In an era when data breaches have become almost a dime a dozen and it seems nearly everyone has been breached — it takes something extraordinary to stand out above the crowd.
On the last day of November 2018, Marriott managed just that, when it reported one of the largest data breaches in history, with 500 million guests impacted. For roughly 327 million of those affected, the stolen data was substantial, ranging from names and email addresses to passport numbers and Starwood account information. Marriott also said payment card data might have been compromised, though on the upside much of that was encrypted.
The breach involved a remote access trojan (RAT), software that lets attackers take control of a target computer, as well as a second piece of malware that scours computer memory for usernames and passwords. And the news went from bad to worse: all of that stolen data seems to have stayed off the dark web, according to testimony Marriott CEO Arne Sorenson gave at a Senate committee hearing in March 2019. That may not sound like bad news on first hearing, but according to most security experts, the lack of commercial intent for the stolen data makes it more likely the hack was carried out by a government, which could use the data to infer information about politicians, intelligence assets and business leaders.
China has been named most often as a likely potential culprit.
“From an intelligence standpoint, there are some real advantages to understanding where high-profile people are going to be ahead of time,” Gates Marshall, director of cyber services at CompliancePoint Inc., whose consulting clients include airports, told Bloomberg. “There’s a market for travel itineraries. It’s not a commercial market; it’s more of a geopolitical one.”
The Marriott hack caught the world’s attention for its size and scale, but hacks have become increasingly common in the world of hospitality. Hilton, Hyatt, InterContinental, Mandarin, Trump Brands, White Lodgings and Kimpton have all reported hacks since 2016, and more hands-on criminals have found ways to attack electronic door locks to burgle rooms. Hotels face attempted attacks at a rate comparable to financial institutions and retailers, though to many they might seem a less obvious target.
However, as FIs and retailers have gotten better at hardening their defenses, hackers looking for entry points are increasingly turning to hotels, and finding an arena that is structurally vulnerable, and perhaps at risk of becoming more so.
A Naturally Slow To Adopt System
The structure of most modern hotel chains makes a unified focus on cybersecurity difficult. Large international brands like Marriott and Hilton build, maintain and secure brand-wide databases at the enterprise level that store reservations and loyalty program information. But individual hotels are often owned and operated by franchisees, who pick up tasks like protecting the electronic locks and other technology at their properties. Individual operators managing on thin margins have a finite budget to spend on technology upgrades and improvements, and will often opt instead for more visible investments like room renovations or better amenities for guests.
As a result, individual hotels often run on older software systems. According to Bloomberg, one favored property management system (PMS, the system that handles payments, reservations, issuing room keys and other tasks) is Opera, sold by Oracle Corp. Opera is designed to run on a legacy Windows operating system, and during the installation process it encourages users to turn off a series of security features designed to protect the system from malware, remote attacks and seizures of control by cybercriminals. The security guide does tell users to “reharden” the system once the installation is complete, but according to reports, that step often gets forgotten.
To make matters worse, many hotels put their PMS directly on the internet, making it reachable from anywhere. Cyber insurer Coalition Inc. tested and found at least 1,300 instances of Opera PMS exposed on the public internet.
“All of a sudden your system is only as secure as a username and password,” Coalition CEO Joshua Motta noted, adding, “which hackers have repeatedly shown isn’t terribly effective.”
Moreover, those are only the baseline issues. As hotels struggle to plug their cybersecurity holes, they are finding that many of the upgrades they add to their properties to enhance the guest experience are making their systems more vulnerable.
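The two failure modes above, protections left off after installation and a PMS login page reachable from any address, are both things a hotel operator can check for mechanically. The audit script below is an added example, not Oracle’s, Marriott’s or Coalition’s code, and it assumes the three Windows protections in question are Defender real-time scanning (malware), the Windows Firewall profiles (remote attacks) and User Account Control (seizure of control), which is a reading of the article rather than something the installation guide is quoted as saying; the PMS port number is likewise an assumption. Run it in an elevated PowerShell session on the PMS host.

```powershell
# Added example: post-install "re-hardening" audit for a Windows host running a PMS.
# Assumptions (not from the article): the disabled features are Defender real-time
# protection, the firewall profiles and UAC; the PMS web front end listens on $PmsPort.

$PmsPort = 8080   # assumed PMS listening port; set to the real one
$findings = @()

# 1. Malware protection: Defender real-time scanning must be back on.
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) {
    $findings += "Defender real-time protection is disabled"
}

# 2. Remote-attack protection: every firewall profile (Domain/Private/Public) must be enabled.
Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | ForEach-Object {
    $findings += "Firewall profile '$($_.Name)' is disabled"
}

# 3. Control-seizure protection: UAC is governed by the EnableLUA policy value.
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ($uac.EnableLUA -ne 1) {
    $findings += "User Account Control (EnableLUA) is off"
}

# 4. Exposure: an enabled inbound allow rule for the PMS port whose remote address is
#    'Any' means the login page is reachable from wherever this host is routable,
#    i.e. the "only as secure as a username and password" situation.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $rule  = $_
    $ports = $rule | Get-NetFirewallPortFilter
    if ($ports.LocalPort -contains "$PmsPort") {
        $addr = $rule | Get-NetFirewallAddressFilter
        if ($addr.RemoteAddress -contains 'Any') {
            $findings += "Rule '$($rule.DisplayName)' allows port $PmsPort from any remote address; " +
                         "restrict RemoteAddress to the management subnet or VPN range"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "PASS: host is re-hardened and the PMS port is not open to the world"
} else {
    $findings | ForEach-Object { Write-Output "FAIL: $_" }
    exit 1
}
```

A non-zero exit makes the script usable as a gate in whatever change or monitoring process the property already has, so the "reharden" step stops depending on someone remembering it. The address check only looks at the host’s own firewall; an upstream NAT or load balancer that forwards the port is a separate exposure and has to be reviewed on that device.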
All Of The Emerging Ways To Crack A Hotel Room
One might not be inclined to look at a massive fish tank in a Las Vegas hotel as a particularly dangerous thing. Tacky perhaps, but not inherently threatening. However, a smart fish tank in a Las Vegas casino was all hackers needed to breach the system and reach a database of high rollers on the property’s internal network.
Similar intrusions have come through the smart alarm clocks, appliances, speakers and televisions that are showing up more and more often in higher-end hotel rooms to enhance a visitor’s stay. One dedicated trio of white hat researchers auditing a client’s hotel room found no obvious targets at first: no smart TV, no internet-connected minibar. What they did find, however, was a small network port above the drapes, designed to let guests remotely open and close the shades.
That attack didn’t work, nor did one against equipment they found in a closet (because the auditors forgot to bring a cable they would have needed to exploit it), but they eventually had some success using denial-of-service attacks to push hotel guests off the hotel network and onto a spoofed one.
And that, they noted, was a good outcome. In a more typical result, with more porous defenses, they would have been able to gain administrator access to the hotel’s main page and start harvesting credit card data directly from it.
The problem is serious, particularly as more hotel chains build ever more comprehensive loyalty and consumer information databases to better meet consumer needs, because hackers know the data is there, and that there are perhaps more ways than ever to get at it.