Landry’s Malware Attack Highlights Need for Stronger Data Security
The recently discovered malware attack on U.S. dining, hospitality, entertainment and gaming chain Landry’s is proof that more emphasis is needed on data security.
That’s according to Terry Ray, senior vice president and fellow at Imperva. Landry’s owns and operates more than 600 restaurants, hotels, casinos and entertainment destinations in 35 states and the District of Columbia.
In a statement on its website, Landry’s has advised customers of a point-of-sale (POS) malware attack that stole payment card data from an order-entry system used to process kitchen and bar orders. The company says the cards were mistakenly swiped through the devices between March 13 and Oct. 17 of last year.
Its encryption technology on POS terminals, which makes card data unreadable, was working as designed and prevented the malware from accessing payment card data when cards were used on these encryption devices. The malware searched for track data, which sometimes includes the cardholder’s name, card number, expiration date and verification code.
MSSPs and other cybersecurity service providers should definitely be working to build to a data security practice, as business security teams globally are failing to hire the necessary experts and in-house expertise is often lacking in that area, Ray said.
It’s always critical for any company storing private data to be able to answer five simple questions about that data at any given point: who accessed it, when was it accessed, how was it accessed, what was accessed, and – most important and timely – should it be accessed, he said.
“Most security teams don’t know where to begin for data security, so they opt for what they know — data leak prevention, identity access management and anti-malware — yet these are proven time and time again to fail in preventing a breach and fail to answer the basic questions above,” Ray said.
Bill Conner, SonicWall‘s CEO, tells us this type of attack has become a common occurrence that plagues retailers and hospitality businesses relying on POS systems to conduct transactions. There is a growing list of nationally and globally known companies that have fallen victim to similar attacks, he said.
“Some of these had more than enough budget to protect their systems, yet they were still unable to secure themselves,” he added. “This is why cybercriminals have also honed their tactics to target SMBs, which are often not as equipped to defend themselves against today’s persistent threats and threat actors.”
This presents an opportunity for MSSPs and other providers to work more closely with customers to strengthen their security and educate them on the constantly evolving cyberthreat landscape and attack patterns, Conner said.
Mike Puglia, Kaseya‘s CMO, said retailers must ensure they are complying with the Payment Card Industry Data Security Standard (PCI DSS).
“Compliance with these standards helps retailers protect payment card data by restricting physical and digital business access to cardholder data and requiring multifactor authentication (MFA) for all non-console administrative access,” he said. “None of these processes alone will ensure complete IT security; however, retailers can leverage compliance and incorporate cybersecurity best practices to maximize consumer protection in the payment life cycle.”