Are retail and hospitality companies susceptible to data breach? In a word: highly. Of the hundreds of major data breaches investigated in 2016 by security provider Trustwave, 23% were in the retail industry and 14% in hospitality – a significantly higher volume of cases than other industries including finance & insurance (8%) and professional services (4%).
From a cyber-criminal’s perspective, retailers and hospitality providers are a lucrative source of personal data, customer identities and business account access. Every time a product is sold, a hotel guest checks in or a new employee is hired, new data records are created – from employee IDs and CVs to customer receipts and payment details. Much of this information can be used in criminal activities such as fraud and identity theft.
Several of the highest-profile data breaches of recent years have affected retail and hospitality companies and their customers. Let’s review some notable cases from both industries:
Malware, moles and radio antennae: how cyber criminals target retailers
Recent history shows that even the biggest and best-protected retailers are susceptible to data breach.
Take the American retailer, Target, for example, where there was a company data breach in 2013. Target’s network was infected with malware by cyber-criminals, who were able to steal data pertaining to over 60 million of the chain’s customers. The hackers behind the attack captured customer information including full names, phone numbers, email addresses, payment card numbers and credit card verification codes.
Interestingly, Target was using advanced cybersecurity software from the CIA-related supplier FireEye at the time of the breach. However, the company had chosen not to use the software’s automated malware blocker functionality, which would likely have prevented the breach. Target’s team were just one good decision away from stopping one of the biggest data leaks in history.
Cyber criminals use a variety of techniques to compromise retailers’ data, notably including:
- Insecure Wi-Fi. In the early 2000s, “America’s most notorious hacker”, Albert Gonzalez, used powerful radio antennae to access major retailers’ networks via their Wi-Fi. With the help of his accomplice, Christopher Scott, Gonzalez stole around 400,000 card accounts from BJ’s Wholesale Club, and a further million from the footwear retailer DSW.
- SQL injection. In an SQL injection attack, the hacker exploits the database server driving the victim’s website, using it as a “lily pad” to get behind the victim’s firewall. This tactic is used in nearly a quarter of attacks targeting customer card data.
- Malicious insider. A member of staff or other party with access to the organisation manually introduces malware to its systems, e.g. via USB storage device.
- Compromised insider. A member of staff or other party with access to the organisation is compromised, allowing criminals access to the organisation’s systems. This approach was used in the Target attack, which stemmed from a successful phishing attack on an employee of one of Target’s supply chain partners. The hackers compromised the insider; then the insider inadvertently compromised Target.
Compromised check-in data and leaky software suppliers: how hospitality companies are falling victim to data breach
Hospitality companies have borne the brunt of some of the worst data breaches in history. Most recently, up to 500 million guests of the Marriott Hotel chain have had their personal information compromised in a data breach of unprecedented proportions. Early reports indicate hackers had access to the chain’s Starwood Hotels database over a period of four years, in which time they siphoned off customer information including credit card data, passport numbers and loyalty account information.
As far as we know, the Marriott Hotels data breach of 2018 is the biggest ever leak of customer data. However, it is far from the first case of a hotel booking database getting broken into by cyber criminals. Four Seasons Hotels and Resorts, Trump Hotels, Kimpton Hotels & Restaurants and Red Lion Hotels Corporation all had their customer data compromised when their third-party reservations provider, Sabre, was breached between August 2016 and March 2017.
If all these companies got breached, do others have any hope of protecting their data?
We’re sorry if this article has made for upsetting reading. There’s no getting away from the fact data breach is an increasingly widespread and complex problem in the retail and hospitality industries.
Thankfully, there is a silver lining, in that there are things companies can do to reduce the risk of their data being compromised. With the benefit of hindsight, every breach discussed in this article could have been diverted through better decision-making and processes.
Take the Sabre breach, for example. The hotel chains affected may not have given up their customer data so lightly, if only they had taken better care when choosing a reservation software partner. And how about Target? If their security software’s automatic malware removal feature had been active, perhaps that breach could have been avoided.
With these lessons in mind, you will hopefully be feeling inspired to remove the weak spots in your own company’s network. If so, check out the framework for identifying and controlling cyber vulnerabilities detailed in our article, Why Cyber Criminals Target HR Managers. The examples given relate specifically to a HR context, but the theory used can apply to any context where data needs to be protected.