When the Hilton Worldwide hotel group suffered a data breach the news was met with some surprise. Many expected the hotel chain to have better security in place, and it soon became clear the attack dated back more than a year.
So what do we know? Firstly, it’s claimed the attack originated from a Point of Sale (PoS) terminal which was infected with malware. While customer addresses and PIN codes were not compromised, credit card numbers, names and security codes were. Secondly, the attackers came back for more. The original attack took place between 18 November – 5 December 2014, with a second attack carried out 21 April – 22 July 2015. That suggests security mechanisms were not up to scratch, both in detecting the original breach and in preventing a second wave. Hilton has since claimed it has strengthened its security.
So why has this happened? It’s likely that the malware was deliberately targeted to exploit weaknesses specific to this industry, demonstrating the importance of sharing sector-specific threat intelligence. Trump Hotels, Starwood and the Mandarin Oriental Hotel Group had all been targeted over recent months. And the attack was engineered to exploit a weak point in many industries: the link to a third party supplier.
The attack bears comparison with the Target data breach two years ago, which saw the compromise of 25 PoS terminals and was found to have originated from a heating, ventilation and air conditioning (HVAC) subcontractor which was privy to certain network credentials. Both go to show how difficult it can be to secure the supply chain.
Systems serviced or provided by external suppliers can often be the Achilles’ heel of credit card processing operations. Supplier relationships are often built on trust, and retrofitting indemnity and liability clauses into contracts can be awkward at best. Many organisations rely on annual audits under standards such as ISO 27001 as a catch-all solution, but this can miss potential weak spots when new processes are put in place or new systems are brought online.
For now, organisations must steer their own supplier management policies. Start by listing the suppliers you do business with and classify them according to their relationship with you. Go further back, from Tier 1 to Tier 2 and beyond, to ensure you understand how your data is used at each level. Involve suppliers in the process so they are not alienated by it, but without overburdening them. Look at the frequency with which you assess channels of communication and data management processes: is it monthly, quarterly or annually? No doubt Target thought any data held by an HVAC supplier would be worthless. They were wrong.
We don’t yet know the full extent of the Hilton Worldwide data breach, and without full disclosure there’s no way of knowing how deep-rooted the attack became, which makes it even more difficult for organisations to learn from one another’s experiences. Greater transparency post-breach has to be the way forward, together with better supply chain security and, dare I say it, regulation. There is currently no de facto supply chain security standard. Perhaps that would be a good place to start.