Security
BY: RON HARDIN

INFORMATION SECURITY: Can’t We Talk About Something Else?

It’s time for HITEC, and there are so many cool things to see and discuss other than information security. Entertainment solutions that work with your guests’ streaming services. High-performance wireless products that can provide a stellar online experience. Guest messaging and engagement platforms that enable actionable real-time data on your customers’ experiences before, during and after their stay. Mobile check-in. Mobile room keys. Operational applications that bring real innovation and competitive advantage to your hospitality business. Voice-activated guestrooms. Robots that deliver room service orders. Any one of these subjects is the basis for an infinitely more interesting conversation than information security. But recent events and media reports keep bringing us back to this subject. To quote Dr. Seuss: “It may not seem very important, I know, but it is, so I’m bothering telling you so.”

Since we last met on these pages (“Information Security: We’re Doing It Wrong,” Hospitality Upgrade, Spring 2017), there have been four events that warrant further discussion, as much as we’d like to talk about something else:
• 10th Annual Verizon Data Breach Investigations Report (DBIR) Released
• InterContinental Hotels Group Issues Update on Data Breach
• Sabre Reports Data Breach of SynXis Central Reservations Service
• Worldwide WannaCry Ransomware Attack

In a quarterly report, Sabre announced the “unauthorized access by a third party” of its SynXis Central Reservations service, used by more than 36,000 hotel properties. According to Sabre, the scope and methods of the compromise are not yet known. Sabre stated in a follow-up press release that “the unauthorized access has been shut off and there is no evidence of continued unauthorized activity. There is no reason to believe that any other Sabre systems beyond SynXis Central Reservations have been affected.” Sabre reports that it is working with law enforcement, notifying affected customers, and has hired cybersecurity firm Mandiant to conduct a forensic investigation. While Sabre has not released further details, it is the consensus among information security experts in several published articles that compromised credentials – user login IDs and passwords – are the most likely avenue of compromise.

Sabre has sent a letter regarding the SynXis breach to clients, customers and third parties. While the language is worst-case doom and gloom, it still indicates what the company believes could be possible, even if unlikely:

“The costs of this investigation, as well as any other impacts or remediation related to this incident, may be material.

“Any physical or electronic break-in, computer viruses, cybersecurity incidents or other security breach or compromise of the information handled by us or our service providers may jeopardize the security or integrity of information in our computer systems and networks or those of our customers and cause significant interruptions in our and our customers’ operations.

“Failure to prevent or mitigate data loss or other security breaches could expose us or our customers to a risk of loss or misuse of such information, cause customers to lose confidence in our data protection measures, damage our reputation, adversely affect our operating results or result in litigation or potential liability for us.”

Not surprisingly, there is already a class action liability investigation of the Sabre breach. One of the questions sure to be asked in any litigation will be whether Sabre could have made better use of technology solutions such as point-to-point encryption (P2PE) or tokenization.

Certainly, InterContinental Hotels Group (IHG) is a believer in the importance of P2PE. In December 2016, KrebsOnSecurity.com broke the news that IHG was investigating a potential data breach due to multiple common point-of-purchase investigations regarding fraudulent transactions on credit card accounts used legitimately at various IHG properties. It took until February 2017 for IHG to acknowledge the breach, at which time it reported that about a dozen properties were involved from September 29 to December 29, 2016. In April, IHG released data by state on the properties involved, but no summary was provided. According to Krebs, a Danish researcher named Christian Sonne analyzed the state lookup tool, and determined that slightly more than a dozen properties were involved: 1,175 properties across the U.S. and Puerto Rico in the following brands: Holiday Inn Express (781), Holiday Inn (176), Candlewood Suites (120), Staybridge Suites (54), Crowne Plaza (30), Hotel Indigo (11), Holiday Inn Resort (3).

“81% OF BREACHES INVOLVED WEAK, DEFAULT OR STOLEN PASSWORDS.”

Nothing new there – in the 2017 DBIR, Verizon reported that 81%

38 Summer 2017 HOSPITALITY UPGRADE www.hospitalityupgrade.com