Join the Community

21,997

Expert opinions

44,168

Total members

415

New members (last 30 days)

152

New opinions (last 30 days)

28,672

Total comments

Join Sign in

National security implications of weak hotel databases

02 July 2010 2 comments

Stephen Wilson

Managing Director

Lockstep Consulting

The Destination Hotels & Resorts cyber security breach is not the first report of credit card details being stolen from hotel databases.

Hotels are a fantastic target for identity thieves. Hotel databases don't just hold credit card numbers and billing addresses (which are held for weeks in advance of a stay and for weeks afterwards to secure incidentals, complicating PCI data retention requirements), but for many customers the hotel also has their home address, driver licence number, airline memberships, arrival flight details, and even their passport number. It's a complete cornucopia for criminals.

And the most dangerous, most difficult to control threat vector in the hotel industry won't be war-driving or SQL injection attacks or any of the other high tech hacking tools used by organised crime. It will be the inside job. Thousands of itinerant hotel workers in every corner of the world have the opportunity to access office systems after hours, and simply download the contents of central databases to a thumb drive.

Has anyone asked the obvious question: Was the hotel PCI compliant? How feasible is PCI-DSS for hotel chains with their horribly decentralised computer systems and untold interconnections with airlines, travel agencies and the like? And as I've discussed previously, what difference would PCI compliance make anyway?

The vulnerability of hotel databases to identity thieves has clear implications for national security. I trust that counter terrorism agencies are working on this problem? Not only do these databases hold credit card, driver licence and passport numbers, but they also tell of the forward travel plans for thousands of VIPs worldwide.

We should expect that organised criminals and terrorist organisations are tapped into hotel databases as we speak, and are mining them systematically.

Stephen Wilson, Lockstep, Australia.

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

5117

Report

Channels

/security /regulation & compliance

Comments: (2)

A Finextra member

05 July 2010

Stephen,

As you imply, current standards and methods appear to be inneffective and I'd suggest virtually pointless.

I can't escape the conclusion that most of that data shouldn't be there in the first place.

I am regularly offered databases of 'customers', ranging from millions of consumer credit applications through to psychologist's treatment and billing records.

The task of securing all that data in the wild is not worth attempting. Pointless. A fantasy not worh promoting. Most of it is already gone.

Better to not need it in the first place (in the doctor's consulting rooms and hotels too).

The recent decision to re-issue Puerto Rico's birth certificates in response to their attractivenes to organised gangs of dodgy visa providers illustrates other risk. They had mass thefts of birth certificates from schools. When was the last time you had to provide an original or copy of a birth certificate for your child to play a sport for instance? Wouldn't original be more reliable? (Did you pay by card? Where is that stuff kept coach? Can't I prove young Harry Jr is 12 some other way? Do you need to know the name of his birth father?)

Obviously original wouldn't be better unless a little thought was put into the process which might not include the use of cards or paper. Otherwise we face almost infinite risk and an unaceptable limit to efficiency in every exchange of trust.

Simply remove the data from the processes and the stolen ID centered data theft issue will vanish with the un-needed and useless data.

New methods of transacting and identity are required. I'm thinking.

Report

Keith Appleyard IT Consultant at available for hire

05 July 2010

It's not even the large multinational chain you need to worry about.

If you consider even a medium size hotel could have 5,000 visitors per annum, especially in a tourist area. I recall staying at a boutique hotel in Oxford for my daughters graduation, and was interested to note that the Hotel Reservation, Booking, Invoicing system was all Excel-based, and yet the Reception was of course un-manned after 11pm and you just let yourself in, and given the turnover of staff the Password was there on a Post-It - all you needed to do was help yourself at 3am.

Report

Stephen Wilson

Managing Director

Lockstep Consulting

Member since

24 Apr 2008

Location

Sydney

More expert opinions

Konstantin Rabin Head of Marketing at Kontomatik