In a departure from our usual destination-focused articles, we shift our attention to the global hospitality industry to discuss the recent WannaCrypt ransomware, cyber security and the implications for industry; including large brands, small business operators, industry associations and customers.
WannaCrypt makes global headlines
‘Ransomware cyber-attack threat escalating – Europol’ a BBC Technology News headline greeted us on Sunday, 14 May 2017 as we returned from Portugal.
This was the latest assessment by the European Union Agency for Law Enforcement Cooperation (Europe’s top cops), of the nasty WannaCrypt (a.k.a “Wanna Decryptor”, “WannaCry”, “Wcry”) ransomware cyber-attack which first gained global attention the Friday before.
Conservative estimates suggested that over 200,000 victims in 150 countries had been affected at the time of that news report.
Check out this NYT post, they made a really cool time based map with my data https://t.co/K7lVjagq29
— MalwareTech (@MalwareTechBlog) May 13, 2017
Ransomware (a form of malicious code which allows an attacker to lock a user’s files on an infected computer and demand a ransom in order for the victim to recover them) indiscriminately affects individuals and organisations alike.
Although the WannaCrypt ransomware affected multiple industries and services across the world, it had a particularly nasty impact on the United Kingdom’s National Health Service (NHS), hampering the operations of many hospitals, pharmacies and GP surgeries and directly putting many lives at risk.
Global hospitality: A high value target for cyber criminals
In a non-ransomware incident, while reviewing bank statements ahead of a recent trip, we noticed a suspicious payment to a hotel in Iowa, USA. We’ve never been to Iowa.
We use this particular card exclusively for foreign travel and sadly, this wasn’t the first time it had been compromised (USA we’re looking at you). A quick call to our card provider’s fraud hotline flagged the payment and resulted in the card being cancelled immediately.
The WannaCrypt cyber-attack and this latest fraud on our payment card have had us thinking seriously about the state of cybersecurity in the hospitality industry. With terrorism often taking centre stage, major industry trade conferences (WTM, TBEX, ITB Berlin) either hardly address the cyber threat or do not go far enough.
The global hotel industry revenue was predicted to reach $550 billion (USD) in 2016. This makes large and small businesses and individuals working in this industry high-value targets for cybercriminals. Even industry trade associations like the Association of British Travel Agents (ABTA) are not spared.
WannaCrypt ransomware and other industry security concerns
At the time of writing this, no hospitality brands have been identified as WannaCrypt victims. However, ransomware is a concern for the hospitality industry.
Our own research shows that the top three industry concerns are: payment card system compromises (accounting for 96% of breaches affecting this sector according to Verizon), supply-chain risks and an indifferent attitude to security risk management by executives.
Prominent security researcher and blogger Brian Krebs has tracked fraud related to compromised payment cards, ATMs and point-of-sale (PoS) terminals for years. Assessing the recently reported breach at travel industry giant Sabre Corp.’s hospitality unit, Brian noted similar breaches at other industry brands including: Hilton, IHG, Oriental, Starwood and Hyatt.
“In many of those incidents,” Brian reports, “thieves planted malicious software on the point-of-sale devices at restaurants and bars inside of the hotel chains.” Unsurprising to those who follow IT security news, many of the breaches were caused by known vulnerabilities that could have been fixed by applying readily available patches.
Cyber security breaches continue to hit the global hospitality industry. @Sabre_Corp and @IHG latest victims https://t.co/PixGJeTD8y
— Hey Dip Your Toes In (@dipyourtoesin) May 8, 2017
Another industry concern is the exposure of many hospitality brands to compromises which originate outside of their networks, often from third-party vendors who provide on-premise or remote (e.g., cloud-based) software, hardware and PoS solutions and services. As hospitality brands pursue an asset-light strategy, this supply-chain exposure is set to increase.
Other areas of concern include website vulnerabilities, property management systems connected to IT networks (which host critical accounting, marketing, booking/reservations and CRM systems) and the privacy of personally identifiable information which could expose customers to identity theft and fraud.
ETOA, the leading trade association for Europe’s tour operators and suppliers, predicts a continued rise in online bookings, including bookings through online travel agents (OTAs). This trend implies a potential increase in attack vectors for internet facing systems.
Data analytics presents an opportunity for hospitality brands to unlock the potential within their customer data, thereby helping them to deliver more personalised customer experiences and build stronger relationships. Ransomware attacks could render customer data inaccessible and cause total system failure.
Finally, with brands increasingly relying on technology (including emerging artificial intelligence platforms) and interconnecting systems to improve customer experiences, the security and privacy of customer data has never been more important.
From complacency to action
When discussing security breaches, it is often better to think in terms of ‘when’ rather than ‘if’ they happen. Unfortunately, attitudes across many large and small hospitality brands remain indifferent to this reality.
“A cyber criminal’s greatest ally is complacency. Whether you are a Fortune 500 company or a family-owned business, if you don’t take cybersecurity seriously, you are at significant risk of being attacked,” says Paul van Kessel, Global Advisory Cybersecurity Leader at Ernst & Young.
The Ernst & Young 2017 Global Hospitality Insights report advises companies to be prepared to quickly detect an attack, correctly diagnose the causes and mitigate financial and reputational damage.
Why are orgs vulnerable to ransomware like #WannaCry? (And will it strike our smartphones next?) @Mikko weighs in. https://t.co/gwovsLuCHY
— Kristie Lu Stout ✌🏽 (@klustout) May 15, 2017
Hospitality brands need to adopt an integrated approach to cyber security, one which begins with us, the customers, and extends all the way to their third-party vendors. The ‘tone from the top’ (referring to executive leadership and support) is also critical if brands are to respond effectively to cyber-attacks.
Microsoft’s security bulletin MS17-010 describes the flaw that allowed the WannaCrypt ransomware to spread so rapidly: a vulnerability in a service which computers running versions of Windows (mostly XP and Windows 2003 Server) rely upon to share files and printers across a local network.
In the light of this recent attack, companies that can afford to should consider replacing outdated systems and patching vulnerable PoS terminals, desktops and servers. In addition, implementing network monitoring for active threats and vulnerabilities is a wise move.
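As an added illustration of the patch-and-harden advice above (this script is not from the original article), the following PowerShell audits a single Windows host for the conditions WannaCrypt relied upon. It assumes that the file-and-printer-sharing service described above is SMB version 1 (SMBv1), that the host runs Windows 8 / Server 2012 or later so the SmbShare and NetTCPIP cmdlets are available, and that it is run from an elevated session; the function and variable names are the author's own.

```powershell
# Added example, not the article's own code: audit a Windows host for SMBv1 exposure.
# Assumptions: the vulnerable sharing service is SMBv1; Windows 8/Server 2012 or later;
# run as Administrator so Get-SmbServerConfiguration and the feature cmdlets work.
#Requires -RunAsAdministrator

function Get-Smb1Exposure {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ComputerName       = $env:COMPUTERNAME
        Smb1ServerEnabled  = $null   # SMBv1 server protocol switched on?
        Smb1FeaturePresent = $null   # SMB1Protocol optional feature installed?
        Port445Listening   = $null   # SMB port open on this host?
        LastPatchInstalled = $null   # most recent hotfix, to compare with the MS17-010 release (14 March 2017)
    }

    # Is the SMBv1 server protocol enabled?
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cfg) { $result.Smb1ServerEnabled = [bool]$cfg.EnableSMB1Protocol }

    # Is the SMBv1 optional feature present and enabled? (may be absent on some server SKUs)
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature) { $result.Smb1FeaturePresent = ($feature.State -eq 'Enabled') }

    # Is TCP 445 listening? Even when it must stay open on the LAN, it should be blocked at the perimeter.
    $listener = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $result.Port445Listening = [bool]$listener

    # Most recently installed update, so an operator can see whether patching has stalled.
    $hotfix = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    if ($hotfix) {
        $result.LastPatchInstalled = "$($hotfix.HotFixID) on $($hotfix.InstalledOn.ToShortDateString())"
    }

    [pscustomobject]$result
}

function Disable-Smb1Server {
    # Turns off the SMBv1 server protocol; SMBv2/SMBv3 clients are unaffected.
    # Confirm first that no legacy devices (old PoS terminals, printers, NAS boxes) still need SMBv1.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
}

$report = Get-Smb1Exposure
$report | Format-List
if ($report.Smb1ServerEnabled) {
    Write-Warning "SMBv1 server is enabled on $($report.ComputerName): apply MS17-010 and run Disable-Smb1Server once legacy dependencies are ruled out."
}
```

The audit and the change are kept in separate functions on purpose: a hotel or restaurant operator can run Get-Smb1Exposure across a fleet of PoS terminals and back-office machines to build an inventory first, and only call Disable-Smb1Server once any device that still depends on SMBv1 has been identified and replaced or isolated.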
More actions for brands and customers
Hospitality brands must determine what customer trust and brand reputation is worth to them and take the necessary steps to protect those assets.
Small business operators (e.g., restaurants) with little or no budgets for security, but who rely on larger brands for payment and reservation technology platforms, should pay more attention to the security credentials (e.g., PCI compliance) of their providers and what support (if any) they provide before and during a security incident.
We as customers must educate ourselves about staying safe online and exercise vigilance on our transactions before, during and after engaging with brands. We must also begin to demand more transparency from those we entrust with our personal data.
Industry trade associations could do more to raise awareness and provide forums where stakeholders can share intelligence and hold each other accountable for improving security and privacy across the hospitality ecosystem.
The WannaCrypt ransomware may be the latest high-profile cyber-attack making headlines, but it certainly will not be the last.
Suggested further reading
- Six immediate steps for protecting organisations and reducing the impact of ransomware attacks
- Verizon 2017 Data Breach Investigations Report (DBIR), 10th edition [pdf] (pages 14 to 16)
- Practical advice for protecting your card payment systems and customers
Omo Osagiede, co-founder of and contributor to HDYTI, is also an information security and risk management professional. He is available for data security and privacy risk consulting and advice, guest writing and speaking engagements.