Data breaches at restaurants and hotels are nothing new, but a just-out report from Verizon Communications Inc. shows how extensively the hospitality industry gets hit by hackers.
New York City-based Verizon, which, besides telecommunications, has a large business in investigating data breaches, says in its latest annual breach study that it investigated 368 incidents of data compromise at accommodation and food-services businesses last year, 338 of which resulted in confirmed disclosure of data to unauthorized parties.
While Verizon said its investigations involving hospitality-industry data compromises increased by a third in 2018 over the year before, attack methods and targets changed little. Point-of-sale technology, including servers and payment card terminals, is the primary target through which hackers compromise the merchants’ systems. “In fact, the point-of-sale [intrusion] pattern accounts for 90% of all breaches within this industry vertical,” Verizon’s new Data Breach Investigations Report 2018 says.
POS intrusions were more than 40 times more common at accommodation and food-services businesses than they were in the average industry Verizon investigated, according to the report. While hackers have targeted hotel reservation systems, more often it’s the restaurants and small stores on their properties that get hit.
External data thieves—Verizon says only 1% of hospitality breaches involve insiders—typically compromise POS systems through various forms of hacking and installation of malware that captures and exports payment card data. Ninety-three percent of the data compromised was payment-related, 5% was personal, and 2% involved other credentials.
Some 86%, or 292, of the accommodation-industry breaches occurred at small businesses. “As stated in previous reports, often restaurants are smaller organizations without the luxury of trained security staff, but they are forced to rely almost exclusively on payment cards for their existence, so this finding is not unexpected but is certainly unfortunate,” the report says. “These attacks are overwhelmingly motivated by financial gain and perpetrated by organized crime.”
Data thieves usually are long gone before a restaurant or other hospitality merchant gets the bad news. “Breaches aren’t discovered for months in 96% of cases,” the report says. “When they are discovered it is typically via external sources such as detection as a common point of purchase (CPP) or by law enforcement.”
Hospitality firms can reduce their breach exposure by taking such elementary steps as not using default or easily guessable passwords on their POS systems, using antivirus software, and making their POS servers invisible from the Internet.
“Many victims could easily become an above-the-median hanging fruit by simply filtering what external IP [Internet Protocol] addresses can reach the remote-access mechanism of their POS controller,” the report says.
Verizon’s 11th annual data-breach study collected information from 67 organizations around the world and examined 53,000 incidents, including 2,216 actual breaches in 65 countries.