Steps for hoteliers to counter guest personal data theft

WORLDWIDE Hoteliers should take immediate steps to minimize cyber crime vulnerabilities to avoid the potential for hundreds of thousands of dollars in costs and fines that typically result when just a single hotel system is breached, hotel industry associations say.

The American Hotel & Lodging Association, Hotel Technology Next Generation and Hospitality Financial and Technology Professionals have published a list of actions that hotels—and not their system vendors—need to take to secure guest data. These steps are in addition to, and not a substitute for, the Payment Card Industry Data Security Standards.

Cyber criminals are systematically attacking hotel systems that store credit card data, including point-of-sale and property management systems. Many hoteliers believe they are not vulnerable because their POS and PMS have been certified for the latest PCI security standards, but even such validated systems can be vulnerable if the hotel operates them in an unsecured manner.

Step 1. Eliminate every default password on every machine on a hotel’s network, including servers, workstations, routers, firewalls and any other device that has a password. The most important machines to check are the ones you think are least vulnerable, such as a computer on an engineer’s desk for monitoring building systems, or a computer in the parking garage attendant’s office, or the one in a closet running the keycard system.

To do this right, have the hotel IT manager or a network consultant map out the network electronically, identifying every attached device and then physically trying to log in to each one using the manufacturer’s default login credentials. If that login and password work, change them. In the majority of major cyber attacks in 2009, the thieves gained entry to the network by using the word “password” as the password.

Step 2. Eliminate holes in remote access to systems inside the hotel’s network. Remote access by vendors is an essential part of support for many hotel systems. The data thieves know this, and they know how to use it to get inside your network. They know all the default passwords, and they have even been known to steal master customer lists, complete with current passwords, from vendors.

At the very least, make sure that the administrative and remote-access passwords on all systems have been changed from the vendor defaults. Better still, for each vendor that needs remote access, put in place a process that verifies, each time they connect, that it is really them and not someone who has stolen the vendor's password list, and that records your approval of the connection. There are many good technology solutions, but a manual policy of one-time passwords also works: when a vendor asks to connect, have your staff call them back on the vendor's published support line, not a number the caller supplies, and read them the password for that session. Give the password list only to trusted staff, store it under lock and key with instructions for changing it, and retire each password as soon as the vendor's session is done.
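The audit that Steps 1 and 2 describe (map every device, then try the manufacturer's default login and the obvious weak passwords on each account, including administrative and remote-access accounts) can be scripted once the inventory exists. The following is an added example, not code from the associations' guidance. The vendor names, default-credential table, inventory and the simulated login function are all constructed for illustration; in a real run you would replace `simulated_login` with an SSH, HTTP or Telnet client for the device type and keep the candidate list short so that account-lockout policies do not turn the audit into an outage.

```python
"""Default-credential audit over a device inventory (Steps 1 and 2).
Added example with constructed data; the login back end is pluggable."""
import csv
import io

# Constructed default-credential table; the vendor names are hypothetical.
DEFAULT_CREDS = {
    "ExampleNet": [("admin", "admin"), ("admin", "")],
    "KeyCardCo":  [("service", "service")],
    "HVACmon":    [("root", "hvac")],
}

# Tried on every listed account regardless of vendor. Keep this list small:
# a long list against a device with lockout can disable a production account.
COMMON_WEAK = ["password", "Password1", "123456"]

# Constructed inventory in the shape an IT manager's network map would produce.
# "accounts" lists the admin and remote-access logins known for the device.
INVENTORY_CSV = """\
host,vendor,role,accounts
10.0.5.2,ExampleNet,router,admin
10.0.5.40,KeyCardCo,keycard server,service;remote
10.0.5.41,HVACmon,engineering PC,root
10.0.5.50,ExampleNet,pms,admin;vendorsupport
"""

# Constructed ground truth for the simulation only; a real audit never has this.
_SIMULATED_PASSWORDS = {
    ("10.0.5.2", "admin"): "admin",            # router still on the default
    ("10.0.5.40", "service"): "service",       # keycard box still on the default
    ("10.0.5.40", "remote"): "password",       # weak remote-access password
    ("10.0.5.41", "root"): "T9!vq#Lm2pRz",      # changed
    ("10.0.5.50", "admin"): "g4%Kd8sW!qXe",     # changed
    ("10.0.5.50", "vendorsupport"): "Zp2&hN7cMv!r",
}


def simulated_login(host, user, password):
    """Stand-in for a real protocol client: True if the credential works."""
    return _SIMULATED_PASSWORDS.get((host, user)) == password


def candidate_creds(vendor, accounts):
    """Vendor defaults first, then common weak passwords for each account."""
    cands = list(DEFAULT_CREDS.get(vendor, []))
    for acct in accounts:
        cands.extend((acct, pw) for pw in COMMON_WEAK)
    seen, out = set(), []
    for c in cands:                      # de-duplicate, preserving order
        if c not in seen:
            seen.add(c)
            out.append(c)
    return out


def audit(inventory_csv, try_login):
    """Return (host, role, user, password) for every credential that worked."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        accounts = [a for a in row["accounts"].split(";") if a]
        for user, pw in candidate_creds(row["vendor"], accounts):
            if try_login(row["host"], user, pw):
                findings.append((row["host"], row["role"], user, pw))
    return findings


if __name__ == "__main__":
    for host, role, user, pw in audit(INVENTORY_CSV, simulated_login):
        print(f"CHANGE NOW: {host} ({role}) accepts {user!r}/{pw!r}")
```

Every line the script prints is a device that Step 1 or Step 2 says must be fixed before anything else; the ones on the keycard server and the router are exactly the "least vulnerable" machines the guidance warns about.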

Step 3. Operating without an Internet firewall is just as risky as storing stacks of money in plain sight in an exit stairwell. Yet many hotels, especially smaller ones, don’t have a firewall. If you are connected to the Internet without one, then people you don’t know, from around the world and many with malicious intent, are reaching into your network.

If you don’t have a firewall, buy one and install it. Even a consumer-grade firewall, available for US$100 or less, provides a lot more protection than nothing. Get a firewall and configure it properly to prevent the criminals from reaching your machines easily. It should allow only those types of traffic you need, and only to or from Internet addresses that you trust.
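"Allow only the traffic you need, and only to or from addresses you trust" is a default-deny allowlist. The block below is an added example, not part of the associations' guidance: it models such a policy for a hotel's edge firewall, checks sample connections against it, and renders the equivalent nftables ruleset that could be loaded with `nft -f` on a Linux firewall. The vendor support range, PMS host, card-processor range and ports are constructed placeholders.

```python
"""Default-deny allowlist for the hotel's Internet edge (Step 3).
Added example with constructed addresses; renders an nftables ruleset."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str       # CIDR that may originate the connection
    dst: str       # CIDR that may receive it
    proto: str     # "tcp" or "udp"
    dport: int     # destination port
    comment: str


# Constructed policy: the PMS vendor's support range may reach the PMS on
# its SSH port, and the hotel LAN may reach the card processor on HTTPS.
# Anything not listed, inbound or outbound, is dropped.
POLICY = [
    Rule("203.0.113.0/28", "10.0.5.50/32", "tcp", 22, "PMS vendor remote support"),
    Rule("10.0.5.0/24", "198.51.100.0/24", "tcp", 443, "card processor"),
]


def allowed(policy, src_ip, dst_ip, proto, dport):
    """True only if a new connection matches an explicit rule (default deny)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in policy:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and proto == r.proto and dport == r.dport):
            return True
    return False


def render_nft(policy, table="hotel_edge"):
    """nftables forward chain with policy drop and one accept per rule.
    Return traffic of accepted connections is allowed by conntrack state."""
    lines = [
        f"table inet {table} {{",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for r in policy:
        lines.append(
            f"    ip saddr {r.src} ip daddr {r.dst} {r.proto} dport {r.dport} "
            f"accept comment \"{r.comment}\""
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample connections: vendor to PMS, stranger to PMS, LAN to processor.
    for src, dst, proto, port in [("203.0.113.5", "10.0.5.50", "tcp", 22),
                                  ("198.18.0.77", "10.0.5.50", "tcp", 22),
                                  ("203.0.113.5", "10.0.5.50", "tcp", 3389),
                                  ("10.0.5.20", "198.51.100.9", "tcp", 443)]:
        verdict = "accept" if allowed(POLICY, src, dst, proto, port) else "drop"
        print(f"{src} -> {dst} {proto}/{port}: {verdict}")
    print(render_nft(POLICY))
```

The point of the model is what it does not contain: there is no rule that lets an arbitrary Internet address reach the PMS or POS, and the vendor's access is confined to one source range, one host and one port, so a stolen vendor password alone is not enough to get in from anywhere. Outbound rules matter as much as inbound ones, since card data stolen by malware on a POS still has to leave the network.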