Managing Risk in an Inhospitable Environment: The Restaurant and Hospitality Industries are an Alluring Destination for Cyber Thieves

The recent onslaught of cybersecurity incidents and payment card thefts dominate daily headlines and have captured the nation’s attention—from the diner whose credit card was compromised during a data breach to the President of the United States who recently advocated passage of national data breach legislation: everyone has a stake in this issue. Beyond the headlines, however, the hospitality and restaurant industries are under constant attack by cyber thieves attempting to breach point of sale (PoS) servers and any other crack in their digital infrastructure. And while the data breaches reported by Target, Michaels and Neiman Marcus dominated the headlines, cyber thieves focused much of their attention on food, beverage and hospitality providers. The quick take away is that where data can be obtained and monetized, it will be stolen and the restaurant and hospitality industries are an alluring destination for cyber thieves. The PoS Problem In 2012, credit card and debit card fraud resulted in losses of $11.27 billion. While the total cyber theft losses for 2013 are not yet known, over 342 million identities were compromised in 2013. It appears that the most common cyberattack, and perhaps the most devastating economically and reputationally, involves the compromise of PoS servers or devices. In these attacks, criminals are able to remotely install malware on PoS systems that “scrape” data from the magnetic strips of credit and debit cards during the card authorization process. This process occurs during the milliseconds it takes for the data to travel through the live memory of a computer, where it appears in plain text, and before it is encrypted and stored on the PoS system. As the data is “scraped,” it is exfiltrated from the PoS system and sent to offsite servers where it is harvested by the thieves. Why do the thieves target the PoS systems? Because that is where the money is. The PoS systems are heavily used and relied upon by restaurants, hotels and other hospitality businesses. The PoS devices are where all customer payment card information is gathered, and where purchases are recorded and finalized. They are used by businesses of all shapes and sizes—from national hotel chains to mom-and-pop coffee shops. Yet, unfortunately, PoS systems are particularly vulnerable to attack. According to a Trend Micro report, it is “mostly because of their role and exposed location in the [company’s] network.” The PoS systems have multiple entry points, they are generally weakly protected, and their ubiquitous use by restaurants and hotels (large and small) make them an appealing target for even the least-sophisticated cyber thief. They are such an appealing target that in the first quarter of 2014 alone, seven times more PoS intrusions occurred than in all of 2013. Similarly, the Trustwave 2014 Global Security Report (2014 GSR) and the Verizon 2014 Data Breach Investigations Report (2014 DBIR) highlighted the special vulnerability of the hospitality sector, noting that the majority of U.S. breaches involved brick-and-mortar hospitality and retail businesses with large, nationwide payment networks, with hospitality and food and beverage ranking in the first and second most affected by PoS intrusions.[1] There is a lot of discussion about how a conversion to a “chip and PIN” system will solve the problem. While it will enhance security, it will not be the ultimate panacea. As with any system, there will be vulnerabilities that will be exploited. The weakness of a chip and PIN system will primarily lay in the nature of encryption, and it will not protect online or telephonic purchases, nor will it stop the rogue employee. A Hacker’s Entry Point In an attempt to improve service levels and reduce queue times at brick-and-mortar stores and restaurants, employees are increasingly being issued mobile devices enabled with PoS functionality. To control costs, businesses often choose common consumer devices with attached card readers instead of specialized PoS hardware. They then enable the mobile software to communicate with their existing sales and logistic infrastructures. These devices often don’t include the proper encryption key management. The assumption that data is safe because an internal device is being used on an internal network creates a dangerous vulnerability. But even if the PoS server is “locked” down, it isn’t the only cause for concern. Like all industries, intrusions via email, employee devices, and third parties who are connected to a company’s system are all potent points of entry for cyber thieves. With the complex interconnectivity of innocuous devices like videoconference equipment, printers, HVAC systems and vending machines, combined with reliance on older operating systems and poor network construction, it is a constant scramble for companies to identify their vulnerabilities. Mobile device theft is another issue. Thefts of mobile electronic devices are reaching epidemic proportions. Law enforcement authorities in major metropolitan areas across the United States reported annual increases in smart phone theft ranging from six to as much as 23 percent. An estimated 3.1 million devices were stolen in 2013, nearly double the amount stolen in 2012. While this problem isn’t unique to employees in the hospitality industry, given the data stored in their employer’s PoS systems, they need to be counseled to not place any business-sensitive data on their smart phones, to not connect to their employer’s systems with their smart phones, and to take extra precautions to avoid becoming victims of mobile device theft. Really, Size Doesn’t Matter Some businesses have a false sense of security due to the small size of their business, thinking that cyber thieves are only focused on the “big” targets. Unfortunately, cyber thieves don’t discriminate based on the size of the enterprise. The majority of attacks, 71%, target small businesses. If data can be accessed, it will be stolen. In January 2014, a company that maintains hotel franchises under several nationwide brands determined it suffered a data breach that exposed credit and debit card information on thousands of guests throughout much of 2013. The company manages 168 full service hotels in 21 states, with more than 30 restaurants. The company stated that the breach appeared to affect 14 of its hotels. Other sources indicated the breach affected mainly restaurants, shops and other businesses within the hotels. In February and April 2013, multiple regional grocery chains in the U.S. suffered data breaches that exposed customer payment card information. Then in late December 2013, a local Boston restaurant chain with ten restaurants and bars had its computer systems breached, resulting in the theft of thousands of customer data sets from credit card magnetic strips. The Executive Director of the Massachusetts Convention Center Authority summarized one of the reasons for the breaches when he stated, “[t]here’s a lot of innocent ignorance about this subject.” It should also be noted that intermediaries, such hotel booking services, have also attracted the attention of cyber thieves. These business-to-business service providers allow hotels to communicate availability and pricing information to travel websites and agencies. They also send booking and payment data back to the hotel, allowing them to accept bookings from global travel sites. The cardholder data is often stored from the time of receipt to sometime after checkout for the purpose of calculating cancellation fees. Regulators have traditionally not focused on booking service providers because they don’t process payments themselves. Unfortunately, this lack of scrutiny has led to insecure controls, resulting in the compromise of repositories of stored cardholder data. What Steps Can You Take To Prevent Data Theft? Several things should be done now in order to avoid or mitigate the crisis tomorrow: Identify existing vulnerabilities and potential vulnerabilities. A gap analysis will determine existing vulnerabilities—the difference between where the system is and where it should be, according to internal standards or external standards dictated by regulatory environments. This involves a review of internal administrative, physical and technical practices. A comprehensive risk assessment should also be conducted on a regular basis. The regular risk assessment will continue to help to identify vulnerabilities and determine the likely risk of a security incident. When you engage in these activities, be ready to promptly document and correct any deficiencies found. You may want to consider engaging outside counsel to facilitate both the gap analysis and the risk assessment, as “gaps” or vulnerabilities that are identified and addressed can be corrected under the direction of outside counsel and thus protected to some degree by the attorney-client and perhaps other evidentiary privileges. Create the most secure environment possible. Follow the appropriate information security practices, including those required under the payment card industry data security standard (PCI DSS) on a 24/7 basis—it isn’t a matter of just running an annual assessment test or completing a certification to comply with a regulatory authority. Security programs are ongoing, with regular and periodic system assessments to identify the existence of vulnerabilities, so that appropriate adjustments can be made in the constant fight against cyberattacks. The ultimate goal is to make the PoS system a “hard” target, to which it is as difficult as possible to gain unauthorized access. The following are several general suggestions about how to secure PoS devices. Management must engage information technology personnel to ensure that best practices are being followed and to determine which approaches are appropriate to the context and scale of the enterprise:

• Use the most current version of the PoS operating system. Ensure that only the most current version of the PoS operating system is installed and that the PoS operating system is timely updated with new versions;
• Update PoS software applications. Ensure that POS software applications are using the most current updated software applications and software application patches. Like computers, POS systems are vulnerable to malware attacks when required updates are not downloaded and installed on a timely basis;
• Use strong passwords. During the installation of PoS systems, installers often use the default passwords for simplicity on initial setup. PoS system owners must change the passwords to their PoS systems on a regular basis, using unique account names and complex passwords;
• Use a firewall. Firewalls should be used to protect PoS systems from outside attacks. A firewall can prevent unauthorized access to, or from, a private network by screening out traffic from hackers, viruses, worms, or other types of malware specifically designed to compromise a PoS system. A key tenet of the PCI DSS is that network segmentation and firewalls are essential. Host- and network-based firewalls should be used as part of a layered security approach. Traffic to and from the PoS system should only be allowed if it is similarly hardened against attack. Where possible, the traffic should also be monitored by an intrusion detection/prevention system to detect and/or prevent attacks;
• Use antivirus software. Antivirus software programs work to recognize software that fit current definitions of malicious code and attempt to restrict access by that malware to the system. It is important to continually update the antivirus programs for them to be effective on a PoS network. Antivirus software is not a panacea, in that it is extremely difficult to keep up with signatures of newly created strains of malware, but it is a necessary part of a layered defense;
• Employ white listing. Access to the PoS system should be limited to specifically authorized users, devices, and applications so that the PoS system can be locked down to its intended uses, users and applications;
• Limit internal physical access. The physical PoS device only be accessible to specific personnel on a need to access basis. This includes the physical repair and/or upgrade of the PoS device so that only vetted and trusted personnel have access to it;
• Routinely delete card holder data. When card holder data is no longer needed in the PoS system, it should be properly deleted to reduce the risk of theft and misuse;
• Restrict access to the Internet. Access to PoS systems must be restricted to prevent users from accidentally exposing the PoS system to security threats existing on the Internet. PoS systems should only be used online to conduct PoS-related activities and not for general Internet use; and
• Disallow remote access. Remote access allows a user to log into a system as an authorized user without being physically present. Cyber thieves can exploit remote access configurations on PoS systems to gain access to these networks. To prevent unauthorized access, it is important to disallow remote access to the POS network at all times.

Prepare an incident response plan. Preparing for a security incident is part of the “prevention” phase in managing the risk of a potential security incident. Given that the occurrence of a breach is more likely a question of “when,” rather than “if,” having a plan in place that enables an organization to effectively and efficiently respond to security incidents will mitigate any adverse impacts. Obtain cyber insurance. Managing risk in a digital infrastructure is an increasingly complex and challenging problem—one that can’t be completely mitigated through technology. Moreover, the cost of a data breach is increasing. The average organizational cost of a data breach in the U.S. is expected to increase from $5.40 million in 2013 to $5.85 million in 2014. The average cost of data breach notification alone in the U.S. is $509,237. The challenge is that premiums and limits of liability vary widely, and organizations must exercise care to identify their unique risks and obtain coverage for those risks at costs they can reasonably absorb. All businesses have the opportunity today to “harden” their networks and protect consumer payment card information—before there is a problem. The failure to follow “reasonable” security practices before a breach will lead to higher incident response costs, class action litigation, government investigations and enforcement actions, a loss of consumer confidence and revenues. At that point, you will likely have to take all of the steps listed above (and more), then report your compliance to the Federal Trade Commission for the next twenty years…