The Recent Data Breach Is a Wake-Up Call for the Hospitality Industry
The recent reservations system data breach at a hospitality company, compromised the personal and financial information of millions of customers. The company said it discovered unauthorized access to their database including access to a combination of name, mailing address, email address, passport number, and birth dates. For some, the compromised information also includes payment-card numbers and expiration dates. While this information was encrypted, it was not certain if the hackers had the ability to unencrypt the data.
Beyond the costs associated with breach remediation, legal fees, and reputational damage, the intrusion may trigger an investigation and potential fines related to the EU’s General Data Protection Regulation (GDPR), a sweeping data-privacy law enacted earlier this year. If the data of EU citizens is compromised, the GDPR requires that companies notify EU authorities of a breach within 72 hours.
This massive breach, among the biggest ever, should be a wake-up call for the hospitality industry. Hotels collect and process a lot more than just financial data from their customers, and some of this information can be used to carry out identity theft and other types of fraud. To protect this sensitive data, many businesses will need to re-engineer their cybersecurity and privacy programs to help mount a robust defense against evolving threats.
It will be necessary to appraise data across the enterprise, as well as data held by third-party partners and supply chains. Businesses will need to define and identify sensitive data, classify the value of that data, and establish rules and controls that prioritize protection.
One reason why data heists continue to be successful is that many companies haven’t adequately classified their data across the network. Hotel chains, for instance, typically use a number of disparate systems for reservations, frequent guest programs, and other customer data.
Classification is a basic tenet of data security and privacy, but many companies have been slow to take action because, as the volume and types of data stored has skyrocketed in recent years, they may have lost track of their data. It may be in the cloud, in various business and reservations systems, or held by third-party partners. What’s more, classification of enterprise-wide data is an arduous undertaking that is time-consuming, costly, and may require outside expertise. It’s not easy. However, using a top-down approach across critical applications and developing process/data-flow maps will help organizations identify where they need to focus. Following a bottom-up approach, businesses should use data-discovery tools to identify and employ tagging techniques to apply proper levels of classification.
Another defensive technique is network segmentation, which separates data into subnetworks so that if one is breached, data in other modules would not be affected. That could make it more difficult for cybercriminals to lift all data and help stop attacks from spreading across the business ecosystem.
Of course, there’s no guarantee that these strategies and techniques will fully protect your systems from cyberattacks. That’s why a comprehensive cybersecurity and privacy program should also carefully craft processes and controls for intrusion detection and fast response within a framework of a risk-based cybersecurity and data-privacy program.
This has been prepared for information purposes and general guidance only and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its members, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.