From MGM Resorts’ massive hack to Marriott International hotel chain’s second breach in less than two years, it’s clear that hotel breaches are on the rise.

The hackers behind these attacks are looking for more than the usual data score and are setting their sights on far-flung attacks for even bigger stolen hauls. To protect clients from what comes next, MSSPs will need to step up protections for hotels and for traveling clients working in other industries.

Lucy Security’s Collin Bastable

“Consumers have grown used to the hospitality industry’s data incontinence, but leaked email addresses mean that the risk continues for consumers long after the initial attack is over,” said Colin Bastable, CEO of security awareness training company Lucy Security.

This trend is underscored by the fallout after last summer’s MGM Resorts hotels breach. The personal details of more than 10.6 million MGM Resorts guests was subsequently published on a hacking forum last month.

“This is a great example of how these breaches and their fallout can continue to haunt businesses for quite some time. It’s likely MGM thought this incident was far in the rear view, but the value of their particular data set continues to have appeal, despite its age and the potential staleness in certain spots,” said Adam Laub, CMO at STEALTHbits Technologies.

The most recent hotel breach happened at Marriott hotels, the second such incident in less than two years.

Comparitech’s Paul Bischoff

“The biggest threat Marriott guests might face as a result of this breach is targeted phishing. Guests should be on the lookout for targeted messages from scammers posing as Marriott or a related company,” said Paul Bischoff, privacy advocate with Comparitech.

“Don’t click on links or attachments in unsolicited emails. Check email addresses and don’t just trust display names. If you’re uncertain as to whether a message is legitimate or not, ask Marriott using contact information found through Google,” Bischoff added.

This Marriott breach happened after hackers secured the login credentials of two employees at a franchise property.

“While the disclosure provides useful information for the consumers affected, it offers little for information security practitioners to better understand how to avoid similar incidents in the future,” said Tim Erlin, vice president of product management and strategy at Tripwire.

“Breaches that use valid credentials can be harder to detect because the attack looks like a valid login. In these cases, organizations often have to look at what changes that attacker is making as they carry out their objective in order to detect the malicious activity,” Erlin added.

Hotels have become bigger targets given their newfound vulnerabilities in the current pandemic crisis.

BitSight’s Jake Olcott

“The hospitality industry is particularly vulnerable to a cyberattack at a time like this. The hospitality attack surface has expanded dramatically. Significant parts of the workforce are now remote. Many are furloughed but still retain sensitive data,” said Jake Olcott, VP of communications and government affairs at BitSight.

“Because of the franchise model, HQ often lacks visibility into the technical operations of subsidiaries. All of this suggests that the hospitality sector IT teams need to gain more visibility into their security posture with fewer personnel and significantly less resources,” Olcott added.

MSSPs should consider adding or offering …

… additional services to hotels to further secure these new vulnerability points as well as guard against other types of attacks typically used against the hospitality industry.

In the case of the MGM Resorts hotel breach, “the hacker exploited data stored in cloud servers that didn’t have the highest level of protection and siphoned off millions of records,” said Gad Bornstein, security evangelist with PerimeterX.

“Configuration errors, malicious insiders, server hacks and client-side threats can cause data breaches. Data from breaches invariably make it to the dark web. Data from multiple breaches help bad actors execute bot-driven account takeover (ATO) attacks with better success,” Bornstein added.

MSSPs can also add new revenue streams by adding security services to their menu that are focused on protecting clients as they travel. It’s obvious that VPNs and encrypted emails are not enough for traveling workers, since much of their data is stolen directly from hotel, restaurant, and entertainment databases. Clients will also require more training on spotting more sophisticated phishing attacks that follow hotel data breaches.

“End users want to make sure they continue to be vigilant when it comes to spear phishing or targeted emails about their accounts, as criminals will mix this in with the COVID-19 scam emails that are in circulation,” said James McQuiggan, Security Awareness Advocate at KnowBe4.

“By staying vigilant against the COVID-19 emails, people may drop their guard when they see a data breach email scam informing them to change their account password and unknowingly click a link or open an attachment,” McQuiggan added.