New Threats in an Evolving Data Landscape

7/29/2015
Last fall, news broke that hackers had perpetrated an attack on Hilton Worldwide (www.hiltonworldwide.com). Instead of credit card data, the fraudsters drained millions of points from accounts held by participants in Hilton’s HHonors loyalty program and sold them online at deeply discounted prices. The purloined points were subsequently and fraudulently redeemed for free or reduced-price “rewards,” including hotel stays, merchandise, and gift cards.

Earlier this year, hotel management company White Lodging Services (www.whitelodgingservices) reported its second payment card data breach in less than 14 months. One incident involved 14 properties and occurred between March and December of 2013; the subsequent incident affected 10 other properties and was perpetrated between July 2014 and February of 2015. The company maintains that only the point-of-sale (POS) systems at these properties' food and beverage outlets were affected in either incident; however, a source tells HT that the property management system (PMS) could also have been compromised, which would expose other sensitive information, such as the data found on guest folios.

Starbucks (www.starbucks.com) recently found itself defending against reports that its app had been hacked, after multiple stories surfaced of thieves siphoning money out of users' gift card accounts. The thieves gained access by logging in with user names and passwords that had been obtained from the victims' other, unrelated accounts. Once inside, they would add a new gift card to the compromised account and transfer the victim's balance onto it, allowing them to quickly steal all the money on a user's app. Starbucks contends that this was a case of weak passwords and not a breach of the Starbucks app itself.

These incidents and others like them underscore the fact that payment card information isn't the only data that's vulnerable to compromise. Also at risk is personally identifiable information (PII): as defined by most state breach laws, an individual's first name (or first initial) and last name combined with a Social Security number; a driver's license or state-issued ID card number; and/or any account number (credit, debit, membership, etc.) together with the security code, PIN, or password that grants access to it.

“Even at a time when Big Data is bringing to the forefront an ocean of personal information solicited to sharpen the competitive edge and solidify customer engagement, [many hospitality players] neglect the PII aspect of data security, because guest records, loyalty club member data, and the like are not subject to the Payment Card Industry Data Security Standard (PCI DSS),” says Marion H. Roger, vice president of Hospitality Evolution Resources (www.her-consulting.com), a hotel management and technology consulting firm. “However, given the consequences, that’s a short-sighted view.”

Roger notes that 47 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted legislation that requires private or government entities to notify individuals of security breaches involving their PII. Only Alabama, New Mexico, and South Dakota have no such laws on the books.

In addition to the cost of notification and claim processing, allowing PII to be breached brings consequences such as paying for credit monitoring services for affected individuals (to lessen the potential for civil suits by persons alleging that their PII could be used to commit identity theft), Roger explains. Additional expenses may be incurred to find and remediate the cause of the breach and to recover any lost data.

“What’s more, if the PII of guests from other states outside the one in which the restaurant or hotel is located is affected by an incident, operators must comply with the laws of each of those states,” Roger observes.

Failing to consider the security of information other than credit card data also puts restaurant and hotel operators at risk of losing guests’ business. According to a recent survey by consulting firm Deloitte LLP (www.deloitte.com), 75 percent of frequent travelers expect loyalty program data to be secured to at least the same standard as applied by financial institutions — but only 33 percent feel their accounts are secure enough. The study also reveals that any breach of loyalty data would have a significant impact on the brand involved. Nearly one-quarter (23 percent) of respondents said that should such a breach occur, they would be less likely to patronize the company responsible and 15 percent said they would be “a lot less likely” to do so.

Hospitality players “increasingly request that customers share a detailed level of personal information,” states Charles Carrington, a partner in Deloitte’s Travel, Hospitality and Leisure practice. “These same companies need to roll up their sleeves and move beyond mere policy compliance to ensure that customer data is truly secure. Failure to do so could not only frustrate and even endanger [guests], but also cause serious reputational damage.”

Taking precautions with technology and administrative safeguards
Larger hotel companies have been focusing heavily on the PII aspect of security, notes Chris Zoladz, founder and principal of security consulting firm Navigate LLC (www.navigatellc.net).

In addition to implementing administrative measures and stepping up physical security (e.g., by restricting access to physical servers), these players are taking advantage of new encryption and tokenization technologies to safeguard PII and other sensitive guest information, Zoladz reports.

Among these solutions are the Personally Identifiable Information Tokenization process from payment processor and technology services provider CardConnect (www.cardconnect.com) and PCI XML Inbound, a solution from PCI Booking (www.pcibooking.net). The former protects such data as names, Social Security numbers, and program membership numbers by replacing each piece of information with an irreversible token, a string that bears no mathematical relationship to the original value; the mapping from token back to data is held in a separately protected store. An attacker who steals the tokenized records therefore obtains only strings of characters that cannot be turned back into the sensitive information without also compromising that store. The latter allows PII (as well as payment data) to be imported into the PMS in encrypted rather than plain-text form, and is intended for use by small and large hotel operations alike.
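The mechanics of the tokenization described above, as an added example that is not CardConnect's or any vendor's code: the vault below is an in-memory dictionary standing in for a separately protected datastore, tokens are drawn at random so they carry no relationship to the value they replace, and the same value always maps to the same token within one vault so analysts can still join and count on a tokenized column. The guest records are constructed for the example.

```python
"""PII tokenization with a separately held token vault (illustrative, not vendor code).

Assumptions (hypothetical): the vault is an in-memory dict standing in for a
separately protected datastore; tokens are random, so a leaked tokenized table
reveals nothing about the underlying values without the vault.
"""
import secrets
import string


class TokenVault:
    """Holds token <-> value mappings.  Only a holder of the vault can reverse a token."""

    def __init__(self):
        self._by_token = {}   # (field, token) -> value
        self._by_value = {}   # (field, value) -> token, so repeats get the same token

    def tokenize(self, field, value):
        """Return a random token with the same length and character class as value."""
        key = (field, value)
        if key in self._by_value:
            return self._by_value[key]
        # Keep digits-only values digits-only so downstream systems that validate
        # the field (a PMS expecting a numeric member number) still accept the token.
        alphabet = string.digits if value.isdigit() else string.ascii_uppercase + string.digits
        while True:
            token = "".join(secrets.choice(alphabet) for _ in range(len(value)))
            if token != value and (field, token) not in self._by_token:
                break
        self._by_token[(field, token)] = value
        self._by_value[key] = token
        return token

    def detokenize(self, field, token):
        """Reverse a token.  Raises KeyError for a token this vault did not issue."""
        return self._by_token[(field, token)]


def tokenize_record(vault, record, sensitive_fields):
    """Return a copy of record with the listed fields replaced by tokens."""
    out = dict(record)
    for field in sensitive_fields:
        if field in out:
            out[field] = vault.tokenize(field, out[field])
    return out


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample guest records; not real people.  Both share a member_id
    # so the output shows that the same value tokenizes to the same token.
    guests = [
        {"name": "JANE DOE", "ssn": "123456789", "member_id": "44012345", "stay": "2015-07-01"},
        {"name": "JOHN ROE", "ssn": "987654321", "member_id": "44012345", "stay": "2015-07-02"},
    ]
    rows = [tokenize_record(vault, g, ["name", "ssn", "member_id"]) for g in guests]
    for row in rows:
        print(row)   # this is all an attacker who copies the table (but not the vault) gets
    print(vault.detokenize("ssn", rows[0]["ssn"]))   # reversal requires the vault
```

The practical point is the split: the application that displays a folio needs vault access, the analytics cluster and the marketing export do not, and a breach of the latter yields only tokens. A second `TokenVault` instance, or an attacker, raises `KeyError` on every token the first one issued.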

Wyndham Hotel Group (www.wyndhamworldwide.com) recently struck a multi-year agreement with payment solutions provider Elavon (www.elavon.com) to integrate EMV and tokenization into the Sabre (www.sabre.com) SynXis Property Manager via Elavon’s Fusebox gateway and Simplify payment security software application. SynXis is the PMS used by Wyndham franchisees.

Roger says some hotel and restaurant operators are also looking to tokenization and encryption to protect sensitive data in Big Data analytics conducted via Hadoop and similar tools. Such platforms replicate data across many nodes, and users with different analytic needs all draw on the same concentrated data pool, so a sensitive field stored in the clear ends up copied widely and readable by anyone with access to the cluster. Tokenizing or encrypting the sensitive fields themselves, rather than relying only on access controls around the cluster, addresses this exposure.

Voltage SecureData Suite for Hadoop from HP Security Voltage (formerly Voltage Security; www.voltage.com) is one example. It melds tokenization with format-preserving encryption (FPE), which encrypts plain text of a specified format into ciphertext of the identical format: a 16-digit card number becomes another 16-digit string, and a nine-digit membership number another nine-digit number. Because the encrypted value still fits the field it came from, databases, schemas, and intermediate systems that expect a particular length and character set do not have to change. The trade-off a practitioner should keep in mind is that FPE is deterministic and preserves length and character class, so the ciphertext reveals the format of what it protects; that is acceptable for card and member numbers but should be weighed before applying it to fields where the format itself is sensitive.
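What "format preserving" means in practice, as an added example that is not Voltage's product code: the block below is a ten-round Feistel network over decimal digits with an HMAC-SHA256 round function, which keeps the length and digit-only character class of the input and also leaves separators such as dashes in place. It is illustrative only; a production deployment would use NIST SP 800-38G FF1 with AES. The key is a constructed constant, and the tweak is assumed to be the column name so that the same digits encrypt differently in different fields.

```python
"""Toy format-preserving encryption over decimal strings (illustrative, not vendor code).

Assumptions (hypothetical): KEY is a constructed constant (a real key comes from a
KMS/HSM); the tweak is the column name; ROUNDS is even so both halves of the
Feistel state return to their original lengths and the ciphertext splits the same way.
"""
import hashlib
import hmac

ROUNDS = 10


def _round_function(key, tweak, round_no, half):
    """Pseudorandom integer derived from one half of the state, the tweak and the round."""
    msg = tweak + bytes([round_no]) + half.encode("ascii")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def fpe_encrypt_digits(key, tweak, digits):
    """Encrypt a string of >= 2 decimal digits into another string of the same length."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("input must be at least two decimal digits")
    n = len(digits)
    u = n // 2                           # left half length; right half is n - u
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else n - u   # length of the half being replaced this round
        c = (int(a) + _round_function(key, tweak, i, b)) % 10 ** m
        a, b = b, str(c).zfill(m)        # zfill keeps leading zeros, hence the length
    return a + b


def fpe_decrypt_digits(key, tweak, digits):
    """Inverse of fpe_encrypt_digits: undo the rounds in reverse order."""
    n = len(digits)
    u = n // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else n - u
        c = (int(b) - _round_function(key, tweak, i, a)) % 10 ** m
        a, b = str(c).zfill(m), a
    return a + b


def _splice_digits(value, new_digits):
    """Put new_digits back into value at the positions that held digits."""
    positions = [i for i, ch in enumerate(value) if ch.isdigit()]
    out = list(value)
    for pos, ch in zip(positions, new_digits):
        out[pos] = ch
    return "".join(out)


def fpe_encrypt_formatted(key, tweak, value):
    """Encrypt only the digits of e.g. '4111-2222-3333-4444', keeping separators,
    so the result still passes the field's format validation."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return _splice_digits(value, fpe_encrypt_digits(key, tweak, digits))


def fpe_decrypt_formatted(key, tweak, value):
    digits = "".join(ch for ch in value if ch.isdigit())
    return _splice_digits(value, fpe_decrypt_digits(key, tweak, digits))


if __name__ == "__main__":
    KEY = b"constructed-demo-key-do-not-reuse"   # constructed for the example
    member = "44012345"
    ct = fpe_encrypt_digits(KEY, b"member_id", member)
    print(member, "->", ct, "->", fpe_decrypt_digits(KEY, b"member_id", ct))
    card = "4111-2222-3333-4444"
    print(card, "->", fpe_encrypt_formatted(KEY, b"card", card))
```

Because the scheme is deterministic under a fixed key and tweak, the same member number always encrypts to the same ciphertext, which is what lets a Hadoop job group or join on the encrypted column; the same property means equal plaintexts are visible as equal ciphertexts, the caveat noted above.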

The use of a cloud-based PMS is yet another means of addressing PII concerns. “Cloud-based PMS can be very secure if the appropriate controls, [such as strong authentication (preferably two-factor) and system and network security monitoring (including intrusion detection and prevention solutions)] are implemented,” Zoladz says.

Strand Development Company (www.stranddevelopment.com), whose portfolio includes more than 50 franchised properties operating under flags including Choice Hotels, IHG, and Starwood, follows this strategy, having deployed SkyTouch Technology’s (www.skytouchtechnology.com) SkyTouch OS PMS. “In addition to other benefits [including remote access to PMS data], the SkyTouch Hotel OS helps protect the integrity of our hotel guests’ data because it is a cloud-based PMS,” and was chosen in large part for that reason, notes Andrew Pace, senior vice president.

By storing property management data in a managed cloud-based repository rather than on on-site servers, the hotel company aims to reduce its exposure. SkyTouch oversees the physical security of the servers, handles vulnerability management, and performs penetration testing as well as systems monitoring.

For its part, Jersey Mike’s Subs (www.jerseymikes.com) safeguards its PII in the same way it safeguards credit card information.

“Data breaches are becoming so common that we feel we can’t be too careful with either kind of data, which for us means going beyond the requirement of the PCI DSS for payment information and PII,” states Scott Scherer, CIO. All data resides on servers in Jersey Mike’s own secure data centers, and those servers are hosted inside the operator’s secure network.

Best practices: Combining tech and policies  
For lodging and foodservice establishments, enhancing PII security requires attention to technology as well as to company policies and procedures. “The fundamentals around information security are ‘need to know,’ and by determining who needs to know, organizations have the opportunity to apply the appropriate level of protection while ensuring the business can function,” asserts Vikas Bhatia, CEO of Kalki Consulting (www.kalkiconsulting.com), a data security consulting firm. He notes that technologies like encryption, two-factor authentication, and data loss prevention will “go some of the way toward protecting PII,” but their true value will only be realized if used in conjunction with proper policies, processes, and employee training programs.

Both Bhatia and Roger advocate training employees to recognize the types of data that are considered PII. Roger believes that most “don’t understand that something as simple as someone’s name, birthday, or wedding anniversary,” falls into the category. Requiring staff to take common-sense precautions against PII breaches — for example, never leaving a computer unattended when PII is in plain sight — is also a wise idea, she notes.

Meanwhile, Deloitte counsels restaurant operators and hoteliers to harness policies and technology to ensure that data may only be accessed on a “need to know” basis and that it is housed within a secure and encrypted environment.

Other precautions include assessing risk at every point where data is transmitted, in order to identify weak spots in security practices, and harnessing analytics to detect patterns of behavior (by employees and others) that may indicate compromise. When merging loyalty programs with another entity (as in an acquisition) or entering into an agreement with a third party that requires data sharing (e.g., engaging a marketing agency to administer a customer rewards program), hospitality players should establish a clear understanding of how the partner organization safeguards PII, and monitor those practices to ascertain that guests’ data is being properly protected.

Noodles & Company (www.noodles.com) takes great care in scrutinizing and vetting the security practices of its third-party partners. While it does not have a formal loyalty program, the restaurant operator maintains an extensive email database that contains the PII of more than one million customers. As with other third-party partners, “we heavily review and discuss the controls used by our third-party email marketing firm, and have also included it in our yearly penetration testing for PCI” as an additional security measure, reports David Lehn, vice president, information technology.

Jersey Mike’s also vets its third-party vendors, in addition to narrowly segmenting its PII so that individual pieces of information cannot be combined to reveal customers’ identities. For example, its customer email list contains only email addresses; no associated information, such as customers’ names or physical addresses, is kept with it. Similarly, customers who opt in to receive promotional text messages from Jersey Mike’s are identified only by their mobile phone number and a generic ID. “With PII, the best thing is, if it isn’t needed, it isn’t there — on a mailing list or wherever,” Scherer says.

Making Guests Part of the Security Solution
Deloitte recommends the following ways to engage guests in the process of securing PII data, while engendering brand loyalty.
  • Remind customers to change passwords and/or security questions;
  • Advise guests to monitor program activity;
  • Embed a link in email communications to facilitate the process for guests to check their accounts;
  • Offer points or other rewards for regular customer-initiated password changes;
  • Reward program members for providing contact information and registering to receive security alert services.