IT Laziness and Self Denial are what makes Hotels vulnerable to card data breaches

Hackers exploited a web app vulnerability on a server at hotel booking website FastBooking to install malware and pilfer data, such as names, email addresses, booking information and payment card data, from guests at hundreds of hotels.

The breach took place on June 14, said FastBooking, which states it works with 4,000 partner hotels in 100 countries. In an email to affected properties, FastBooking says an attacker exploited a vulnerability in a Web application hosted on its server to install malware, reports Dark Reading. The attacker used this access to steal first and last names, nationalities, physical and email addresses, and booking-related details, such as hotel names and check-in/check-out dates.

“All of our markets have been affected but this represents a minority of our customers,” a spokeswoman for Fastbooking told the Japan Times.

Laziness is the primary reason why hotel IT systems are vulnerable to hackers

It is clear that hackers do not have a lot of work to do to steal card data from hotels: physical security is often weak, IT systems are left unattended and logged in, card data is left on systems, and most of the IT staff working in the hotel industry are in perpetual denial.

How could have prevented the card data breach at and other Hotel booking sites

I have been warning hotels for a few years now that this was a disaster waiting to happen. The first rule I would implement for any hotel booking website is very simple: do not see card data. You cannot do anything with it other than pass it on to the bank, and if that is the case, what is the point of seeing it?

I have spoken to many hotel management teams who spew this nonsense about the need to charge customers and avoid incurring debt when a guest leaves the hotel. Well, here is a test: how many of the people who stood by the hotels holding card payments are supporting them now?

The fact remains that hotels have no business seeing card data. Sheer laziness and self-denial are the two illnesses that plague this industry and allow hotels to handle card data in this insecure manner, regardless of the size of the hotel.

There are 4 main payment channels for Hotels, here are the issues and how’s strategy would have protected them

  1. Customer present  –  we would implement P2PE on all payment terminals
  2. Email payments  –  we would implement our email payment link solution, which is already integrated with the bank. We implement a process that detects and deletes unsolicited inbound email and responds with a payment link to make a secure payment; if required, we can
  3. Online payments  –  we would take away the ability for the hotel website to take card payments and redirect to the bank
  4. 3rd party payments  –  we would implement our APIs with the 3rd party organisations that intercept the payments and redirect them to the bank

To address the issue around debt management and hotel guests that leave with outstanding debt, our solution is tokenisation.
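As an added illustration (not the author's product or code), here are the two points above in Python: a Luhn-filtered scan for card numbers left lying on hotel-side systems, and a mock bank-side vault that hands the hotel a token it can charge later for an unpaid bill without ever holding the card number. The vault class, the booking record layout and the sample front-desk notes are constructed for this example.

```python
import re
import secrets
# Constructed sample of what a front desk leaves on a shared PC: one test PAN
# (the widely published 4111... test number, not a real card), a booking ref
# that is also a long digit run, and a phone number.
HOTEL_NOTES = """Guest A. Smith, room 204, checkout 2018-06-16
Card for minibar: 4111 1111 1111 1111 exp 12/22 (left by front desk)
Booking ref 20180614-000312, phone +44 20 7946 0958"""

def luhn_ok(digits: str) -> bool:
    """Luhn check so that booking refs and phone numbers are not flagged as PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")

def find_pan_like(text: str) -> list:
    """Return Luhn-valid 13-19 digit runs found in notes, exports or logs."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits

class BankVault:
    """Stand-in for the bank/PSP side: the only place a PAN ever exists.
    In practice the PAN is entered on the bank's hosted page, never on the hotel's."""
    def __init__(self):
        self._pan_by_token = {}

    def tokenise(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(8)   # random, not derived from the PAN
        self._pan_by_token[token] = pan
        return token

    def charge(self, token: str, amount_pence: int) -> dict:
        pan = self._pan_by_token[token]
        return {"status": "approved", "amount_pence": amount_pence, "last4": pan[-4:]}

def make_booking(guest: str, card_token: str) -> dict:
    """What the hotel stores: a token it can charge later, never the card number."""
    return {"guest": guest, "card_token": card_token}

def settle_outstanding(vault: BankVault, booking: dict, amount_pence: int) -> dict:
    """Guest left without paying: charge by token, no card data on the hotel side."""
    return vault.charge(booking["card_token"], amount_pence)
```

Running `find_pan_like` over exports, ticket notes and logs is a cheap way to check whether "card data is left on systems" applies to your own property.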
