InterContinental Hotels Group (IHG), which was hit by a data breach late in 2016, recently confirmed that the breach, first reported around April 17th by security journalist Brian Krebs, was caused by a malware attack. Initially thought to affect a dozen or so properties, the investigation has found that more than 1,200 hotels within the IHG brand were affected. With a network of more than 5,000 hotels in more than 100 countries, only time will tell whether the list of breached hotels will continue to grow. What is known so far is that malware was installed on the front-desk point-of-sale (POS) systems of affected hotels and captured customer debit and credit card data as it passed through those systems.
Malware has been the culprit in many high-profile data breaches, compromising POS systems to harvest clear-text cardholder data that is later sold on the black market, costing companies hundreds of millions of dollars, damaging their reputation and brand, and shaking consumer confidence. For 2016, the Identity Theft Resource Center (ITRC) counted 1,093 data breaches, a 40% increase over the 781 recorded in 2015. Hotels are especially at risk of POS breaches because payment card data is handled on multiple terminals across each property and shared between them over the course of a stay. Customer card information is often provided to the hotel before the guest even arrives, through the booking process. All of this gives cybercriminals multiple opportunities and points of entry for malware attacks.
About 90% of POS data breaches are due to malware, and Verizon's 2015 Data Breach Investigations Report (DBIR) counted roughly five malware events per second, or about 170 million a year. There are many families of POS malware, differing in how they get onto a system and how they exfiltrate data, but all share the same goal: running on the POS host and capturing cardholder data, typically by scraping the process memory where the card number sits briefly in clear text between the card reader and the payment application.
According to Bluefin Payment Systems, there are two security paths a business can take in the fight against malware: defend the fort or devalue the data. With the former, merchants build stronger, higher walls around their systems and data, installing and maintaining all of the controls specified in the PCI DSS: firewalls, intrusion detection, continual patching, 24/7 monitoring and some 330 other requirements. To say the least, this is an arduous and costly effort.
Even with such a program in place company-wide, there may be security holes the IT staff does not know about until it is too late. A PCI assessment is a point-in-time judgement, and this was certainly the case for several major retailers that were assessed PCI compliant only months before attackers exploited vulnerabilities in their systems.
With the devalue-the-data approach, merchants deploy technology that devalues cardholder data before it reaches their point-of-sale systems, so that whatever is captured from the POS is useless to an attacker if it is exposed.
According to the 2016 Cost of Data Breach Study from IBM and the Ponemon Institute, the average total cost of a data breach is now $4 million, with a cost per stolen record of $158, a 29% increase in total cost per breach since 2013. The study also put the likelihood that an organization would experience a breach of 10,000 records or more within the following 24 months at roughly one in four.
As the data breach statistics continue to climb, the big question for 2017 is how organizations will protect themselves.
The PCI Security Standards Council (PCI SSC), which sets the standards for payment security, points to PCI-validated Point-to-Point Encryption (P2PE) as the way to keep clear-text cardholder data out of the merchant environment. Under P2PE, card data is encrypted inside the PCI-approved card reader, under keys the merchant never holds, and is decrypted only in the solution provider's secure decryption environment; the merchant's POS, network and servers only ever see ciphertext. P2PE does not stop malware from infecting a POS host, but it removes what the malware is there to steal: a memory scraper on the host of a P2PE terminal captures ciphertext it cannot use. The caveat is scope: only card data that passes through the validated reader is protected, so card data that enters through other channels, such as the booking process, must be covered separately. By devaluing any data that is stolen, P2PE removes the incentive for attackers to breach the fort in the first place.
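The following is an added example (not code from the article, from Bluefin or from the PCI SSC) that simulates both paths described above in Python with only the standard library: a POS memory scraper is run against the clear-text flow and then against a P2PE flow in which the terminal encrypts the track data under a per-transaction key derived from a base key that only the solution provider holds. The cipher and key derivation (HMAC-SHA256 used as a keystream generator and for per-transaction key derivation) are simplified stand-ins for the DUKPT key management and TDES/AES encryption that PCI-approved terminals actually use; the device identifier and key serial number format, the sample track data, and the class and function names are all constructed for this example.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Constructed sample track-1 data (test PAN 4111 1111 1111 1111, Luhn-valid).
TRACK = b"%B4111111111111111^DOE/JOHN^2512101?"

# --- What RAM-scraping POS malware looks for in process memory -------------
PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: bytes) -> bool:
    """Luhn check; scrapers use it to filter digit runs down to real PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48                      # ASCII digit -> int
        if i % 2 == 1:                   # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scrape_pans(memory: bytes) -> list:
    """Emulate a memory scraper: every Luhn-valid 13-19 digit run in the buffer."""
    return [m.group().decode() for m in PAN_RE.finditer(memory) if luhn_ok(m.group())]


# --- Simplified crypto (stand-in for DUKPT + TDES/AES inside a real reader) ---
def _prf(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


def _keystream(key: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += _prf(key, b"ks", ctr.to_bytes(4, "big"))
        ctr += 1
    return out[:n]


def _xor(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


class P2PEProvider:
    """The P2PE solution provider: the only party holding the base key."""

    def __init__(self):
        self.bdk = secrets.token_bytes(32)  # kept in the provider's HSM, never at the merchant

    def inject_device_key(self, device_id: str) -> bytes:
        # Simplified key injection: a per-terminal key derived from the base key.
        return _prf(self.bdk, b"device", device_id.encode())

    def decrypt(self, blob: dict) -> bytes:
        """Secure decryption environment: verify the tag, then recover the track data."""
        device_id = blob["ksn"].split(":")[0]
        txn_key = _prf(self.inject_device_key(device_id), b"txn", blob["ksn"].encode())
        ct, tag = base64.b64decode(blob["ct"]), base64.b64decode(blob["tag"])
        if not hmac.compare_digest(_prf(txn_key, b"mac", blob["ksn"].encode(), ct), tag):
            raise ValueError("tag mismatch: blob altered or wrong key")
        return _xor(txn_key, ct)


class SecureTerminal:
    """Stand-in for the PCI-approved card reader: encrypts before data leaves the device."""

    def __init__(self, device_id: str, device_key: bytes):
        self.device_id, self.device_key, self.counter = device_id, device_key, 0

    def read_card(self, track: bytes) -> dict:
        self.counter += 1
        ksn = f"{self.device_id}:{self.counter:06d}"   # key serial number, unique per transaction
        txn_key = _prf(self.device_key, b"txn", ksn.encode())
        ct = _xor(txn_key, track)                         # encrypt-then-MAC under the txn key
        tag = _prf(txn_key, b"mac", ksn.encode(), ct)
        # Only the KSN, ciphertext and tag leave the reader; the POS never sees the PAN.
        return {"ksn": ksn, "ct": base64.b64encode(ct).decode(), "tag": base64.b64encode(tag).decode()}


def legacy_flow(track: bytes = TRACK) -> list:
    """'Defend the fort': the POS application handles clear-text track data."""
    pos_memory = b"AUTH " + track                    # what a scraper sees in the POS process
    return scrape_pans(pos_memory)


def p2pe_flow(track: bytes = TRACK) -> tuple:
    """'Devalue the data': the POS only ever handles the encrypted blob."""
    provider = P2PEProvider()
    terminal = SecureTerminal("PED-0001", provider.inject_device_key("PED-0001"))
    blob = terminal.read_card(track)
    pos_memory = b"AUTH " + repr(blob).encode()      # merchant POS process memory: ciphertext only
    return scrape_pans(pos_memory), provider.decrypt(blob)


if __name__ == "__main__":
    print("legacy POS, scraper finds:", legacy_flow())
    found, recovered = p2pe_flow()
    print("P2PE POS, scraper finds:", found, "| provider recovers:", recovered)
```

Running the script shows the scraper pulling the PAN straight out of the legacy POS buffer and finding nothing in the P2PE buffer, while the provider still recovers the track data. Two design points carry over to real deployments: the per-transaction key (here derived from the key serial number) means a captured blob reveals nothing about other transactions, and the authentication tag lets the decryption environment reject a blob that was altered in transit through the merchant's network.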