Susceptibility of Retail and Hospitality to Data Breach

Are retail and hospitality companies susceptible to data breach? In a word: highly. Of the hundreds of major data breaches investigated in 2016 by security provider Trustwave, 23% were in the retail industry and 14% in hospitality – a significantly higher volume of cases than other industries including finance & insurance (8%) and professional services (4%).

From a cyber-criminal’s perspective, retailers and hospitality providers are a lucrative source of personal data, customer identities and business account access. Every time a product is sold, a hotel guest checks in or a new employee is hired, new data records are created – from employee IDs and CVs to customer receipts and payment details. Much of this information can be used in criminal activities such as fraud and identity theft.

Several of the highest-profile data breaches of recent years have affected retail and hospitality companies and their customers. Let’s review some notable cases from both industries:  

Malware, moles and radio antennae: how cyber criminals target retailers

Recent history shows that even the biggest and best-protected retailers are susceptible to data breach.

Take the American retailer, Target, for example, where there was a company data breach in 2013. Target’s network was infected with malware by cyber-criminals, who were able to steal data pertaining to over 60 million of the chain’s customers. The hackers behind the attack captured customer information including full names, phone numbers, email addresses, payment card numbers and credit card verification codes.

Interestingly, Target was using advanced cybersecurity software from the CIA-related supplier FireEye at the time of the breach. However, the company had chosen not to use the software’s automated malware blocker functionality, which would likely have prevented the breach. Target’s team were just one good decision away from stopping one of the biggest data leaks in history.

Cyber criminals use a variety of techniques to compromise retailers’ data, notably including:

  • Insecure Wi-Fi. In the early 2000s, “America’s most notorious hacker”, Albert Gonzalez, used powerful radio antennae to access major retailers’ networks via their Wi-Fi. With the help of his accomplice, Christopher Scott, Gonzalez stole around 400,000 card accounts from BJ’s Wholesale Club, and a further million from the footwear retailer DSW.
  • SQL injection. In an SQL injection attack, the hacker exploits the database server driving the victim’s website, using it as a “lily pad” to get behind the victim’s firewall. This tactic is used in nearly a quarter of attacks targeting customer card data.  
  • Malicious insider. A member of staff or other party with access to the organisation manually introduces malware to its systems, e.g. via USB storage device.
  • Compromised insider. A member of staff or other party with access to the organisation is compromised, allowing criminals access to the organisation’s systems. This approach was used in the Target attack, which stemmed from a successful phishing attack on an employee of one of Target’s supply chain partners. The hackers compromised the insider; then the insider inadvertently compromised Target.  

Compromised check-in data and leaky software suppliers: how hospitality companies are falling victim to data breach

Hospitality companies have borne the brunt of some of the worst data breaches in history. Most recently, up to 500 million guests of the Marriott Hotel chain have had their personal information compromised in a data breach of unprecedented proportions. Early reports indicate hackers had access to the chain’s Starwood Hotels database over a period of four years, in which time they siphoned off customer information including credit card data, passport numbers and loyalty account information.

As far as we know, the Marriott Hotels data breach of 2018 is the biggest ever leak of customer data. However, it is far from the first case of a hotel booking database getting broken into by cyber criminals. Four Seasons Hotels and Resorts, Trump Hotels, Kimpton Hotels & Restaurants and Red Lion Hotels Corporation all had their customer data compromised when their third-party reservations provider, Sabre, was breached between August 2016 and March 2017.

If all these companies got breached, do others have any hope of protecting their data?

We’re sorry if this article has made for upsetting reading. There’s no getting away from the fact data breach is an increasingly widespread and complex problem in the retail and hospitality industries.

Thankfully, there is a silver lining, in that there are things companies can do to reduce the risk of their data being compromised. With the benefit of hindsight, every breach discussed in this article could have been diverted through better decision-making and processes.

Take the Sabre breach, for example. The hotel chains affected may not have given up their customer data so lightly, if only they had taken better care when choosing a reservation software partner. And how about Target? If their security software’s automatic malware removal feature had been active, perhaps that breach could have been avoided.

With these lessons in mind, you will hopefully be feeling inspired to remove the weak spots in your own company’s network. If so, check out the framework for identifying and controlling cyber vulnerabilities detailed in our article, Why Cyber Criminals Target HR Managers. The examples given relate specifically to a HR context, but the theory used can apply to any context where data needs to be protected.

Stay up to date on PlanetVerify news, product updates, and more

PlanetVerify will only use the information you provide to share blog updates. You can unsubscribe any time. For more details, check out our privacy policy.

Related Articles

Unlocking Success: The Essential Checklist for Digital Customer Onboarding

Businesses are constantly evolving to meet the demands of tech-savvy consumers and one crucial aspect of this evolution is the digital customer onboarding process. Digital customer onboarding refers to the seamless integration of new users into a digital platform or service. It is the first impression a customer has of your product, making it a pivotal step in creating a positive user experience. In this era of instant gratification, a well-executed digital onboarding strategy can be the key to retaining customers and fostering long-term relationships.   BOOK A PLANETVERIFY DEMO TODAY →   Essential Checklist to Consider Clear Communication: Successful

Read More ...

Essential Customer Onboarding Best Practices for Success

At PlanetVerify, we’re not just experts in secure document collection and verification; we’re also passionate about ensuring the onboarding experience for our clients is second to none. This blog dives deep into the nuances of customer and client onboarding, sharing advanced strategies that have been refined through our extensive experience. Whether you’re welcoming new customers or clients, these insights are designed to set your business apart. BOOK A PLANETVERIFY DEMO TODAY →   The Critical Importance of Customer Onboarding Customer onboarding is a pivotal phase in the customer journey, laying the groundwork for a long-term relationship. It’s more than a

Read More ...

PlanetVerify Platform Updates October 2023

Companies across many different industries use PlanetVerify to streamline and secure their customer processes. We work closely with our customers who provide us with invaluable feedback as we build out our feature set to meet new and evolving customer needs. This month we have enhanced the search capabilities on our platform as well as adding a new view option for users to identify profiles that have added attachments. 1 – Search Messages When you send a profile request you have the possibility of including a personal message with each data request, and this message is also shown on the main

Read More ...