Hyatt hotel chain hit by financial malware; how to prevent such things?

The Hyatt hotel chain has revealed recently that 250 of 627 of its properties worldwide were infected with money-stealing malware.

The Hyatt hotel chain has revealed recently that 250 of 627 of its properties worldwide were infected with money-stealing malware. Customer financial data may have been compromised, as well.

The malware in question was designed specifically to steal financial data, including: cardholder names, card numbers, expiry dates, and the internal verification codes used to verify on-site transactions.

According to a statement issued by the company, the malware harvested credentials as they passed through Hyatt’s infected payment processing systems. The information-stealing malware was active between August 13 and December 8, 2015, but some locations may have been infected as early as July 30, 2015. Fifty-four countries, including the US, UK, Germany, Russia, France, and Japan were affected, ZDNet informed, providing a link to a global list of compromised sites. If you visited one, chances are you may be a potential victim.

This is clearly a “fail” case, but is it unique?

It is not

The Hyatt chain doesn’t look to be the only victim. Just the most recent. Last November, Hilton hotels reported a very similar cyberattack: hackers infected some of its point-of-sale computer systems with malware crafted to steal credit card information.

Four days prior to Hilton’s revelations, Starwood Hotels said its payment systems in 54 hotels have also been infected with credit card data “harvesters”.

Earlier in 2015, Mandarin Oriental chain discovered malware in its payment processing. Somebody had also been “collecting” credit card data from The Trump Hotel Collection between May 2014 and June 2015.

So, as we can see, attacks on hotels are not anywhere near unique. Unfortunately. We have previously addressed cybersecurity in hotels worldwide – in relation to Darkhotel APT, at least, and there’s really room for improvement, which is clearly shown by these attacks upon the world’s leading hotel chains.

Late in 2014, we covered cybersecurity issues in the hospitality industry, and there are lots of them aside from malware in payment systems and/or APTs targeting the top-tier residents; attacks upon the payment processing, apparently, is the most immediate problem, as a lot of people and businesses appear to be at risk.

What can be done against such incidents?

There are a number of cybesecurity tools and approaches available which can help the hospitality industry to prevent such disastrous experiences like that of Hyatt and others.

First of all, wherever significant volumes of personal, financial, or other sensitive data is involved, policies covering data storage and access should be especially strict. Properly set data access rules are a very significant part of establishing secure environment. Then there are the practical applications:

  1. Data storage security should be a top priority. This includes File Level encryption, Portable Storage encryption and perhaps even Full Disk encryption. All three are available as part of Kaspersky Endpoint Security for Business Advanced. Take a look on our whitepaper describing our approach to encryption as a security measure.
  2. Restrict access to the web and the use of personal storage. For this, Web Control and Device Control are available in Kaspersky Endpoint Security for Business (tiers Select and Advanced).
  3. Restrict the use of unsolicited applications, even considering a Default Deny scenario for certain endpoints (such as reception), whereas running any software which is not in the permitted list is denied – by default, apparently. Default Deny may seem complex, however, at times it’s the only way to ensure the necessary level of security, especially when critical data is in question. Also, the limited number of tasks undertaken by the users of such endpoints makes this scenarios less complex to deploy. Application Control technology allowing the Default Deny scenario is available in Kaspersky Endpoint Security for Business (tiers Select and Advanced).

More information on Kaspersky Endpoint Security for Business is available here.

The cases of top hotel chains, as well as earlier attacks on payment systems of large retailers, make it obvious personal data and payment systems require strong protection (in many cases, it should be stronger than it is now). The right approach and the use of proper technologies is a sort of insurance against massive data leaks and the reputation damage that would follow. And a reputation’s cost is very high everywhere, especially for businesses processing other people’s data and payments.

Stay safe!