The hospitality industry shares many of the same data security vulnerabilities as the retail industry, since it accepts and stores cardholder information as well as personal information collected through loyalty and rewards programs, yet it lags in the adoption of data security practices, which makes it an attractive target for cybercriminals. We talk to Gary Palgon to understand the basics surrounding the key data security issues and what hotels can do to secure valuable information. Though many of these issues fall in the realm of IT, knowing the basics is a must for all digital hotel marketing professionals too.
[Hotelemarketer.com] What are the most common problems associated with data security and how do payment cards feature here?
[Gary] The most common problem is that data is not secure; rather, it generally resides in applications and databases as unsecured, clear-text data in most cases … whether it’s payment card information or other sensitive consumer or employee information.
[Hotelemarketer.com] Your recent press release stated that 38% of all data security attacks were against hotels and resorts last year, making the hospitality industry the #1 target for breaches – what is the source of this information and how is this usually evaluated? (Global vs US-centric, methodology?)
[Gary] Trustwave’s Global Security Report 2010: Based on data collected by Trustwave’s SpiderLabs, this report includes analyses of investigations of data compromised in 2009, detailed technical information on top vulnerabilities, and an actionable global remediation plan.
[Hotelemarketer.com] The release also stated that 98% of all 2009 breaches involved credit card numbers – why is this data particularly at risk and how do these breaches usually occur?
[Gary] It’s important to understand the context of the report, as well, in that as much as credit cards were involved in the majority of the breaches, they only represented 6 percent of sensitive data being stolen last year (see http://datalossdb.org/statistics). The bulk of stolen data centered on social security numbers, and names and addresses.
The reason why credit card numbers were involved to such a high extent is that they require the least amount of effort to convert into dollars. When it becomes too difficult to steal credit card numbers, criminals will look to the other types of sensitive data that will still yield conversion into dollars, but perhaps require a little more work. With social security numbers, for example, you’d have to first create a fake identity … then follow this additional effort by obtaining a credit card in order to make purchases.
[Hotelemarketer.com] If you were to list the top 3 data breach scenarios at hotels, what would they be? How does the hospitality industry differ from most other retailers in this respect?
[Gary] With regard to data breaches, hotels are not unlike other industries, in that typical data-breach scenarios include:
- Lost laptops with unencrypted sensitive information on them,
- Lost backup tape drives with unencrypted sensitive information on them, and
- Attacks on core data repositories within the enterprise, like applications or databases, through a website or a direct database attack.
So, the nature of the attack scenarios is not that much different. What is different, however, is the fact that the retail industry in general has taken a more aggressive approach in addressing these issues. As a result, criminals have sought other, “softer” targets. To this end, the hospitality industry has become a bigger target in recent years because of its lack of focus regarding data security.
[Hotelemarketer.com] What sort of security standards should most retailers including hotels comply with…and what do these standards stipulate?
[Gary] Retailers, including hotels, need to comply with not only security standards like the Payment Card Industry’s Data Security Standard (PCI DSS), but also with State Breach Notification Laws in the U.S., with the U.K.’s Data Protection Act and the European Data Protection Directive, all of which require protection of other sensitive consumer information like social security numbers, name/address data, protected healthcare information, etc.
[Hotelemarketer.com] What is state of the art in the data security space and how can hoteliers ensure they’ve got all avenues to potential breaches secured?
[Gary] Tokenization is a technology that enables surrogate data, called tokens, to replace sensitive data throughout the enterprise while storing the encrypted sensitive data in a centralized data vault – think of the latter as Fort Knox in the U.S. where the world’s gold is stored or the Tower of London in the U.K. where the Crown Jewels are stored. It’s easier to protect the gold or jewels in one place than throughout their respective countries. The same model applies to sensitive data in the form of the centralized data vault. In addition to that, format-preserving tokens allow the business applications to function as they did previously (such as for analyzing transactional trends), but at the same time they lower the risk since the tokens have no intrinsic value, whereas credit cards do.
[Hotelemarketer.com] How does the application of security best practices vary across the growing array of distribution and payment channels, i.e. web bookings, call centres, hotel reservation numbers, walk-ins, etc?
[Gary] Different payment channels require different approaches to security. For example, a website is considered a “card not present” environment, while a hotel walk-in is considered a “card present” environment. Each situation has different “best practices” for protecting sensitive data, like protecting the swipe from being skimmed when present. Call centers, on the other hand, need to prevent individuals, like reservationists, from writing down or remembering sensitive information. An entirely different security practice is required for these channels.
[Hotelemarketer.com] How can hotels at various levels ensure the highest level of data security regardless of size and affiliation, i.e., independent properties vs chains, franchises vs owned hotels, etc.?
[Gary] Hotels, regardless of the type, need to adopt security standards that are commensurate with the types of sensitive data they are gathering … i.e., whether it’s credit card numbers or other types of consumer information. Individual hotel owners and/or franchise groups need to understand that a breach in a single franchise-owned hotel can tarnish the entire hotel brand. Education regarding the importance of protecting the sensitive data of a business is critical and should be an ongoing exercise to both corporate employees as well as franchisees.
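The tokenization model Gary describes above (format-preserving surrogate values in the business applications, the real card numbers encrypted in one central vault) is illustrated by the following example. It is added here for readers and is not code from the interview, from nuBridges or from any product; the vault, key labels, token layout and test card numbers are all assumptions. The token keeps the PAN's length and last four digits so reservation and reporting systems keep working, is deliberately generated so it fails the Luhn check (so a token can never be mistaken for, or accidentally charged as, a real card), and maps the same card to the same token so transactional trends can still be analysed. Because the Python standard library has no AES, the vault records are protected with an HMAC-SHA256 counter-mode stream plus an HMAC tag (encrypt-then-MAC) as a stand-in; in production you would use AES-GCM from a vetted library and an HSM-backed key.

```python
import hashlib
import hmac
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test used for payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _derive(master: bytes, label: bytes) -> bytes:
    """Derive an independent sub-key from the master key for one purpose."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for an AES PRF)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(master: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC a vault record: nonce(16) || ciphertext || tag(32)."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_derive(master, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_derive(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(master: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject tampered records."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_derive(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault record failed integrity check")
    ks = _keystream(_derive(master, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class TokenVault:
    """Centralized vault: tokens live in the applications, PANs live only here, encrypted."""

    def __init__(self, master_key: bytes):
        self._master = master_key
        self._index_key = _derive(master_key, b"index")
        self._by_token = {}   # token -> encrypted PAN record
        self._by_index = {}   # HMAC(PAN) -> token, so a repeat card gets the same token

    def _index(self, pan: str) -> str:
        # Keyed hash, not a plain hash: PANs have too little entropy to hash unkeyed.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        idx = self._index(pan)
        if idx in self._by_index:
            return self._by_index[idx]
        while True:
            # Format-preserving: same length, last four digits kept, rest random.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # A token must never pass Luhn, so it cannot be confused with a real card.
            if not luhn_valid(token) and token not in self._by_token:
                break
        self._by_token[token] = encrypt(self._master, pan.encode())
        self._by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        blob = self._by_token[token]          # KeyError for an unknown token
        return decrypt(self._master, blob).decode()


if __name__ == "__main__":
    # Constructed sample using well-known test card numbers, not real accounts.
    vault = TokenVault(secrets.token_bytes(32))
    for pan in ("4111111111111111", "5555555555554444", "4111111111111111"):
        token = vault.tokenize(pan)
        print(pan, "->", token, "| luhn:", luhn_valid(token), "| back:", vault.detokenize(pan and token))
```

Two points a practitioner should take from the design: the deterministic HMAC index is what makes repeat customers analysable on tokens alone, but that index key is exactly as sensitive as the vault itself and must be managed with it; and the vault, not the applications, is the single place that needs PCI-grade controls, which is the whole point of the "Fort Knox" model in the answer above.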
About the Interviewee:
Gary Palgon, CISSP, is vice president of product management for data protection software vendor nuBridges, Inc. He is a frequent contributor to industry publications and a speaker at conferences on eBusiness security issues and solutions. Gary can be reached at firstname.lastname@example.org. To learn more about nuBridges, please visit www.nubridges.com.