The Green Sheet

Wednesday, September 5, 2018

GitHub upload may have caused epic hotel breach

Security analysts are reacting to Huazhu Group’s security breach involving 13 prominent Chinese hotel brands. Huazhu represents more than 3,000 hotel brands in multiple cities across China, according to Reuters’ Shanghai bureau. On Aug. 29, 2018, the news agency reported the Hanting Hotel, Crystal Orange Hotel, VUE, CitiGO and Grand Mercure Hotels, among others, may have been affected, compromising a trove of check-in records and related consumer data.

In “China police investigate possible data breach at hotel operator Huazhu Group,” posted Aug. 29, 2018, in The Straits Times international edition, reporters wrote, “The information included 123 million pieces of registration data on Huazhu's official website, such as name, mobile number, ID number and log-in pin; 130 million pieces of check-in records, such as name, ID number, home address and birthday; and 240 million pieces of hotel stay records, such as name, credit card number, mobile number, check-in and check-out time, consumption amount and room number.”

Reuters noted Huazhu Group may face penalties under China's Law on the Protection of Consumer Rights and Interests, which “stipulates operators should take technical and other measures to safeguard information security, to prevent leaking consumers' private information.”

Zpower, a cybercrime reporting service and intelligence agency, suggested Huazhu may have unwittingly exposed a vulnerability when uploading its database to GitHub, a web hosting company. Authorities later found millions of personal records listed for quick sale on the Dark Web and are working to confirm authenticity, according to sources familiar with the investigation.

Hospitality a frequent target

Michael Magrath, director, global regulations & standards at OneSpan, said the Huazhu security breach is only the latest in a string of cyberattacks against hospitality brands. “Last summer the SABRE breach affected numerous chains including Trump Hotels, Loews, Four Seasons and Hard Rock,” he stated. “Given the breadth of personally identifiable information stored on hospitality industry systems, cyber criminals will continue their attacks, often targeting usernames and static passwords or compromising unsecure mobile applications.”

Considering the hospitality industry’s commitment to customer service, Magrath said advanced security technologies could be a point of differentiation for a leading hotel brand. “Upscale properties can differentiate themselves by offering the latest, frictionless adaptive authentication methods combining behavioral biometrics and machine learning as well as fingerprint and facial recognition,” he said. “These technologies can enhance the overall customer experience from online booking, registration, check-out, and entering their guest room.”

David P. Vergara, head of security product marketing at OneSpan, said hotels must fully assess their security postures and technologies while implementing best practices throughout their enterprises. The Huazhu Group case highlights the need for better internal training and adoption of best practices from an IT security and development perspective, he stated.

“No security measures can fully protect against mind-numbingly careless behavior on the part of internal development teams,” Vergara said. “If, indeed, [the Huazhu Group] breach was tied to unsecured copies of the hotel database being released, hotel customers should be furious, and the hotel should be responsible, providing tools and services to protect customers from fraud.”

Update, review vendor agreements

George Mateaki, security analyst at SecurityMetrics, emphasized the need for clearly defined security policies and procedures in the lodging industry, particularly those involving third-party service providers. While nothing is 100 percent secure, hospitality merchants need to put into place controls that limit or decrease the probability of a security issue, he said.

“With vendor engagement agreements there has to be protection for a breach,” he stated. “Whether that comes in the form of insurance or some agreement, this consideration is part of due diligence with securing your environment.”

Vendor engagement policies and procedures should be living documents that address access to data in cloud environments, Mateaki added. He recommends conducting continual reviews and updates to meet changing challenges.
