2017 was a peak year for data breaches. In terms of both size (number of records compromised) and frequency of attacks, 2017 stands among the worst years in history, with 2,600,968,280 records breached in more than 1,765 individual incidents, according to the annual Breach Level Index (BLI) report.
Though large-scale incidents like the Equifax breach—in which more than 147 million individual credit card data records were compromised—received the most media attention, the hospitality sector also saw multiple high-profile attacks, including incidents at InterContinental, Hyatt Hotels, and Hilton.
The most significant breach affecting the industry, however, came from an outside partner. In May, the international travel technology company Sabre announced that it had hired cybersecurity firm Mandiant to investigate a suspected data breach incident. By July, more information had come to light: Sabre disclosed that an unauthorized third party had obtained access to its SynXis Central Reservations system, and had viewed customer data including payment card information and personal details such as names, home and email addresses, phone numbers and travel dates.
As one of the world’s largest hotel and airline reservation aggregators, Sabre serves more than 100,000 hotels and 70 airlines, processing transactions worth over $120 billion each year. Given the company’s size and its enormous reach within the hospitality sector, the news of a possible breach was troubling at best.
Sabre Corporation was quick to reassure its customers, partners and investors that the incident was not nearly as damaging as it could have been. It was ultimately revealed that the total number of compromised records was relatively small: fewer than 15% of the average daily bookings on Sabre’s Hospitality Solutions reservations system were viewed, and that system served only a fraction (bookings for about 39,000 hotels) of Sabre’s total client base. Nonetheless, Sabre was required to notify payment card providers, its partners and its customers—as well as the media—about the incident.
It was also subject to a class-action lawsuit filed in California.
Because the attackers had access to the system for a period of seven months (from August 2016 until March 2017), and SynXis retains data only for 60 days, the exact number of records compromised remains unknown.
And the precise identities of the victims cannot be recovered.
Although the consequences of this particular data breach were not nearly as severe as industry experts had initially feared, the incident should serve as a wake-up call to leaders and decision-makers throughout the hospitality sector. Without question, the total number of data breaches in the industry is on the rise. And as attackers continue to innovate in order to uncover new vulnerabilities and deploy more effective strategies, reactive approaches are doomed to fail.
Lesson #1: POS Compromise is the Industry’s Most Prevalent Threat, But Credit Card Data is Vulnerable Elsewhere, Too
According to the 2018 Verizon Data Breach Investigations report, 90% of the breaches that have taken place in the hotel industry so far this year have involved POS intrusions, and the average hotel is 100% more likely than the median business to be targeted at a payment terminal or POS controller.
But the Sabre hack demonstrates that large-scale industry vulnerabilities extend well beyond POS: sensitive and valuable data can be accessed and extracted at many points within the complex IT systems that today’s hospitality industry depends on, and all data needs to be secured everywhere.
Although it’s possible to segment a POS terminal from the rest of your network and limit the number of external systems with which it’s allowed to communicate, it is by definition impossible to prevent a third-party software provider who handles your customer reservation data from accessing sensitive financial information or the Internet.
In fact, the integrated nature of the reservations system could well have been its greatest vulnerability. As risk management experts have observed, the compromised Sabre system was interconnected with multiple other software solutions, including more than 150 different property management, revenue management, CRM and content management applications. The widespread integration of Sabre’s APIs within the travel industry means that a single breach could potentially be exploited in many ways, affecting large numbers of partner companies.
Lesson #2: You Are Only as Secure as Your Weakest Password
The Sabre data breach took place by way of compromised credentials: that is, the attacker leveraged a weak, stolen or unchanged default password to gain access to the system. This remains the most common means by which attackers gain access to vital systems across all industries in 2018.
But complex, integrated platforms like Sabre’s reservation system are particularly vulnerable because they are accessed by many employees within a wide variety of industries, some of which are too liberal in granting user permissions.
The Sabre system also allowed its users to gain access from multiple devices by supplying only a single username and static password. This access management method, known as single-factor authentication (SFA), has repeatedly been proven far less secure than methods relying upon multiple types of credentials to verify user identities. But SFA remains in widespread use due to its low cost and ease of implementation.
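One way a defender can monitor for the pattern described above, a password-only login arriving from a device the account has never used, shown as an added example that is not from the original article or from Sabre. The event format, account and device names, and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real SynXis logs): time, account, device, factors.
EVENTS = [
    ("2017-01-02T08:00:00", "frontdesk01", "dev-A", ["password"]),
    ("2017-01-03T08:05:00", "frontdesk01", "dev-A", ["password"]),
    ("2017-01-03T23:40:00", "frontdesk01", "dev-X", ["password"]),
    ("2017-01-04T09:00:00", "revmgr02", "dev-B", ["password", "totp"]),
    ("2017-01-04T09:30:00", "revmgr02", "dev-C", ["password", "totp"]),
    ("2017-01-04T10:00:00", "frontdesk01", "dev-Y", ["password"]),
    ("2017-01-04T10:20:00", "frontdesk01", "dev-Z", ["password"]),
]

def find_risky_logins(events, window=timedelta(hours=24), max_devices=2):
    """Flag password-only logins from devices new to an account, and accounts
    seen on more than max_devices distinct devices inside the window."""
    known = defaultdict(set)    # account -> every device seen so far
    recent = defaultdict(list)  # account -> [(time, device)] inside the window
    alerts = []
    for ts, account, device, factors in sorted(events):
        t = datetime.fromisoformat(ts)
        single_factor = set(factors) == {"password"}
        # The first login for an account only seeds its baseline.
        if known[account] and device not in known[account] and single_factor:
            alerts.append((ts, account, device, "new-device-single-factor"))
        known[account].add(device)
        # Drop events older than the window, then count distinct devices.
        recent[account] = [(rt, d) for rt, d in recent[account] if t - rt <= window]
        recent[account].append((t, device))
        if len({d for _, d in recent[account]}) > max_devices:
            alerts.append((ts, account, device, "device-fanout"))
    return alerts

if __name__ == "__main__":
    for alert in find_risky_logins(EVENTS):
        print(alert)
```

The account that presents a second factor on a new device (`revmgr02`) raises no alert, while the password-only account is flagged on each unfamiliar device.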
Lesson #3: Prevention is No Longer Possible
Despite their inherent vulnerabilities, large-scale booking engines like Sabre’s SynXis system will remain part of the hospitality landscape for the foreseeable future. The advantages they offer to industry partners and customers are obvious: they make it easier than ever before for consumers to find available hotel rooms, compare prices, and obtain reservations. And they allow independent and boutique hotels to compete successfully with major brands in marketing themselves to worldwide audiences.
With advance knowledge of the vulnerabilities inherent to such systems, hospitality industry leaders can begin to adopt new ways of thinking about data breaches. The simple truth is that intrusion prevention has become impossible, and approaches to data security that are solely preventative in nature will inevitably result in failure.
The necessary mindset shift is clear: leaders must begin thinking of breaches as unavoidable, and begin planning to reduce their costs and mitigate the consequences when they occur.
A managed detection and response provider like Netswitch can help you protect your data by implementing a multi-layered security platform including advanced behavioral analytics able to identify anomalies quickly and reliably—to recognize unusual patterns of file access, network traffic or user behavior—so that intrusions can be stopped before they become breaches, and breaches halted before they have significant consequences.