The Rise in Hotel & Restaurant Data Breaches

Posted by Canh Tran on Feb 17, 2016 6:30:00 AM

Hotel Lobby

Hackers are increasingly targeting the lodging and restaurant industries to steal customer card information.  According to a Trustwave study of data breaches in 24 countries, 38% occurred at hotels making it the most breached type of business.  In the last two years alone the industry has experienced several high profile breaches at well-known chains.  While the well-known chains have gathered the most attention, no doubt smaller hotels and motels are likely to have been targeted as well.  Most of those go undetected or unreported creating additional headaches for consumers whose card information has been stolen and for banks who need to mitigate the subsequent fraud losses.

High Profile Hotel Breaches

Some of the more well-known hotel chains that have been breached in the last two years include:

Trump Hotels – May 2014 – June 2015

Mandarin Oriental Hotel Group – June 2014-March 2015

Hard Rock Café – September 2014 – April 2015

Starwood – November 2014 – May 2015

Hilton – November 2014 – December 2014 and April – July 2015

Hyatt – August 2015 – December 2015

Why Hotels, Restaurants and the Lodging Industry?

This is no suprise. The Trustwave study meshes with our own breach analytics showing that the top three types of businesses most susceptible to compromise are hotels and restaurants, grocery stores, and gas stations.

In their WSJ article “Checking in at Hotels? Hackers May Be, Too” Robin Sidel and Craig Karmin note many possible reasons for the acceleration of hotel breaches.

  1. Travelers tend to rack up a lot of charges and may be slower to notice fraudulent charges on their statements.  Some may use business cards and can be less vigilant when it doesn’t affect them personally.
  2. Many hotels gather detailed information about their guests and families to make their experience more enjoyable but also creating in the process an attractive target for data thieves.
  3. A hotel ecosystem typically includes several operations involving payment terminals including the front desk, gift shops, restaurants, spas, and back-office that may include many third party vendors with uneven security protections.
  4. The ubiquitous offering of Wi-fi services in rooms, lobbies, and conference areas also provides hackers with another potential hacking avenue.
  5. Fragmentation in the industry and movement towards more franchising as opposed to ownership can result in a lack of security standards.

What Can You Do About it?

Understandably, IT executives of the major hotel chains state that protecting their customer information is their top priority.  If you are a hotel chain, secure your network perimeter including wi-fi connections, de-identify your customer information data as much as possible, assess and inventory all third party payment vendors hardware and operating system software, and invest in a monitoring system that can detect breaches down to the terminal level. That way, security can pinpoint the compromise faster and contain the breach before it becomes a chain-wide problem.

If you are a card-issuing bank, analyze your card portfolio to determine the percentage of your customer transactions that occur at hotels and restaurants (also groceries stores and gas stations).  If that percentage is higher compared to other types of purchases or other card portfolios, you may be at higher risk of fraud losses due to data breaches and skimming.  Look at Common Point of Purchase (CPP) fraud tools that can help you pinpoint quickly suspected data incidents, identify the numbers of your consumer cards that may be affected, and predict how many of them are likely to become fraudulent in the next several months.

If you are a consumer and travel quite a bit, check the news and industry blogs frequently for public breaches.  If you have been to some of these breached locations, check your statements for suspicious charges, and notify your bank if you think you have been compromised.  You can also look at third party consumer monitoring services like Lifelock, Experian, and Intersections to see if they offer transaction monitoring services to help you automate the process.

Learn more about Rippleshot's approach to Common Point of Purchase (CPP) and how our tool can catch hotel and restaurant faster for both issuers and merchants:

New Call-to-action

Topics: Compromises