As hotel data breaches mount, be alert for card fraud
Regularly change passwords, watch accounts for suspicious activity
By Susan Ladika | Published: August 16, 2016
With hotel data breaches surging, hotel guests need to act to protect their credit card and other personal info from crooks.
Hotel data breaches have become epidemic. Since the fall of 2015, prominent hotel names such as Hyatt, Hilton, Trump, Starwood Hotels & Resorts and Omni Hotels & Resorts have announced data breaches affecting hundreds of properties around the world. In July 2016, Kimpton Hotels announced its investigation of a possible data breach.
HEI Hotels became the latest when it announced Aug. 12 that travelers visiting at least 20 hotels, including Marriotts and Westins, may have had their credit card information swiped. Cardholder names, card numbers, card expiration dates and security codes were thought to have been stolen, HEI said.
Minimum effort, maximum reward
Hackers “go where there’s minimum effort and maximum reward,” says Brian Hussey, global director of incident response & readiness at Trustwave, an information security company. “Attackers get pretty good at finding holes.” If they find a weakness in one industry, they’ll focus attention there.
Thieves see hotels as a weak spot. The 2016 Trustwave Global Security Report, which examined hundreds of data breaches across 17 countries in 2015, found the hospitality industry accounted for 14 percent of the breaches. The industry had the second-highest number of breaches, up from third place a year earlier. The retail industry continues to suffer the most breaches.
While many hotel chains have been silent about breach details, Omni revealed credit card and debit card information for more than 50,000 customers had been swiped, and Hyatt said about 250 of its locations around the world had been hit.
Several hotel chains said crooks targeted point-of-sale systems in restaurants, bars and gift shops. Trustwave found two-thirds of the hospitality industry attacks were at these payment terminals.
Thieves look for the equivalent of a master key to data accounts, says Gary Davis, chief consumer security evangelist at Intel Security. “There’s a tendency to break into one [hotel], and then use the same technique to break into another,” he says.
He compares the wave of hotel data breaches to the attacks on major retailers in late 2013 and 2014 that included Target and Home Depot.
Experts say hotels attract cyberthieves because:
- They keep guests’ credit card information for a long time. Guests may reserve rooms months in advance, and hotels retain their credit card details until after the visit is completed.
- Once guests check in, they create a large number of transactions, from restaurant to spa to minibar.
“They’re kind of more ripe for the picking,” says Andrew Hacker, a professor at Harrisburg (Pennsylvania) University of Science and Technology.
Hotel loyalty programs also can be vulnerable, says Neill Feather, president of SiteLock, a website cybersecurity company. Both the Starwood Preferred Guest and Hilton HHonors programs have been hacked. A customer’s name and password for these loyalty programs then can be used “to access higher value targets like bank accounts and emails,” Feather says.
your card info at hotels
Experts say hotel guests can take steps to safeguard their cards and personal information.
- Change passwords. People commonly use the same password for online accounts. If that's you, go to every account with the same password and change it, Feather says.
- Use a credit card, not a debit card. Having your credit card company reverse a charge “is a lot easier than getting money put back in your account,” Hussey says.
- Watch your accounts after you hear of a hotel data heist. Regularly monitor your credit cards, bank accounts and 401(k) accounts for any signs of fraudulent activity, Hussey says, and immediately notify your financial institution if anything looks suspicious. You can also get help monitoring your account through technology, such as signing up to receive a text from your bank whenever your credit card is used, Davis says.
Hotels taking action
Maryam Cope, vice president of government affairs for the American Hotel & Lodging Association, said in a statement that her organization has partnered with the U.S. Department of Commerce “to study state-of-the-art ways to best combat cyberthreats.”
The hotel industry also is “working with the payment card industry to aggressively roll out chip-and-PIN technology, which will reduce credit card fraud and ensure payment card security stays ahead of bad actors,” Cope said.
For hotels that don’t have the new card readers, customers still must swipe their credit card, and information from the magnetic stripe can easily be replicated by fraudsters. With the new card readers, the chip in the credit card creates a unique code for each transaction that can’t be reused.
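Why a per-transaction code stops a copied record from being reused, shown as an added example that is not part of the original article. It is a simplified model: real chip cards follow the EMV specifications' own cryptogram algorithms, HMAC-SHA256 is swapped in here, and the class and field names are assumptions.

```python
import hashlib
import hmac
import secrets

def _code(key: bytes, counter: int, amount: int, nonce: bytes) -> str:
    # Assumption: HMAC-SHA256 stands in for the card scheme's real algorithm.
    msg = counter.to_bytes(2, "big") + amount.to_bytes(6, "big") + nonce
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class Chip:
    """Card side: a secret key plus a counter that only ever goes up."""
    def __init__(self, key: bytes):
        self._key = key
        self.counter = 0

    def authorize(self, amount: int, nonce: bytes) -> dict:
        self.counter += 1
        return {"counter": self.counter, "amount": amount, "nonce": nonce,
                "code": _code(self._key, self.counter, amount, nonce)}

class Issuer:
    """Bank side: recomputes the code and remembers the highest counter seen."""
    def __init__(self, key: bytes):
        self._key = key
        self.last_counter = 0

    def verify(self, txn: dict) -> str:
        expected = _code(self._key, txn["counter"], txn["amount"], txn["nonce"])
        if not hmac.compare_digest(expected, txn["code"]):
            return "declined: bad code"
        if txn["counter"] <= self.last_counter:
            return "declined: code already used"
        self.last_counter = txn["counter"]
        return "approved"

def demo() -> list:
    key = secrets.token_bytes(32)          # constructed key shared by card and bank
    chip, issuer = Chip(key), Issuer(key)
    first = chip.authorize(12500, secrets.token_bytes(4))
    results = [issuer.verify(first)]                            # genuine purchase
    results.append(issuer.verify(first))                        # same record again
    results.append(issuer.verify(dict(first, amount=999900)))   # amount altered
    second = chip.authorize(4200, secrets.token_bytes(4))
    results.append(issuer.verify(second))                       # next purchase
    return results
```

Magnetic-stripe data has no counterpart to the counter or the code, which is why a copy of it keeps working until the card is cancelled.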
Hacker says that to beef up security, the hotel industry needs to move to point-to-point encryption, so card data is encrypted from the moment it’s entered into the hotel’s point-of-sale device until it reaches its endpoint, such as the payment processor.
Or hotels should consider tokenization, he says, in which the account number is replaced with a randomly generated number, called a token, and it’s passed through wireless networks without bank details being exposed.
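A minimal sketch of the tokenization idea described above, added here as an example and not taken from the article or any hotel's system. The `TokenVault` and `HotelSystem` names, keeping the last four digits for receipts, and the sample card number are all assumptions.

```python
import secrets

class TokenVault:
    """Processor side: the only place the token-to-card mapping exists."""
    def __init__(self):
        self._by_token = {}
        self._by_pan = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._by_pan:                 # same card always maps to one token
            return self._by_pan[pan]
        while True:
            # Random digits, no mathematical link to the card number.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]             # assumption: keep last four digits
            if token != pan and token not in self._by_token:
                break
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]

class HotelSystem:
    """Hotel side: reservation records hold tokens, never card numbers."""
    def __init__(self, vault: TokenVault):
        self._vault = vault
        self.records = []

    def reserve(self, guest: str, pan: str) -> str:
        token = self._vault.tokenize(pan)
        self.records.append({"guest": guest, "card": token})
        return token

    def dump(self) -> list:
        """What a copy of the hotel's database would contain."""
        return [dict(r) for r in self.records]

def demo():
    vault = TokenVault()
    hotel = HotelSystem(vault)
    pan = "4111111111111111"    # constructed test number, not a real account
    token = hotel.reserve("guest-001", pan)
    same = hotel.reserve("guest-001", pan)
    return pan, token, same, hotel.dump(), vault.detokenize(token)
```

The hotel's records are useless without the vault, so the breach exposure moves to the one system that holds the mapping.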
In the interim, experts say guests who stayed at one of the hotels that have been hacked shouldn’t obsess about the data breaches. “You can only worry so much because we’ve got to live our lives,” Hussey says.
Anyone can be vulnerable to a data breach. Even Hussey was recently a victim, when his credit card was used to buy an airline ticket in Europe.
Because credit card companies have become more adept at recognizing fraud, “The life span of a credit card that’s been breached now is so small,” Davis says.