Tag Archives: Theft

Tech experts clarify ins and outs of door lock security

Hotel guestroom door locks and keycard systems that are connected to the internet pose security risks, technology experts say, but there’s also some widespread misconception about the nature of those risks.

The physical and digital security of hotel guestroom door locks has been a hot topic in the news lately, with the sometimes-sensationalized story of a hacker who extracted a ransom for a hotel’s keycard system.

For some clarity on the issue, Hotel News Now reached out to tech experts who explained what can and can’t happen with electronic door locks, what is vulnerable and how hoteliers can protect their properties and their guests from hackers.

Improved security
Guestroom door locks were traditionally treated as a piece of equipment maintained by a maintenance/building facilities engineer, said Armand Rabinowitz, senior director of strategy and workgroups at Hotel Technology Next Generation. This employee didn’t tend to be well-versed in technology unless they happened to be so for another reason, he said.

“That has changed as the position has become increasingly more technical,” he said. “Ten years ago, electronic locks didn’t need to be, nor were (they) connected to the internet.”

Locks were connected to an encoder or local serial connection, he said, which is a basic protocol that doesn’t travel across internet-connected devices. The physical protocol became outdated as hotels moved to IP-based connections, he said, which requires hoteliers to be careful in how they implement the system.

Everything at Greenwood Hospitality’s properties is on a guarded back-office, closed network, said Paul Wood, VP of revenue generation. The network is scanned for malware and viruses, he said. Locks are sequenced with encoders, he said, and this is a safe process as long as hotels have the system set up correctly.

The code connects the guest key with the lock, he said. Once it hits checkout time, the sequence says it’s time, and the keycard access shuts off.

“From a safety factor/feature perspective, it’s been this way more than 20 years,” he said. “The industry has it down pat.”

Systems today have a long history in the industry, Rabinowitz said, and they’re widely adopted in the world. In most cases, the communication protocols between online door locks are so limited that to transmit a code that would constitute a virus is challenging, if not impossible, he said.

“There would have to be a physical compromise to the point of replacing parts, rendering it unusual by the existing system,” he said.

Training and policies
Hotel managers should treat a door lock system like any other valuable IT asset, Rabinowitz said. That means ensuring all implementation security standards have been put in place for both physical and remote access, he said. There also should be an update process to ensure the system is running on the latest software, he said, and antivirus and security software must be installed on all machines that touch or run any of the lock system-based software.

Click here to read more about Hotel News Now Tech Impact Report Article

 

Filed under Hotel Industry, Hotel Security, Liability, Risk Management, Technology, Theft

The Ransomware Dilemma: Is Paying Up a Good Idea?

The ongoing fight against ransomware attacks and the cyber criminals perpetuating this menace is more than a full-time job. In a cyber world without boundaries, ransomware has become a worldwide problem where no organization is immune to victimization.

According to some security experts, the first known reports of ransomware attacks took place in Russia in 2005. Over the past 10 years, these attacks have spread to all corners of the globe, successfully targeting hundreds of thousands of business systems and home PCs. And, the effects are mounting: the FBI reported ransomware-driven losses of $18 million over a 15-month period in 2014 and 2015.

Ransomware works by making an infected device unusable: it locks the screen or system, encrypts the device's data and then demands a ransom to unlock and decrypt that data. In some cases, once the user’s PC is infected, the ransomware also displays threatening messages disguised as coming from a law enforcement agency in order to appear credible while intimidating the PC owner. Payment is usually demanded in the form of bitcoins, a virtual currency that is untraceable.

This is apparently what happened at Hollywood Presbyterian Medical Center in California in early February 2016 when it fell victim to malware, which locked the hospital’s computer infrastructure. According to reports, to remain operational and continue providing patient care, the hospital was forced to use “old school” methods including paper records, faxing, and good old-fashioned pen and paper.

In a letter regarding the attack, following a bitcoin payment of $17,000, hospital CEO Allen Stefanek stated “…The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.”

Click here to read the entire article: http://bit.ly/2c6mdvh

Filed under Business Interruption Insurance, Claims, Crime, Hotel Industry, Insurance, Management And Ownership, Privacy, Technology, Theft

Join Petra Risk Solutions at CH&LA’s S.A.F.E Forum & Expo

Register today at CH&LA

Filed under Conferences, Crime, Guest Issues, Hotel Employees, Hotel Industry, Risk Management, Theft, Training

What’s your data breach response plan?

While businesses prefer to avoid cyber perpetrators entirely, these days nearly all organizations are at risk of a breach.

As the number of incidents (and claims) continues to rise, the prudent strategy is for firms to not only work diligently to prevent an intrusion, but also to have a plan in place to respond quickly and effectively if they suspect information has been compromised.

A data breach response plan proactively outlines the necessary actions a business must take, providing a framework that can be regularly matched against emerging risks and updated if the firm’s situation changes — for example, if additional staff are added in key data privacy or technology roles or if partnerships are formed that could change the way sensitive information is processed.

Developing a data breach response plan, one that is easy to follow and quick to implement, gives businesses time to prepare the necessary resources and mitigate the damage an exposure can inflict. Leaving key tasks to the last minute, such as scrambling to identify qualified outside legal counsel, is unwise and can significantly impact the timeliness and expense of a breach response. Likewise, pulling the plug on a single server without seeking guidance from an experienced technology expert may not shut down the unauthorized access that caused the exposure, thus leaving the business open to further harm. Worse, it may even erase key information a computer forensics company may need to assist the investigation. Getting the firm’s ducks in a row in advance of any breach is a far more effective cyber mitigation strategy.

One component of many small business breach response plans is accessing the financial and technical support available through a well-structured Cyber Liability insurance policy. Coverage options vary widely, so businesses (or the insurance broker) must carefully examine their needs before crafting a policy. For those firms with lean internal resources and thin financial margins, the right insurance can be a key asset when it comes to implementing a solid breach response plan. Below are three steps that will help organizations mitigate data breach disruptions before they occur.

1. Assemble the team

Who needs to be involved in responding to a breach? Before attempting to pull together more than a cursory list of post-exposure action items, it’s critical that the firm identify those individuals or groups that should be contacted in the event of a potential breach. The team will vary from one business to the next, but most organizations will want to include representatives from the executive group, legal (either internal or an outside consultant), privacy or information security, risk management, information technology, human resources and public relations.

Given the growing reliance on external partners — cloud providers, payroll processors and the like — firms should also consider where vendor touchpoints exist and how or when those third parties will contribute to the breach response process. They may need to be included on the contact list or they may even be responsible for raising the initial alarm if a breach occurs. It’s also important to ensure vendor contracts clearly spell out the company responsible when a breach occurs and who is liable for notifying those impacted. Other vendors are also commonly part of the response team, such as media relations consultants experienced in crisis management and notification firms with the resources necessary to quickly inform breach victims about the situation.

If the business has Cyber Liability coverage, the insurance company should also be part of the breach response plan. There are support services included in many policies that will be helpful in the event of an exposure, ranging from forensic investigation teams to data recovery specialists. To maximize the value of any applicable coverage, firms must be ready to access available features quickly and through the most efficient channels.

Click to read the article

Filed under Crime, Insurance, Liability, Management And Ownership, Risk Management

Insurance Helps Protect Against Data Breach Fallout

Joshua Gold of Anderson Kill speaks about the different types of insurance coverage to protect against data breaches at the Hospitality Law Conference. (Photo: Bryan Wroten)

The past year was a big year for data breaches in the hotel industry, and industry experts say there’s no sign of it stopping any time soon. That means hoteliers not only need to work on prevention, but they also need protection in case an attack does occur.

Panelists in the session “Nailing down responsive cyber coverage that responds to hospitality industry risks” at February’s Hospitality Law Conference told attendees that everything about the current digital age that makes it great, such as connectability and massive data storage, also makes it a risk.

Attempting to list all of the data breaches in the past 12 months would overwhelm the presentation screen, said Joshua Gold, a cyber-insurance attorney at Anderson Kill, and the problem continues to grow.

“It’s getting worse, not better,” he said.

Insuring for different scenarios
Darin McMullen, an attorney at Anderson Kill, said there are four overlapping causes of data breaches at a company:

  • Accidental internal, a common cause of breaches, occurs when an employee loses a device with company business data on it, and it might fall into someone else’s benign or malicious possession.
  • Accidental external breaches occur through third-party vendors or subcontractors who have access to a company’s system or network. While they’re not trying to compromise their client’s security, they may cause harm through their own negligence.
  • Intentional internal breaches happen when a disgruntled employee creates the breach. This can be a common problem in hospitality where turnover can be high. Employees don’t necessarily have to be high-level to access sensitive data.
  • Intentional external breaches are the more traditional hacking events caused by criminal organizations or hacker activists, or hacktivists.

“Some you have control over; some you have virtually no control over,” said McMullen, who added that hoteliers should review their insurance options to protect against different risk exposures.

Gold said he’s working on an insurance claim for a client who had a former employee introduce malicious code into the company’s system. The code fried every controller, he said, causing physical damage to real pieces of hardware. For a networking company, this was a huge loss.

“The insurance company is saying electronic commands can’t cause real property damage,” he said. “It is covered under the literal language, but they don’t want to set that precedent. We will have to sue them.”

When looking for different cyber-insurance policies, Gold said, it’s important to keep in mind all the potential scenarios as some have provisions that exclude what hoteliers might need and think would be included, such as the physical damage in his client’s case. He said hoteliers should work with a savvy broker who specializes in cyber-insurance packages. There are so many different primary forms out there, he said, which can change every three to four months based on what clients face.

For more: http://bit.ly/1TZLnue

Filed under Guest Issues, Hotel Industry, Insurance, Management And Ownership, Risk Management, Technology, Theft

Congress Cracks Down on Hotel Scams

Imagine you’ve been planning all year for your family vacation at the beach. You find the perfect hotel—a spacious room with a view of the ocean and a big pool for the kids—and book the room using an online travel site. The whole family is excited for a week of surf, sand, and relaxation.

Everything is going great until you arrive at the hotel. After a few minutes of clicking around on the computer, the front desk woman asks you to spell your name again. Her brow furrows, and you start to worry. You are exhausted and just want to crawl into a clean bed and get some sleep. What is going on with this hotel room?

Now the manager arrives to help. “When did you make this reservation?” she asks. You tell her and you hear her typing some more. “Could it be under another name?” You feel a sense of panic as you shake your head no. What could be happening?

Finally, the bad news: There is no reservation. The website where you made your booking was a fraud, and now your dream vacation has become a nightmare. Many vacationers, and hoteliers, find themselves in this exact situation. According to the American Hotel & Lodging Association, millions of fraudulent bookings are made every year as these deceptive websites and call centers mislead vacationers by giving the appearance of being connected to a hotel, but actually have no legal relation to the brand or lodging property.

For consumers, the fraud takes several different forms. Unassuming guests could be charged additional hidden fees when they arrive, fail to get the accommodations they requested, lose expected loyalty points, or worse, they could learn that their reservation was never actually made. In the last year alone, close to 15 million reservations were made on such deceptive sites, resulting in hotel guests finding themselves out hundreds of dollars for either a worthless reservation or one that delivered much less than promised. It is estimated that these scams have cost upward of $1.3 billion per year in lost reservations, extra fees or charges, lost rooms, and costly inconveniences.

As you know, hotels are often mistakenly blamed for these fake reservations. Though they do all they can to assist swindled travelers, their reputation suffers as these stories are shared online or by word of mouth.

For these reasons, I have introduced bipartisan legislation with U.S. Reps. Ileana Ros-Lehtinen (R-Fla.) and Bill Shuster (R-Pa.) in Congress to help crack down on call center and online hotel scams. First, our legislation would require all third-party hotel booking websites to disclose, clearly and conspicuously, that they are not affiliated with the hotel for which the traveler is ultimately making the reservation. This new requirement would help consumers tell the difference between name-brand hotel websites and fraudulent ones masquerading as name-brand sites.

Second, our legislation would give state Attorneys General the ability to go after perpetrators in federal court with the same remedies available to the Federal Trade Commission (FTC). Today, only federal authorities can fully penalize individuals who commit online hotel booking fraud. If the offense is small, federal authorities may forgo prosecution to go after more expansive crimes. Giving state Attorneys General the ability to pursue damages and restitution for victims will leverage the power of all 50 states to hold fraudsters of all levels accountable and deter criminals.

Our bill would also require two provisions to help illuminate the true extent of these crimes. It requires the FTC to produce a report on the impact of these fraudulent sites on consumers and it encourages the FTC to simplify its online complaint procedure for reporting hotel booking scams, a request we have recently made in a letter to FTC Chairwoman Edith Ramirez.

My colleagues and I understand that online fraud is a serious problem for not only consumers, but also the entire lodging industry. It is also an especially significant issue for Florida, which is the top travel destination in the United States. With that said, I look forward to continuing to work with the AH&LA to move this important legislation forward to Congress, and tackle these scams. This way, travelers can get back to their vacations and hotels can focus on providing the world-class services that the American hotel industry is known for.

 

For more: http://bit.ly/1Qgrg7k

Filed under Crime, Guest Issues, Hotel Industry, Management And Ownership, Technology

How to Ramp Up Employee Cybersecurity Training

In 2015, the hotel industry suffered unprecedented cyberattacks. In one month alone, Hyatt Hotels Corporation, Starwood Hotels & Resorts Worldwide and Hilton Worldwide Holdings all fell prey to savvy cyber thievery.

Hyatt confirmed hackers used malware to collect cardholder names, card numbers, expiration dates and verification codes from at least 250 hotels globally. Just a few days after the company announced its planned merger with Marriott International, Starwood Hotels also stated malware had been used to steal credit and debit card data that was found on point-of-sale cash registers.

Hilton also began investigating credit card breaches at several of its properties, including its Hilton, Embassy Suites, DoubleTree, Hampton Inn and Suites, and Waldorf Astoria Hotels & Resorts brands. Hilton confirmed the breach and, much like Hyatt and Starwood, cited unauthorized malware that targeted payment card information in point-of-sale systems as the cause of the breach. Additional hotels targeted by hackers in 2015 included The Trump Hotel Collection, Mandarin Oriental and White Lodging Services Corporation.

To help prevent breaches, management should take steps to clearly define employee policies and procedures, which include:

Create protocols for access and transfer of sensitive information

Once a hotel has its IT network secure, only certain individuals should have access to the data. Further, user activity should be monitored using insider threat detection solutions that notify management of suspicious activities, both externally and internally. This includes monitoring applications for phones or computers that have access to sensitive data.

Hoteliers should tighten all network security. Simple ways to help accomplish that include:

  • ensure logins expire after short periods of inactivity;
  • require strong passwords that are never written down in public or unsecured locations; and
  • scan devices for malware every time they are plugged in.

Confirm that off-site technology is secure

Data housed off-site should be routinely backed up, and hoteliers should ensure that Web application firewalls are cloud-based solutions that are secure and encrypted. Hoteliers also should use top-notch anti-malware software and update it routinely.

Securing paper files that might include personal information

Employee files are a major target area for data breaches by way of paper files. They are typically easy to access (particularly in smaller hotels) and provide a significant source of data for a low-tech inside job.

Employee files also might include medical information protected by HIPAA. According to the Department of Health and Human Services, hacking has been involved in the HIPAA breaches of nearly 3 million patient records since 2009. Employees across all industries, including hospitality, should be aware that this highly sensitive information needs to be protected.

For more: http://bit.ly/1mHKrMn

Filed under Crime, Employee Practices, Hotel Employees, Hotel Industry, Management And Ownership, Risk Management, Training

The 2016 Hospitality Law Conference

Intensive Hospitality Education. Exceptional Networking. It’s Not Just for Lawyers.

From development deals to management agreements, from food and beverage liability to labor and employment, and from claims management to anti-trust issues, the latest cases, trends and challenges in compliance, finance, law, risk, safety, and security are up for exploration at the 14th Annual Hospitality Law Conference, February 22-24, 2016.

The Owner Management Summit, co-located with The Hospitality Law Conference – 2016, intersects legal, finance and technology and includes sessions on: who owns the data, who is responsible for the data, development and unwinding management contracts.

The Hospitality Insurance and Loss Prevention Summit, co-located with the Hospitality Law Conference, includes sessions on risk management, the top claims in 2015, and coverages for cyber & data breaches.

Hotel and Restaurant Corporate Counsel have several opportunities to meet with their peers in facilitated conversations to explore common challenges, solutions and law department management.

Also featured during The Hospitality Law Conference – 2016, are break-out sessions and roundtables in Food & Beverage, Lodging, and Human Resources & Labor Relations.

Join Petra Risk Solutions’ very own Todd Seiders for “Discussion of Most Frequent Claims and How to Prevent Them”

 

Slips, falls, breaks, disruptions. If you are involved in the hospitality industry, you face very real threats to your financial well-being and your reputation. A security breach at your property, a slip by a patron, a defect in construction, or a natural disaster are examples of problems that could and should be addressed by your risk management program and your insurance. In this session, Todd Seiders, Director of Loss Control at Petra Risk Solutions, and Allen Wolff, Insurance Recovery Attorney with Anderson Kill, will identify and analyze some of the most frequent claims that arise in the hospitality industry and will offer analysis and insight for managing the risk of such claims, mitigating the losses caused by them, and obtaining insurance coverage for them.

Click here for more information on: TODD SEIDERS
And for more info on the conference: http://bit.ly/1KfrDiI

 

Filed under Conferences, Hotel Restaurant, Management And Ownership, Risk Management

Management Update: “How to Future-Proof Your Hotel Company”

Smart hotel executives spend time dealing not only with the challenges of today but also the challenges of tomorrow. I don’t mean tomorrow as in the day after today. I mean tomorrow as in the future, six months from now, five years from now.

Our copycat industry is historically bad at this. We often take note of obstacles only after we’ve hit them head on. In a daze, we then rush to adopt the tactics of our nearest competitor.

Why? Maybe we’re not looking far enough ahead. Or maybe we’re not looking for the right signals ahead.

Across all industries, executives’ future-proofing exercises typically revolve around the proverbial Next Big Thing—what’s coming down the pike that’s going to change the world as we know it.

During a keynote at this week’s Marketing Outlook Forum, J. Walker Smith of the Futures Company suggested a different tack: The “Vanishing Point” approach.

It’s hard to spot the “Next Big Thing,” Smith said. When they first materialize, they’re often too small to notice. And they come on quickly, which makes it difficult to react when you finally do notice them.

Vanishing Points are the opposite, Smith said. They are the points at which big, established factors of influence wane out of relevance. That creates a vacuum that must be replaced by something new.

Spot them early, and you can begin to anticipate what will fill the void.

It’s like a big tree falling in the forest, Smith said. That allows sunlight to penetrate the canopy and foster growth for something new.

An example: Screens are getting smaller. What once was a desktop became a smaller laptop which became a smaller tablet which became a smaller smartphone. Now wearables are on the rise, and screens are getting even smaller.

“This is the big vanishing point,” Smith said. “The active digital screen is going away. It is being replaced by sensors, or passive digital.”

Shoes will connect to Google Maps and buzz the right or left foot depending on which way you need to turn. Embedded technologies will track your health and fitness.

Instead of inputting data into a screen, sensors will track your behavior and send you information before you even know you needed it, Smith said.

He called it the “pivot to passive.” In the ecommerce space, Amazon is working to patent anticipatory shopping software that sends you products without you even putting them in your online shopping cart.

Think of that in travel context, Smith imagined. The agonizing booking funnel becomes an intuitive, anticipatory process that actively monitors your behavior and schedules a hotel stay accordingly.

Will it happen tomorrow? I hope not. (I’m not ready for buzzing shoes.) But it could happen one day. Maybe it will even be the Next Big Thing. Time to get out in front of it.

For more: http://bit.ly/1LGI05j

Filed under Hotel Industry, Management And Ownership, Technology

Hospitality Industry Security Update: “Developing a Cyberbreach Strategy”

Throughout the business world, breaches have become a constant reminder of the critical need to assess and take action on cyberrisk. But they can also make addressing the issue seem like an ever more daunting task, leading many to either put off substantive measures or blindly buy the latest insurance or software to “take care” of the problem and move on.

“The biggest mistake companies make in the breach recovery process is just not being aware of the risk in the first place,” said John Mullen, managing partner at Lewis Brisbois Bisgaard & Smith LLP and chair of the firm’s data privacy and network security practice. “You would be amazed—I do up to 100 presentations a year, and at 80% of them, people still look at me like it’s the first time they have heard about it, and I have been doing this for over a decade. The people in the know are in the know, but there is an amazing amount of people who have no clue.”

There are countless ways a cyberbreach can unfold, and countless ways response can go wrong, but laying the strongest possible foundation ahead of time ultimately makes the difference between successful response and absolute disaster for a company that gets hacked or otherwise compromised. According to Mullen, a breach coach who reports that his firm sees a new breach case every business day of the year, “If you don’t do all of the prep stuff, you’ll never get response right.”

For more: http://bit.ly/1GycVMP

Filed under Crime, Hotel Industry, Management And Ownership, Risk Management, Technology