White Lodging has been hit by another POS breach which has affected travelers who made purchases at its restaurant and bar operations within 10 hotels. Nine of the affected hotels were under Marriott flags and one was under Sheraton.
This is the very same management company that was affected by a more wide-reaching breach just last year. That breach ended up affecting far more hotels and customers than the latest one.
In announcing the breach, White Lodging pointed to lessons learned and changes implemented after last year's breach. The company is clearly trying to reduce its continued vulnerability, says Dave Sibley, president and CEO, Hospitality Management:
After suffering a malware incident in 2014, we took various actions to prevent a recurrence, including engaging a third party security firm to provide security technology and managed services.
These security measures were unable to stop the current malware occurrence on point of sale systems at food and beverage outlets in 10 hotels that we manage. We continue to remain committed to investing in the measures necessary to protect the personal information entrusted to us by our valuable guests. We deeply regret and apologize for this situation.
The vulnerability remained even after hiring a third-party security firm, which is something of concern to any hotel brands seeking to deploy additional security measures and analysis by third parties.
Even so, it's a grave concern when the company states that
the unlawfully accessed data at risk is believed to be limited to names printed on customers’ credit or debit cards, credit or debit card numbers, the security code and card expiration dates of credit/debit cards used at the food and beverage outlets at the 10 hotels during the period July 3, 2014 through February 6, 2015.
The thieves pretty much had everything they needed to make fraudulent purchases off guests' cards, and were able to access this for over 7 months.
So what can be done to protect travelers?
EMV is the technology that is supposed to make credit card fraud more difficult. The cards have a chip in them, which is then encoded with a PIN, so any purchase must be matched with a PIN and not just a signature. While this added layer of security does help to ensure the owner of the card is present, the technology is also vulnerable to devices that can swipe information from cards simply by being nearby.
Pundits point to Europe's rate of fraud versus America's as the key indicator that the technology is successful. But the Washington Post did some research that shows a rapid recent increase in fraud across the European continent. This doesn't bode well for those who think that EMV is a silver bullet in payments.
White Lodging has been transitioning its POS to tokenization, which replaces sensitive information such as the card number with a non-meaningful token for transmission. The transition was slated to be complete in February of this year, not soon enough to prevent the ongoing fraud. Even so, tokenization is an effective means of protecting sensitive transaction data.
Wherever transactions are made, there will be fraud. The key to successfully managing the risks is to regularly monitor systems for any breaches and updating to the latest software. Ensuring that all POS systems are upgraded to the current version will ensure that urgent security patches are accounted for in the system.
Beyond that, insurance is available to protect against costs for data breaches — a solid measure of last resort that reduces the financial burden of a data intrusion.
NB: Lock image courtesy Shutterstock.