Hackers Finding Ways To Access Hotel Card Data

Fraudsters on the prowl for payment card data last year increasingly turned to the hospitality industry as a source for the valuable data, according to the Trustwave Global Security Report 2010 released yesterday.

In an analysis of more than 200 global data breaches the Chicago-based security company investigated in 2009, the hospitality industry, comprising hotels and similar businesses, accounted for 38% of them, up from less than 5% in 2008.

In 2008, the food-service and retail industries had fraudsters’ attention, Nicholas Percocco, senior vice president of Trustwave’s SpiderLabs, tells PaymentsSource. Food-service businesses alone that year accounted for 49% of breaches and retailers 27%. SpiderLabs is Trustwave’s investigative lab.

“At the end of 2008, we started seeing some hotels begin to get compromised,” Percocco says. Mostly, hackers found ways to access a hotel’s point-of-sale system via remote access, such as logging on to the hotel’s network for guests, in some instances while in the hotel.

“Once they were in, they were able to harvest the data,” he says.

Hackers found relatively unsecured hotel networks and used sophisticated malicious software to check for payment card data, Percocco says. Once found, the sensitive data were stored on the hotel’s computer network until uploaded and sent to the hacker.

“These were tools written specifically for the hospitality industry,” Percocco says.

Other industries targeted in 2009 include financial services, accounting for 19% of breaches; retail, 14.2%; food and beverage, 13%; business services, 5%; technology and other, 4% each; and education and manufacturing, 1.4% each.

As in previous years, software-based point-of-sale systems reigned as hackers’ favorite point of entry. In 2009, 83% of the attacks Trustwave investigated originated in POS software. In 2008, 72% of the cases it investigated since 2001 started in the POS software.

“Software POS systems are considered low-hanging fruit to even the novice attacker,” the report says.

Rounding out the list of hacker targets, entry via an e-commerce site accounted for 11% of the 2009 attacks, followed by payment-processing systems at 3%, ATMs at 2%, and Web-based portals and desktop-computer connections to a company’s network at less than 1% each.

Many companies do not realize they are exposed to hackers, which is why so many breaches are occurring, Percocco says. Trustwave investigators often found devices and networks still active when the company thought they were no longer used.

“They can’t secure what they don’t know exists,” Percocco says.

The lesson for 2010, Percocco says, is for organizations to inventory what they have before embarking on new initiatives. “What we found is a lot of information-technology organizations do a good job keeping up with the latest things but haven’t plugged the old holes,” he says.

