the integrity of their organisations’ Cyber Strategy; cutting through the jargon and making it easier to understand, translate and align the challenges and opportunities of Cyber Security, with their ongoing oversight responsibilities. Executive board members at these global hotel chains, it seems would benefit significantly from Cyber+ sessions.

It's to be expected that some heads have already rolled following these breaches, with several executives paying the price of the breach and bad press with their jobs. Privacy and Security are foremost in the minds of people of high net worth and influence, such as clients of Infosec Partners' exclusive VIPIT security services, and they will frequently ask themselves if they really want to stay somewhere where their credit card and personal details are stolen?

Infosec Partners have enabled clients, such as those with 'VIPIT membership', to stay secure through a programme of awareness, as well as through a 24x7 full service offering which incorporates security expertise and personalised support. Indeed it's not only on their travels where executives are being targeted, the executives homes and even families have also been identified as avenues to exploit, which is why Infosec Partners have outlined a series of steps to provide total protection for directors both at home, and away.

What many don't realise, is that many big brand hotel chains may still employ poor handling of credit card and customer information. It was 2003 when I first learned that hotels were keeping multiple copies of client credit card information as photocopies/scans in filing cabinets and desk drawers but my contacts in the hospitality industry have told me that even today this is still relatively common-place. When you combine this with the continued use of magnetic strip cards and slow adoption of chip and pin in the United States, it's no wonder that many of the card breaches are coming from the US especially through hotels and retail. Now in 2015, it's way past time that we get the security we expect and pay for by staying at these prestigious hotels and resorts.

By Fran Ordillano, Consulting Partner (Infosec Partners Group)