The theft of credit card data from the Mandarin Oriental hotel group highlights the security risk of legacy point of sale (POS) systems, say security experts.
The hotel group has confirmed credit card data was stolen from an “isolated number” of payment card systems at hotels in Europe and the US, after the company’s network was hacked.
The company said the forensic investigation has so far revealed that the breach affected only credit card data and no other personal guest data or credit card security codes.
Mandarin Oriental has not yet provided details of how many hotels or customers are affected, but said POS systems at some of its 45 hotels had been infected with data stealing malware.
The company said it has identified and removed the malware and is co-ordinating with credit card agencies, law enforcement authorities and forensic specialists to improve its cyber defences.
“This breach has once again brought to light concerns around POS systems, which are often built on antiquated technology,” said Andrew Avanessian, executive vice-president of consultancy and technology services at security firm Avecto.
“These terminals tend to be legacy systems run on Windows XP for example, which are not patched regularly. Though XP expired last year, there is still a perceived supportability of POS via limited patching until 2016, due to a 10-year license of embedded systems, so a lot of organisations are sticking with it for the next year, despite its risks.”
POS replacement from first principles
Avanessian said organisations wishing to revamp their POS systems should not only rip out old systems to install new, more secure Windows platforms.
“It should be more about understanding and refining existing systems by going back to basics: altering existing permissions and management of privileges, and controlling how programs are allowed to interact with the wider company network,” he said.
Mandarin Oriental issued the standard statement about taking the protection of customer information very seriously, but added that, while it has “leading data security systems” in place, the malware used in the attack is undetectable by all anti-virus systems.
“Unfortunately, incidents of this nature are increasingly becoming an industry-wide concern and we have therefore also alerted our technology peers in the hospitality industry,” the hotel group said.
In an attempt to assure customers, the company said customers can be confident that security protocols are being thoroughly tested at all hotels to protect guest information.
Mandarin Oriental said it has executed additional security protocols, but would not provide details.
Rich pickings for cyber criminals
It advised customers to monitor credit and debit card statements and to report unauthorised activity.
According to financial industry sources, the compromise probably dates back to just before Christmas 2014, said security blogger Brian Krebs.
He suggests payment card data had been stolen from compromised POS terminals at restaurants and other businesses in the hotels.
“This was the case with hotels managed by White Lodging Services Corp., which last year disclosed a breach that impacted only restaurants and gift shops within the affected hotels,” Krebs said in a blog post.
He said it will be interesting to see how much the stolen cards are worth if they go up for sale in the underground card markets.
“I’m betting these cards would fetch a pretty penny. This hotel chain is frequented by high rollers who likely have high or no-limit credit cards,” he said.
Luxury hotels yield big cyber crime returns
Considering Mandarin Oriental is aimed at the luxury market, the biggest loss for the company will not be in the cost of customer notification and breach cleanup, but in brand damage, said Kevin Epstein, vice-president of advanced security and governance at Proofpoint.
“Restoring consumer confidence is paramount. To that end, subsequent disclosure of the attack source and implementation of new, modern protective systems to prevent recurrence are also good steps to take, quickly,” he said.
Luxury hotel chains are rich pickings for cyber criminals. “The credit-card numbers alone, sold online, could be worth double-digits apiece even before being used to tap consumer lines of credit,” said Epstein.
“This theft could easily net the initial attackers many millions of dollars, with subsequent fraudulent use of the cards raising that by an order of magnitude or more.”
Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
Related content from ComputerWeekly.com
RELATED CONTENT FROM THE TECHTARGET NETWORK