Those four words no one wants to hear: You have been hacked. As you begin to fight off a malicious hacker, you may find out you’re really facing more than one. Once you realize you’ve been breached, it’s time to quickly focus on recovery.
Not all cyberattacks revolve around financial gain; sometimes the damage done is just for fun. Many attackers engage in recreational destruction by placing graffiti on digital signs, disabling your guest-facing systems, and shutting down your systems altogether.
If a franchise owner under a large flagship holding company were to be breached, they would have to follow certain regulations on reporting the issue at hand appropriately. For the most part, the franchise owner would handle the issue themselves since they are an independent business. However, there are reporting expectations since it will be seen by the world as if the flagship company is the one compromised.
Typically, during the recovery process, the flagship company would want to protect its reputation and reassure people the issue is not widespread. Simultaneously, the company would not assume any liability for the breach since they don’t own that franchise location and are not responsible for the breach occurring.
If it were an independent hotel facing this problem, it would have to take a slightly different approach to addressing it.
Once you have determined that your system has been compromised, there are several things that must be done and asked to ensure the damage doesn’t escalate, starting with these quantifying questions:
Laying out the issue properly would require significant data gathering. This can be done by conducting a forensic analysis of precisely what happened. Once that is completed, the property is better able to report the problem accurately and to combat it effectively.
If the problem were to cross the threshold of hurting more than 500 customers, the issue must be reported. The state your property is located in determines whether you have to file a notice of breach as guidelines vary by state. However, depending on the industry, you would have to also report it to the industry’s regulating bodies.
While all reports are being filed, the recovery process needs to begin. The first step is to close the holes and gaps found by the hacker. Next, rebuild the network. Once that is resolved, your property must investigate ways to prevent this from happening again in the future.
Often, these investigations result in implementing the right kind of network controls and managing what a guest can and cannot access. Only operate with third-party cybersecurity vendors that test your network and your controls repeatedly, so the security controls don’t degrade over time.
A good action to incorporate into your daily operation is to back up information so that if an issue occurs, you haven’t lost all your data. This is in addition to placing a backup off the network to ensure that your assets are safe.
Cyber attackers have the opportunity to gain access to the sensitive information of your guests; if they obtain this access, they will abuse it. Payment data and customer information are the kinds of things that will be sent to an off-site location, possibly to be sold on the dark web. Prepare for the worst when working to secure your virtual assets. Not doing so could leave you open to a major attack.
When your guests engage with the internet, every session comes with a risk of a hacker making their way to your hotel. When hackers approach, they are looking for valuable information that can be sold on the black market or are trying to cause a major disruption to your business. The top targets at a hotel include the following:
- Payment Data: Storing this data anywhere will draw hackers in to try and take it from you.
- Customer Information: PII is sometimes more valuable than credit card information. This information can consist of several things such as home address, likes, dislikes, and luxuries that a customer enjoys.
Obviously, hotels gathering this information are attempting to create the best experience for their guests, not expose them to hackers. However, if a hacker has this information, they could find ways to expose your guests.
Not all hackers are in it for selling information or the money. Some do it for the fun of causing disruption – doing anything they can to hurt a business and its customers. Many attacks aim to abuse a hotel’s data and systems so the hotel can’t operate efficiently.
Some examples:
- Disabling systems so people can’t check in or out
- Shutting down systems
- Placing graffiti or some other threatening language on digital signage
- Embarrassing the guest with stolen data
When these attacks happen, hackers are coming with a plan to take everything and leave you with nothing. The best way for hotels to defend themselves against attackers with these intentions and capabilities is to protect their networks and improve best practices to support guest needs.
The first solution is to keep your networks separate. Keep the guest network completely separated from the corporate network. This prevents guests from jumping from their network to the corporate network or point-of-sale devices.
The assumption is that the guest network is identified as an untrusted network and doesn’t have authorized access to the trusted side of the network. However, within that network there are passwords that guests would have such as their name or room number to log on.
From a best practices perspective, one scenario that we often see is a guest asking the front desk to print a file or an email. The minute the front desk agent opens the USB drive or email, the hotel may have been compromised. The attack may not be apparent yet, but it is now able to seep through your network and steal information.
Providing a way for guests to use secure public computers and printers is an easy way to provide this valuable service without compromising the hotel.
Remember, hotels are a common target for malicious hackers, whether for money, intelligence or fun. Regardless of the reason behind an attack, hotels must place safeguards between potentially malicious intentions and themselves to keep their property and guests safe.