Starwood Hotels & Resorts Worldwide has disclosed that malware designed to help cyber thieves steal credit and debit card data has been found on point-of-sale systems at some of its US hotels. This announcement makes Starwood the latest in a recent string of hotel chains to acknowledge credit card breach investigations, and comes only days after the company announced its acquisition by Marriott International.
Mark Bower, Global Director of Product Management, Enterprise Data Security for HPE Security, commented:
“Once again with today’s news of a potential payment card data breach at Starwood Hotels, we see that hospitality service providers face extraordinary challenges with customer data security at point of sale (POS).
Card-on-file transactions are common, meaning card data is often stored longer than typical, to maintain customer bookings and for resort service charges after check-in. Online booking systems often channel card data from various sources and third parties over the internet, creating additional possible points of compromise. Partner booking systems accessing the hotel platforms also present additional risks and malware paths for entry to data processing systems to steal sensitive information.
Avoid the impact of these attacks
However it’s important to note, especially going into the busy holiday season, that hospitality organisations, as well as retailers and any businesses using POS systems, can avoid the impact of these types of advanced attacks.
Proven methods are available to neutralise this data from breaches either at the card reader, at the POS, in person, or via web booking platforms. Leading travel-related organizations, airlines, and travel booking aggregators have adopted these data-centric security techniques with huge positive benefits: reduced exposure of live data from the reach of advanced malware during an attack, and reduced impact of increasingly aggressive PCI DSS 3.1 compliance enforcement laws, laws aimed at making data security a ‘business as usual’ matter for any organisation handling card payment data.
Vulnerability of checkout terminals
Point of sale (POS) systems – what consumers often call the checkout system – are often the weak link in the chain and the choice of malware. They should be isolated from other networks, but often are connected. A checkout terminal in constant use is usually less frequently patched and updated, and is thus vulnerable to all manner of malware compromising the system to gain access to cardholder data.
Risks of theft from point of sale (POS) malware are totally avoidable. The good news is that savvy merchants are already tackling this risk and giving the malware nothing to steal through solutions that also have a dramatic cost reducing benefit to PCI compliance. Encrypting the data in the card reading terminal ahead of the POS eliminates the exposure of live information in vulnerable POS systems. If it’s GammaPOS, Abaddon, Dexter or other variations of malware designed to steal clear data in memory from POS applications, resulting in the loss of magstripe data, EMV card data or other sensitive data exposed at the point of sale, the attackers get only useless encrypted data. No live data means no gold to steal. Attackers don’t like stealing straw.”
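The point Bower makes, that encrypting card data in the reader before it reaches the POS leaves memory-scraping malware nothing usable, can be shown with a small simulation. The example below is added here and is not code from the article, from Starwood or from HPE. It builds a constructed POS memory buffer two ways (clear track data handed over by a legacy reader, and the same data encrypted by a point-to-point encryption reader), then runs the kind of Luhn-validated PAN scan a defender uses to verify a process dump holds no clear cardholder data. The reader's hardware cipher is stood in for by an HMAC-SHA256 counter-mode stream cipher so the code runs with the standard library alone; the key, nonce, sample track-2 record, test PAN and buffer layout are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import re

# Constructed sample: a track-2-style record as a POS application might hold it
# in memory after a swipe. The PAN is a standard test number, not a real card.
SAMPLE_TRACK2 = b";4111111111111111=2512101?"

# Constructed key shared by the card reader and the payment gateway and never
# present on the POS host. Real P2PE readers derive unique per-transaction keys.
READER_KEY = os.urandom(32)

# Constructed layout of the POS application's transaction buffer.
POS_PREFIX = b"POSAPP v1.2 TXN=0001 AMOUNT=199.00 TRACK="
POS_SUFFIX = b" END"

# Runs of 13-19 ASCII digits, the shape of a PAN, used as a DLP-style check.
PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_clear_pans(buffer: bytes) -> list:
    """Scan a memory buffer for Luhn-valid PAN-shaped digit runs.

    A defender runs this over a POS process dump to confirm that no clear
    cardholder data is resident; it is the check a P2PE deployment should pass.
    """
    return [m.decode() for m in PAN_RE.findall(buffer) if luhn_valid(m.decode())]


def reader_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the reader's hardware encryption.

    Counter-mode stream cipher keyed with HMAC-SHA256 (assumed here so the
    example needs no third-party library; production readers use AES). The
    nonce must never repeat under one key.
    """
    keystream = bytearray()
    counter = 0
    while len(keystream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        keystream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, keystream))


def gateway_decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """The payment gateway, which holds the key, recovers the track data."""
    return reader_encrypt(key, nonce, ciphertext)  # XOR stream: decrypt == encrypt


def pos_memory_legacy(track2: bytes) -> bytes:
    """Legacy flow: the reader hands clear track data to the POS application."""
    return POS_PREFIX + track2 + POS_SUFFIX


def pos_memory_p2pe(track2: bytes) -> tuple:
    """P2PE flow: the reader encrypts before the POS sees anything.

    Returns (nonce, buffer); the POS forwards nonce and ciphertext to the gateway.
    """
    nonce = os.urandom(12)
    blob = reader_encrypt(READER_KEY, nonce, track2)
    return nonce, POS_PREFIX + blob + POS_SUFFIX


def demo() -> tuple:
    """Run both flows.

    Returns (clear PANs found in the legacy buffer, clear PANs found in the
    P2PE buffer, track data recovered by the gateway from the P2PE buffer).
    """
    legacy_hits = find_clear_pans(pos_memory_legacy(SAMPLE_TRACK2))
    nonce, buf = pos_memory_p2pe(SAMPLE_TRACK2)
    p2pe_hits = find_clear_pans(buf)
    blob = buf[len(POS_PREFIX):-len(POS_SUFFIX)]
    recovered = gateway_decrypt(READER_KEY, nonce, blob)
    return legacy_hits, p2pe_hits, recovered


if __name__ == "__main__":
    legacy_hits, p2pe_hits, recovered = demo()
    print("legacy POS buffer exposes:", legacy_hits)
    print("P2PE POS buffer exposes:  ", p2pe_hits)
    print("gateway recovers:         ", recovered)
```

The legacy buffer yields the test PAN on the first scan; the P2PE buffer yields nothing, because the only place the PAN exists in clear is inside the reader and, after decryption, at the gateway. The same `find_clear_pans` scan run against a real POS process dump is a cheap acceptance test for a P2PE rollout: a hit means clear data is still reaching the host, regardless of what the vendor's datasheet says.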
Starwood has published a list of more than 50 of its hotel properties in the US that were impacted by the breach.