The majority of security breaches in the hospitality industry involve point of sale (POS) and denial of service (DoS) attacks, finds the Verizon 2016 Data Breach Investigations Report.

This year’s report points to repeating themes from prior-year findings, as cybercriminals continue to rely on familiar attack patterns, such as phishing, and increase their reliance on ransomware. Eighty-nine percent of all attacks involve financial or espionage motivations, while 85 percent of successful exploits targeted known vulnerabilities for which patches have been available for months or, in some cases, years. There was a pattern of human error, with 63 percent of confirmed data breaches involving weak, default or stolen passwords and many organisations continuing to lack basic defences.

Key concerns highlighted in the report include an increase in phishing and three-pronged attacks.

Phishing scams have picked up dramatically over the prior year. These scams involve end users receiving an email from a fraudulent source that contains malicious attachments or links. Thirty percent of phishing messages were opened – up 23 percent from the 2015 report – and 13 percent of those recipients clicked to open attachments and links, causing malware to infect their devices.

Three-pronged attacks involve sending a phishing email and using malware from the malicious links or attachments in the email to establish an initial foothold. Additional malware, which can be used to steal credentials to multiple applications through key logging, was then downloaded. These credentials can be used for further attacks, such as logging on to third-party websites like banking or retail sites.

According to the report other human errors included sending sensitive information to the wrong person, improper disposal of company information, misconfiguration of IT systems, and lost and stolen assets, such as laptops and smartphones. These ‘miscellaneous errors’ were the number one source of security incidents.

“You might say our findings boil down to one common theme – the human element,” said Bryan Sartin, executive director of global security services, Verizon. “Despite advances in information security research and cyber detection solutions and tools, we continue to see many of the same errors we’ve known about for more than a decade now. How do you reconcile that?”  

The speed at which cybercrimes are committed is also of increasing concern, according to Verizon. In 93 percent of cases, it took attackers minutes or less to compromise systems, while data exfiltration occurred within minutes in 28 percent of cases.

Within the hospitality industry specifically, 74 percent of attacks can be attributed to POS intrusions and 20 percent to DoS. While insider and privilege misuse is the third largest threat, it accounts for only two percent of incidents.

Most POS security breaches use legitimate credentials to access POS devices, where attackers then install malware, like a RAM scraper, to capture payment card data.

The report lists a number of strategies businesses can implement to increase their POS security, including: review vendors' authentication and use two-factor authentication where possible; monitor the use of POS systems to ensure they are only being used by the right people; separate the POS system from the corporate LAN; and use anti-virus software and keep it updated.

DoS attacks aim to disrupt organisations by using botnets to swamp networks with traffic to force key services offline. This can result in the loss of services such as email, internet access and webservers, which can mean blocking access to critical processes like booking portals and billing systems, as well as negatively affecting productivity and threatening business reputation.

The list of strategies suggested by Verizon to combat DoS attacks includes:

  • segregate key servers
  • have a mitigation plan that involves educating key operations staff on the best course of action should an incident occur
  • test and update your plan regularly.

To reduce the risk of insider and privilege misuse, the report recommends businesses monitor user behaviour, track USB usage, know what data they have and where it is stored, and limit who has access.

Despite the continuing pervasiveness of human error, Verizon did report improvement in the discovery time of breaches in the hospitality industry. Compared to the prior year, security incidents have gone from being discovered predominantly in months to being discovered within weeks. However, there is still a significant gap between the time it takes to compromise – just minutes in 98 percent of cases – and exfiltrate data – just days in 98 percent of cases – and the time it takes for businesses to discover breaches.
