Recent hotel data breaches highlight outdated PoS protection
It was déjà vu all over again for hotel management company White Lodging as it announced another data breach earlier this month. The company eventually came clean, admitting point of sale terminals in 10 hotel bars and restaurants had been infected with malware for at least seven months. All this comes despite White Lodging’s appointment of a third-party security firm to beef up internal systems following a more comprehensive data breach a year earlier.
Hotels have long been thought of as a soft target for cybercrooks and, following the fallout from high-profile data breaches, hospitality firms are unsurprisingly reticent about giving away too many details on their front and back office vulnerabilities.
Yet it is not just the hotel sector that could be paying the price for complacency. A recent report suggests a staggering number of retailers are putting themselves and their customers’ sensitive data at risk due to very fundamental mistakes. Data security firm Trustwave has revealed some shocking statistics which could open the malware floodgates for many small stores, hoteliers and travel agents.
"The big issue is not the latest strain of malware, it’s how the malware is getting on your PoS in the first place," says Trustwave VP of managed testing Charles Henderson.
One damning statistic is the fact that 90% of PoS terminals tested by Trustwave still run the six-digit default password the device came with, even though many of these systems date back to the 1990s.
"They haven’t been tested in the same way that the attackers are testing them. It’s not like the hackers are going to the ends of the earth to get malware on these machines," said Henderson.
Henderson says plugging some of the loopholes is neither expensive, too technical nor time-consuming.
"Averaged out of the number of PoS terminals deployed, testing isn’t a big investment as you only need to test one of each type."
"The industry hasn’t learned from parallel technologies – routers for example – which are now mostly supplied already secured," said Henderson.
He also urges businesses to use network segmentation to isolate PoS systems, making malware attacks easier to detect and then contain.
Prior to the latest malware strike at White Lodging, upscale hotel group Mandarin Oriental was the latest big name in hospitality to suffer a PoS breach. According to the company, the incursion was "undetectable by all anti-viral systems", leading other security experts to suggest its PoS hardware was outdated and inadequate.
"This breach has once again brought to light concerns around PoS systems, which are often built on antiquated technology," says Andrew Avanessian, executive vice-president of consultancy and technology for security firm Avecto.
"These terminals tend to be legacy systems run on Windows XP for example, which are not patched regularly. Though XP expired last year, there is still a perceived supportability of POS via limited patching until 2016, due to a 10-year license of embedded systems, so a lot of organisations are sticking with it for the next year, despite its risks."

TravelMole Editorial Team
Editor for TravelMole North America and Asia Pacific regions. Ray is a highly experienced (15+ years), skilled journalist and editor, predominantly in travel, hospitality and lifestyle, working with a huge number of major market-leading brands. He has also covered in-depth news, interviews and features in general business, finance, tech and geopolitical issues for a select few major news outlets and publishers.