Hilton Hotels Group – Victim of a Data Breach?

The global hospitality company Hilton is investigating claims of a data breach. While the actual number of properties affected has not been made public, it is known that a data breach affected a “large number of Hilton Hotels and franchise properties” operating in the United States. Hackers are believed to have compromised point-of-sale (POS) registers in coffee shops, gift shops and restaurants; hotel reservation systems are reported to be unaffected, so the damage is somewhat limited.

Visa alerted a number of financial institutions to its suspicions. In response, several banks confirmed that the common point of purchase for the cards in question was Hilton. The hospitality company says that it takes security very seriously and that any suspicions have to be investigated. Hilton says that this is what it is now doing: IT security experts are working to establish who compromised the POS registers. Hilton admits that even though it has security systems in place, cybersecurity is a constant challenge faced by many companies: “Unfortunately the possibility of fraudulent credit card activity is all too common for every company in today’s marketplace.”

If you have visited any of the restaurants, gift shops or other outlets at Hilton properties, checking your bank records is certainly a must. If the suspicions prove correct, Hilton will be the latest major American chain to suffer a substantial credit card breach resulting from a malware incursion on POS systems. Remember also the FireKeepers Casino case, a possible data breach that resulted from insecure POS systems.

In fact, many hotels around the world would do well to learn some cybersecurity lessons from recent incidents. You may have come across warnings about free hotel Wi-Fi being “horribly insecure”. The hotel market is being extensively targeted by hackers and cybercriminals: a family of specialist malware aimed specifically at the hospitality industry, called Darkhotel, was discovered only last year. “A group of hackers spread malware by hijacking the networks of luxury hotels”, The Register reported.

Frank Green of Commissum warned: “Hotels often focus their security efforts on traditional physical security: safety of staff and guests, theft from guests and the hotel itself, counter-terror, etc. They spend vast sums on state-of-the-art CCTV, alarms, identity and access control systems. Cyber security gets left as an afterthought. Hotels often have huge numbers of staff and contractors that are a challenge to monitor and control; add into the mix internet-based threats with high volumes of card transactions at multiple locations within a site, and soon the attraction for financially motivated criminal activity is clear to see. It is seen as low risk for cybercriminals.”

Hospitality groups are improving, though. Commissum has worked with a number of organisations within the sector, and PCI DSS has been a core driver of cyber security improvements in recent years. However, with the alleged Hilton breach we are potentially seeing POS malware harvesting card data again, and it would appear that this was another persistent attack. Both of these facts show that there is a long way to go for many organisations.

Cyber security is not a one-off exercise; it is an ongoing battle with the entire threat actor community, and it has to be embedded in the daily running of your organisation. Commissum is here to provide appropriate and relevant guidance in your adoption of best practice. Give us a call on 0131 625 2737 or submit your enquiry here.