
Customer Data Breach is not just an IT Risk

The data breach in online marketer Epsilon which exposed thousands of hotel loyalty programme members to targeted phishing attacks should remind hoteliers that customer data breach is one of the major risks they are facing today and that they need to have a strategy in place for it. Oxford Brookes’ Alexandros Paraskevas explains how this can be done. 

The Epsilon Data Breach
 
Customers of Hilton HHonours, Marriott Rewards, Ritz-Carlton Rewards, Red Roof Inns and Disney Destinations have been exposed to the risk of targeted phishing attacks after a data breach disclosed last Friday involving online marketer Epsilon of Alliance Data Systems Corp, which said some clients’ customer names and email addresses were obtained via an “unauthorized entry.”
 
Epsilon assures that the compromised files did not include payment card data, yet it is clear that just having email addresses – plus knowing where someone shops – helps online criminals design more sophisticated and targeted ‘phishing’ campaigns to steal financial data or spread malicious software, or malware. The practice of using emails that appear to come from a trustworthy source to get users to divulge information about themselves is also known as ‘spear-phishing’ because such emails are more focused than traditional ‘phishing’ emails.
 
This type of data breach may be considered a ‘light’ one; however, the companies involved are responsible for taking appropriate action, as they may be considered liable for the data breach – even if it was caused by a third party – or, at the very least, they may lose their customers’ trust in their handling of personal data.
 
Data Breach Risk in Hotels: High Probability – High Impact
 
In 2010 Trustwave’s SpiderLabs compiled a list of 218 data breach investigations in organisations across 24 countries. The hotel sector accounted for 38% of these cases, as opposed to financial services companies, which accounted for only 19%. A whopping 98% of the targeted data was payment card information.
 
Last September HEI Hotels & Resorts, owner and operator of a number of branded (Westin, Marriott, Hilton, Embassy Suites, Le Meridien, Sheraton, Renaissance and Crowne Plaza) hotels, announced that a “vulnerability in an information system at certain of its hotel properties may have been exploited, and credit card information related to certain transactions occurring between March 25 and April 17, 2010 may have been compromised.” According to a source, this incident involved data of around 3400 customers.
 
Previously, a number of data breaches have shaken the hospitality sector. In July 2008 an incident involving 41 Wyndham Hotels and Resorts may have affected as many as 21,000 customers in Florida, according to that state’s attorney general. In February 2009 Hilton became aware that the Hilton Grand Vacations credit applications or Vacation Introduction Program databases had been hacked and that the names, social security numbers and dates of birth of as many as 2,304 individuals had been compromised. In August 2009 Radisson admitted a data breach of significant dimensions on the company’s servers and the compromise of an unknown number of customer credit card details.
 
These incidents show a clear vulnerability in hospitality operations and a risk that companies operating franchise and management agreements need to consider quite seriously. More often than not these risks are far more than just IT risks and cannot be attributed solely to IT security ‘holes’. There are plenty of cases where breaches are due to plain negligence at the operational level (e.g., password sharing, people forgetting to log out when using public computers, misplaced data storage devices, laptops forgotten in taxis, etc.). A breach may also cause serious reputational and financial damage to the company, and the aftermath needs to be handled very carefully.
 
Data Breach Risk Treatment
 
Hacker attacks range from very sophisticated to relatively basic and can be dealt with to a good extent by appropriate IT security measures and policies. The area of major concern for hoteliers, however, is ‘negligent practice’ at the operational level. Developing an appropriate risk awareness culture and enforcing policy controls with periodic audits and training (password control, anti-phishing and social engineering training, etc.) is one of the key measures against data breaches at this level.
 
Attacks against point of sale systems have been an area of growing concern for the Payment Card Industry (PCI) Security Standards Council, the body that administers the payment industry’s PCI security rules. Hotel risk managers are strongly advised to comply with these standards.
 
However, one needs to distinguish between being PCI compliant and merely being PCI certified. The two most significant data breaches in history took place at TJX and Heartland Financial, both PCI certified by a QSA at some point in time. These companies were compromised after they stopped being or practising PCI compliant, or when they stopped performing best-practice, state-of-the-art, best-of-breed information security on a daily basis.
 
Post-Incident Response
 
There are many ways to address a post-breach incident but disclosure is necessary in all cases. The accepted ‘best practice’ for companies in this case is to:
 
1. Publicly acknowledge the data breach, apologise, assure everyone that every possible effort is being made to prevent this from happening again, and list the specific measures that are being put in place.
2. Release information regarding which businesses were affected, as “full disclosure” is one of the major tenets of crisis communications.
3. Establish a “hotline” to answer any questions from consumers who might have been affected and offer a free credit monitoring package for cases where there is suspicion of data compromise. (In a similar case, in 2006, Expedia and Hotels.com did exactly that when the data of 243,000 Hotels.com customers were compromised.) Depending on the type of breach, this may be a minimal-cost measure with a hugely positive reputational effect.
 
The 2010 Trustwave report indicates that in the more than 70 post-breach investigations it performed in the hospitality industry, the majority of the companies involved had not publicised their data losses or warned customers.
 
What needs to be noted here is that non-response or partial response exposes the company to the risk of a class action lawsuit, where the general public may be invited by ‘consumer protection specialist law firms’ to contact them if they have been notified that their debit card, credit card or other information may have been compromised as a result of a data breach. The complaint may include a claim pursuant to the local Consumer Fraud Act (or equivalent) and assert causes of action for negligence, breach of implied contract, breach of contracts to which plaintiffs and class members were intended third-party beneficiaries, breach of fiduciary duty, and negligence per se.
 
In the case of Epsilon, Marriott responded by a post on its website on Monday, saying that “the unauthorized person(s) had access to names and email addresses only. They did not have access to sensitive customer information, such as physical addresses, point balances, account logins and passwords, credit card information or other personal data.”
 
Hilton notified its customers by email on Monday that their names and email addresses were part of the breach. “The files accessed did not include any customer financial information… The most likely impact, if any, would be receipt of unwanted e-mails,” Hilton noted. They also reminded customers that Hilton will never ask for sensitive personal data – credit card numbers, social security numbers and the like – to be transmitted over email.
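The two indicators the column relies on – a spear-phishing message that looks as if it comes from the loyalty programme, and Hilton’s reminder that the programme never asks for card numbers or passwords by email – can be turned into a simple triage check that a hotel’s mail or security team might run over reported messages. The following is an added example written for this column, not code from the author, Epsilon or any of the hotel groups named; the trusted domain `example-hotel.com`, the two sample messages and the phrase list are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Assumption: the loyalty programme's genuine sending domain (constructed, not from the article)
TRUSTED_DOMAINS = {"example-hotel.com"}

# Requests that genuine programme mail never makes over email (cf. Hilton's customer reminder)
SENSITIVE_REQUESTS = [
    r"credit card number",
    r"social security number",
    r"\bpassword\b",
    r"verify your account",
]


@dataclass
class Email:
    from_display: str   # display name shown to the recipient
    from_addr: str      # address in the From header
    reply_to: str       # Reply-To header, empty if absent
    subject: str
    body: str


def sender_domain(addr: str) -> str:
    """Return the lower-cased domain part of an address."""
    return addr.rsplit("@", 1)[-1].lower()


def lookalike_domain(domain: str, trusted: set[str]) -> bool:
    """True when a domain borrows a trusted brand name without being the trusted domain,
    e.g. example-hotel-rewards.net next to example-hotel.com."""
    for t in trusted:
        brand = t.split(".")[0]
        if brand in domain and domain != t:
            return True
    return False


def score_email(msg: Email, trusted: set[str] = TRUSTED_DOMAINS) -> tuple[int, list[str]]:
    """Count spear-phishing indicators and return (score, reasons).

    Indicators: sender not on the trusted list, a brand-lookalike sender domain,
    a Reply-To that diverts replies elsewhere, and any request for data the
    programme says it never asks for by email.
    """
    reasons: list[str] = []
    from_dom = sender_domain(msg.from_addr)
    reply_dom = sender_domain(msg.reply_to) if msg.reply_to else from_dom

    if from_dom not in trusted:
        reasons.append(f"sender domain {from_dom} is not a trusted programme domain")
        if lookalike_domain(from_dom, trusted):
            reasons.append(f"sender domain {from_dom} mimics a trusted brand")
    if reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    text = f"{msg.subject}\n{msg.body}".lower()
    for pattern in SENSITIVE_REQUESTS:
        if re.search(pattern, text):
            reasons.append(f"asks for sensitive data: {pattern!r}")
    return len(reasons), reasons


# Constructed samples: one genuine programme notice and one spear-phishing attempt
GENUINE = Email(
    from_display="Example Hotel Rewards",
    from_addr="rewards@example-hotel.com",
    reply_to="",
    subject="Your point balance",
    body="Your balance is 12,400 points. Log in to our website to see offers.",
)

SUSPECT = Email(
    from_display="Example Hotel Rewards",
    from_addr="rewards@example-hotel-rewards.net",
    reply_to="support@mail-recovery.example",
    subject="Action required: verify your account",
    body="Due to a security update, reply with your credit card number and password to keep your points.",
)

if __name__ == "__main__":
    for label, msg in (("genuine", GENUINE), ("suspect", SUSPECT)):
        score, reasons = score_email(msg)
        print(f"{label}: score={score}")
        for r in reasons:
            print("  -", r)
```

The display name is deliberately identical in both samples: that is what makes the second message convincing to a reader, and why the check looks at the address, the Reply-To header and the content rather than at the name the mail client shows.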
 
Apart from the hospitality companies reported here, the Epsilon data breach involved customer emails of companies such as: JP Morgan Chase & Co, the second-largest U.S. bank; Citigroup Inc, the third-largest U.S. bank; Capital One Financial Corp, a bank and credit card lender; Kroger Co, the biggest U.S. supermarket operator; Walgreen Co, the largest U.S. drugstore and Best Buy Co, the largest U.S. consumer electronics chain.
 
Dr Alexandros Paraskevas is a Senior Lecturer in Strategic Risk Management in the Department of Hotel, Leisure and Tourism Management of the Business School at Oxford Brookes University, Oxford, UK. He has served as academic advisor in IH&RA’s Global Council of Crisis, Safety and Security Management and is a member of the European sub-chapter of the Hospitality, Entertainment and Tourism Council (HEaT) of ASIS International. 