Wyndham's Computers Hacked -- Again! Are Hotels Easy Prey?

Last Updated Mar 2, 2010 5:50 PM EST

Wyndham Hotels & Resorts that thieves hacked into the hotel chain's networks to steal credit card information for the third time. The security breach happened some time between October 2009 and the end of January 2010, when it was finally discovered by the company. The company then hired an assessment firm to do forensics on the incident. From ZDNET UK:
"Briefly stated, an unauthorised user took over an authorised account and used that account to acquire credit card numbers from certain Wyndham-branded properties," the hotel chain's director of media relations, Evy Apostolatos, said on Monday. "Fortunately, the incident was identified and quickly shut down."

The hacker gained access to one of Wyndham Hotel Group's datacentres by going through centralised network connections, the company said in an open letter to customers on 18 February. Credit card data was then systematically moved to a URL outside the Wyndham network.

Although Wyndham declined to say how many guests or hotels were affected, I think it's logical to assume thousands of people's credit cards have been compromised. Wyndham also offered a FAQ for those customers who might be affected, including tips on how to freeze one's credit.

Security expert Nicholas Percoco, from Trustwave SpiderLabs, said that hackers target hotels because they are easy and it can take a long time -- on average, about five months -- until they are discovered. In a 2009 study by Percoco, 38% of all breaches were in the hospitality industry, higher than even the financial services or retail sectors. From Darkreading:

Nearly half of these attacks occur via remote access applications, of which 90 percent exploit default or weak passwords, according to the report. Around 42 percent of attacks occurred via third-party connections; 6 percent, SQL injection; 4 percent, exposed services; and 2 percent, remote file inclusion attacks. Interestingly, less than 1 percent began with an email Trojan.

Around 54 percent of the attacks used malware to harvest stolen data: More than two-thirds (67 percent) deployed memory parsers; 18 percent, keystroke loggers; 9 percent, network sniffers; and 6 percent, malware that the bad guys control who accesses the malware, such as in ATM attacks, according to Percoco.

But the main problem remains that since many properties are operated and owned independently by franchisees, computer security isn't uniform. Which is too bad, since any computer at these locations are on Wyndham's central network and cybercriminals can use lax security to open the door to millions of credit card numbers.

If we use the analogy of a door for computer security, then Wyndham Hotels & Resorts has a few hotels with high-tech bank vault doors, some with sensible but secure deadbolts and still others have swinging saloon doors open to anyone. Unless Wyndham requires its properties to have uniform and solid security measures, these data breaches will continue. Perhaps it may take customers avoiding the hotel chain for Wyndham to realize the extent of their security risk.

Photo: powtac