A RECENT DATA breach at several Hard Rock Hotel properties occurred when hackers attacked the Florida-based chain’s third party reservation system. Some experts say it’s the kind of attack that hotel owners should remain vigilant against even as new technology reduces more traditional point of sale attacks.
Hard Rock revealed Thursday that hackers had managed to access unencrypted payment card information at 11 locations, including the Hard Rock Hotel Chicago, via third-party reservation vendor Sabre Hospitality Solutions. The company did not disclose the number of guests affected by the breach, which occurred between August 10 and March 9, but did say the number was limited.
“Not all of our hotels leverage Sabre Hospitality Solutions SynXis, so only a small subset were affected. Customers have been notified and Sabre has contacted the [Federal Trade Commission],” the company said in a statement. “Hard Rock Hotels & Casinos is in the process of notifying the attorneys general’s offices as required by law.”
Along with Chicago, other properties affected include Hard Rock Hotel & Casino Biloxi in Mississippi, Hard Rock Hotel Cancun in Mexico, Hard Rock Hotel & Casino Las Vegas, and Hard Rock Hotel Palm Springs and Hard Rock Hotel San Diego in California. Sabre said in a statement that some of the reservations accessed by the “unauthorized party” included the payment card security code, but no Social Security, passport or driver’s license numbers were accessed. “Less than 15 percent of the average daily bookings on the SynXis reservation system during that time period were viewed,” Sabre spokesman Timothy Enstice wrote in an email to media.
The 2017 Trustwave Global Security Report found incidents involving POS systems rose to 31 percent in 2016 from 22 percent in 2015, falling just behind compromises of corporate and internal networks in percentage of compromises. The hospitality industry suffered 12 percent of the reported breaches last year.
According to Trustwave, faster adoption of EMV chip technology (named after the companies that developed it, Europay, MasterCard and Visa) should be a focus for North American businesses. “Merchants’ slow adoption of EMV chip card readers in the United States again resulted in POS attacks accounting for the largest share of occurrences in North America,” the report states. “Researchers expect those attacks to diminish as more merchants adopt the technology and consumers grow more familiar with it.”
Data breaches can be costly, said Doug Friel, vice president of JKJ Commercial Insurance. “One of the more significant costs is about $200 per record,” he said. A record is the information for each guest a hotel has had, past, present and future. “If the bad guys break into the infrastructure, they may have the information of 5,000 guests,” he said. Each one of those compromised guests must be notified and provided ongoing monitoring to see if their information is misused.
Friel said it’s also important that hotels ensure that the vendors they use for automated check in systems are properly insured as well. That coverage should include error and omission insurance, and the limits should be sufficient to cover the vendor’s liability, depending on the size of the contract.