DarkMatter insight on the Hyat

DarkMatter insight on the Hyatt Breach

Background

Earlier this month, it was reported that more than a dozen hotels in the Middle East were among Hyatt-operated properties worldwide that were affected by a malware breach at the group late in 2015.

The Chicago-based firm said a previously reported malware attack to steal payment card data affected 250 hotels between August 13 and December 8, 2015.

Below is a list of all the Hyatt-managed properties in the Middle East affected by the breach, and the dates payment details were at risk:

  • ​Abu Dhabi: Hyatt Capital Gate Abu Dhabi - 8/13/2015 - 10/14/2015
  • Abu Dhabi: Park Hyatt Abu Dhabi Hotel and Villas - 8/13/2015 - 12/8/2015
  • Amman: Grand Hyatt Amman - 8/13/2015 - 12/8/2015
  • Doha: Grand Hyatt Doha - 8/13/2015 - 12/8/2015
  • Dubai: Grand Hyatt Dubai - 8/13/2015 - 10/14/2015
  • Dubai: Hyatt Place Dubai/Al Rigga - 8/13/2015 - 10/14/2015
  • Dubai: Hyatt Place Dubai/Baniyas Square - 8/13/2015 - 10/14/2015
  • Dubai: Hyatt Regency Dubai - 8/13/2015 - 12/8/2015
  • Dubai: Hyatt Regency Dubai Creek Heights - 8/13/2015 - 10/14/2015
  • Dubai: Park Hyatt Dubai - 8/13/2015 - 10/14/2015
  • Jeddah: Park Hyatt Jeddah – Marina, Club and Spa 8/13/2015 - 12/8/2015
  • Makkah: Hyatt Regency Makkah - 8/13/2015 - 10/14/2015
  • Muscat: Grand Hyatt Muscat - 8/13/2015 - 10/14/2015
  • South Sinai: Hyatt Regency Sharm El Sheikh Resort - 8/13/2015 - 10/14/2015

Comment and context by Eric Eifert, Senior Vice President - Managed Security Systems, DarkMatter

I believe this is a recent example of sophisticated cyber criminals targeting an industry that has information worth stealing and is generally unprepared to protect itself from these types of threats.

The hospitality industry clearly has sensitive customer information that it needs to protect. As a sector, it has to establish policies and procedures to properly handle such data, and which ought to be geared at answering questions that lie at the heart of data protection, including but not limited to:

  • How do hospitality establishments ensure sensitive data is encrypted at rest and in-transit?
  • Do hospitality establishments train their staff on how to properly handle this information?
  • ​ Are there systems in place to monitor and conduct assessments to determine if sensitive information is unencrypted?

Hoteliers need to understand that Payment Card Industry Data Security Standard (PCI DSS) compliance does not protect them from malicious intrusion attempts, but rather is a guide for them to build and manage a cyber security programme that will reduce the risk of a successful intrusion.

There are numerous examples of organisations who were compliant with PCI DSS and suffered a data breach where credit card data was stolen. In a recent intrusion investigation I supported involving a hotel that was PCI DSS compliant, malicious software resided on its network, and was stealing credit card information for nine months prior to being detected. Moreover the malicious software was only detected when law enforcement officials contacted the hotel to notify them as to the source of stolen credit cards.

Cyber threats have increased in sophistication and thus the hospitality industry needs to understand these threats to its industry and the potential impact to its business. This is where a company like DarkMatter can assist in helping hotels establish a cyber security programme incorporating policies, procedures, and personnel, developing a cyber security strategy that will give them visibility into their environment and deploy defensive technologies and methodologies to protect PCI and Personally Identifiable Information (PII) data.

Hoteliers should also consider establishing a continuous monitoring programme to rapidly identify security risks and remediate them before they are exploited. Additionally, cyber security risks are becoming an important discussion point for executive boards and as such hospitality companies should consider having a Chief Information Security Officer (CISO) or another person in place who can articulate the risks to the appropriate management level.