Hotel Breaches on the Rise, Putting Guests, Their Companies at Risk

Written by Pam Baker
March 31, 2020

VPNs and email encryptions aren’t the only protections MSSPs need to provide for their clients who travel.

From MGM Resorts’ massive hack to Marriott International hotel chain’s second breach in less than two years, it’s clear that hotel breaches are on the rise.

The hackers behind these attacks are looking for more than the usual data score and are setting their sights on far-flung attacks for even bigger stolen hauls. To protect clients from what comes next, MSSPs will need to step up protections for hotels and for traveling clients working in other industries.

Lucy Security’s Collin Bastable

“Consumers have grown used to the hospitality industry’s data incontinence, but leaked email addresses mean that the risk continues for consumers long after the initial attack is over,” said Colin Bastable, CEO of security awareness training company Lucy Security.

This trend is underscored by the fallout after last summer’s MGM Resorts hotels breach. The personal details of more than 10.6 million MGM Resorts guests was subsequently published on a hacking forum last month.

“This is a great example of how these breaches and their fallout can continue to haunt businesses for quite some time. It’s likely MGM thought this incident was far in the rear view, but the value of their particular data set continues to have appeal, despite its age and the potential staleness in certain spots,” said Adam Laub, CMO at STEALTHbits Technologies.

The most recent hotel breach happened at Marriott hotels, the second such incident in less than two years.

Comparitech’s Paul Bischoff

“The biggest threat Marriott guests might face as a result of this breach is targeted phishing. Guests should be on the lookout for targeted messages from scammers posing as Marriott or a related company,” said Paul Bischoff, privacy advocate with Comparitech.

“Don’t click on links or attachments in unsolicited emails. Check email addresses and don’t just trust display names. If you’re uncertain as to whether a message is legitimate or not, ask Marriott using contact information found through Google,” Bischoff added.

This Marriott breach happened after hackers secured the login credentials of two employees at a franchise property.

“While the disclosure provides useful information for the consumers affected, it offers little for information security practitioners to better understand how to avoid similar incidents in the future,” said Tim Erlin, vice president of product management and strategy at Tripwire.

“Breaches that use valid credentials can be harder to detect because the attack looks like a valid login. In these cases, organizations often have to look at what changes that attacker is making as they carry out their objective in order to detect the malicious activity,” Erlin added.

Hotels have become bigger targets given their newfound vulnerabilities in the current pandemic crisis.

BitSight’s Jake Olcott

“The hospitality industry is particularly vulnerable to a cyberattack at a time like this. The hospitality attack surface has expanded dramatically. Significant parts of the workforce are now remote. Many are furloughed but still retain sensitive data,” said Jake Olcott, VP of communications and government affairs at BitSight.

“Because of the franchise model, HQ often lacks visibility into the technical operations of subsidiaries. All of this suggests that the hospitality sector IT teams need to gain more visibility into their security posture with fewer personnel and significantly less resources,” Olcott added.

MSSPs should consider adding or offering …