US Pro Insurance Services
Digital Security

Cyber Liability and Hospitality Risks

Cyber liability is potentially huge exposure for your hospitality customer, and today US Pro will help you better understand its implications on this industry and be more aware of the everyday hazards facing your customer.

Hotel and restaurant Point of Sales (POS) systems are the number one target of criminal data breaches. The risk facing the hospitality industry with respect to personal information is not only due to the volume of information. It’s also due to the attractiveness of that information to cybercriminals.

From POS systems – from ATM and Interact machines to guest paperwork — you’re providing plenty of sensitive information to hotels, restaurants and bars

  • Financial information stored in accounts systems
  • Customer information, including bookings, names, addresses and credit card details stored in Front of House (FOS) systems
  • Stock and transaction information stored in food & beverage systems
  • Key card data
  • A multitude of sensitive emails, spreadsheets and other documents

Information security exposure points are well known in the hospitality industry. In these trying economic times, risk associated with these exposure points is increasing. That’s why it’s time to end the “it won’t happen to us” syndrome and move information security up the priority list.

Below are some steps that can help mitigate risks posed by common points of exposure in the hospitality industry:

  • Focus on Information Security: As the economy has fundamentally undergone a meltdown, it is important to focus on securing information and assets as an organization while maintaining a secure infrastructure that enables business operations. Introduce a security policy that all staff are aware of and fully understand.
  • Adopt a Risk-Based Security Program: Incorporate a risk-based approach to security, especially during times when you have to make spending decisions on security. It is always better to take a proactive approach to security than a reactive one and only through a strong risk management program can these decisions be made effectively.
  • Focus on Security Awareness: Take steps to propagate your organization’s security strategy beyond your IT department. No better investment can be made to protect against insider threats and targeted attacks against employees, which rise during times of economic downturns. Ensure that the policies and procedures related to your information security program are being followed and working.
  • Think About Intellectual Property (IP) Protection: The purpose of IP is to protect investment in the branding, design, technology and creative works that give one supplier an edge over its competitors. Your IP is your business; protect it as such.
  • Think of Security as a Business Enabler: Process re-engineering and optimization projects can find efficiencies in information systems processes that can be turned into cost savings. Consider outsourcing non-core competencies to a managed security services provider, and focus internal resources on tactical and strategic activities rather than managing technology.
  • Conduct Compliance Assessments Regularly: Perform health checks on your security posture and ensure that you remain compliant with regulations regardless of the economic climate. The ultimate goal of compliance is to be secure – and not just on paper. For every compliance dollar spent, a corresponding measure of risk should be reduced. Otherwise, your compliance dollars are not being effectively spent, and may even be wasted. Risk reduction should drive compliance, not the other way around.
  • Special thanks to B. Sundarasen for this information

Some other eye-raising information to be aware of:

  • Hospitality Industry Cybercrime Risks: Criminal Hackers Target Hotels Lacking “Advanced Data Security Safeguards” On Local Credit Card Transactions; “Chip-And-Pin Cards” Coming Soon
  • “…criminal hackers gravitate to some hotels because, like retail stores and restaurants, hotels do many credit card transactions at a local level, where centralized and highly sophisticated data security safeguards may be lacking…Most hotels are locally owned, though managed by big hotel chain companies. For hotel owners, it is expensive to come into full compliance with the tough global data security criteria set by the credit card companies…That includes using complex passwords, being wary of public Wi-Fi, updating antivirus software — and checking credit card statements carefully…”
  • “…In the United States, credit cards use magnetic strips that are more vulnerable to hacking than the electronic chips embedded in credit cards in Europe and elsewhere. Such cards also require entry of a PIN…these so-called chip-and-PIN cards are headed our way, said Kathy Orner, vice president for information security at Carlson Rezidor, a worldwide hotel company that is among the industry leaders in data security…all of the major credit card issuers plan to start introducing these cards in the United States within two or three years…”
  • In its 2013 Global Security Report, Trustwave, a data security management firm, says that the top three industries targeted for data breach attacks in 2012, measured by the number of its investigations, were retailing (45 percent), food and beverage (24 percent) and hotels (9 percent).
  • Three years ago, the hotel industry was at the top, but hotels have since made “significant strides” in improving credit card security measures, the report says. Last year, for example, the Federal Trade Commission sued Wyndham Worldwide, the hotel chain, for what it said was inadequate safeguarding of credit card information that led to three data breaches at hotels in under two years, with “millions of dollars in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to an Internet domain address registered in Russia.” The threat is constant, Mr. Roman said. “The best protection is vigilance, and that takes work,” he said

Another recent article from February 2013, written by Robert Lemos at, is reprinted here as follows:

Retailers, Hotels Hit By Majority Of Cyber-Crime
Hotels, restaurants and shops accounted for 78 percent of the breaches analysed by security firm Trustwave in 2012. Hotels, restaurants and shops may get five-star ratings from tourists, but many are likely to only receive a single star for security.

An analysis of breach data for 2012 found that retailers and the hospitality industry continued to command the most interest from cyber-criminals, accounting for 78 percent of the breaches documented by security services firm Trustwave.

Easy targets
The businesses are typically easy targets, having outsourced the administration of important servers and business data to firms that focus more on keeping the systems functioning than on security, says Christopher Pogue, director of digital forensics and incident response for Trustwave’s SpiderLabs.

“An integrator may have 1,000 customers and may do remote administration for all of them using, not 1,000 passwords, but maybe two or three,” Pogue said. “That leaves a vulnerability that can be exploited by attackers.”

Almost one-third of all victims had critical systems administered by a third party. Attackers had no trouble exploiting that weakness, with vulnerable remote-access systems accounting for the method of entry in 47 percent of the cases, according to the Trustwave report. In most cases, users – not software vulnerabilities – were to blame: Almost 90 percent of systems had weak or easily guessable passwords, with “Password1″ continuing to be the most common, according to Trustwave’s report. The report underscored that attackers continued to focus on what works, not necessarily on new techniques.

Web flaws targeted
In addition to targeting poorly secured remote-access applications, attackers also focused on exploiting flaws in websites to gain access to the backend databases, typically known as a SQL injection attack and which accounted for more than a quarter of all attacks.

“From a criminal perspective, why should I get creative when I commit my crimes, when I don’t have to,” Pogue said.

Focused on stealing credit card and customer data, cyber-criminals compromised point-of-sale servers in nearly half of attacks and targeted websites for the other half. Only 5 percent of attacks focused on other infrastructure. Because the victims were not prepared to deal with security incidents, they detected breaches in less than a quarter of the cases. Moreover, the average time to detect a breach rose to 210 days in 2012, an increase of more than a month compared with 2011.

The attackers used a variety of exploit kits, yet nearly 70 percent of all attacks used the Blackhole exploit kit. By the end of 2012, however, the Cool exploit kit was increasingly being used.

Trustwave analysed some 450 cases investigated by the company’s incident responders and found 40 different variants of malware used by six distinct criminal groups. Further analysis suggests that only three criminal teams cause the majority of point-of-sale breaches in major nations worldwide.

Russian data dumps
While attacks typically came from the US, Russia and Taiwan, the criminals used data dump sites in Russia, the Ukraine and Romania.

The service provider recommended that companies hold their third-party service providers to a higher level of security.
Alternatively, companies can outsource their credit-card processing to prevent the sensitive data from ever being stored on their servers.

US Pro is America’s Cyber Insurance Experts, no matter the industry class. Medical and healthcare. Financial. Long term care. Nonprofits. Retail. Hospitality. Big business, and more! We spend great time and energy studying the industries, how cyber is impacting them, and what programs best fit their coverage needs.

Send us your submission, or ask us for an application today by contacting us at