The hotel chain Mandarin Oriental have released a statement revealing that credit card systems in some of its hotels in the US and Europe have been hacked. In the statement on its website, the company identifies malware, which it says has now been removed, as the source of the breach, and says it is working with forensic specialists, law enforcement and the credit card agencies to minimise the damage and any risk to cardholder information.
The statement gives little detail on the specifics of the hack, beyond saying that the incident was the result of “an unauthorized cyber-attack” and that the malware was “undetectable by all anti-viral systems”. Neither the hotels that were compromised nor the number of customers affected has been divulged. This wording suggests point-of-sale (POS) terminals infected with malware that evaded the installed anti-virus software. That is an easy bar to clear: malware written or repacked for a single target will routinely escape signature-based anti-virus, so the claim says more about the limits of anti-virus than about the sophistication of the attack.
There are many challenges facing merchants that store, process or transmit credit card information, and the hotel industry is no exception. Rising to the challenge of protecting both their customers' personal information and their card details can be very difficult. Factors such as large, globally interconnected networks; ageing, legacy systems for point-of-sale terminals and back-office systems; the need to allow public access to many areas of a hotel; and the susceptibility of reception and booking staff to social engineering and phishing make this an ongoing battle.
The consequences of such a breach can be considerable, from the penalties levied on the merchant by acquirers and the payment card brands, through the cost of forensic investigation and remediation, to the loss of client trust and the negative publicity of a high-profile breach.
The payment card brands, including Visa and MasterCard, created the PCI Security Standards Council (PCI SSC) to improve the security of card data. Version 1.0 of the Data Security Standard (PCI DSS) was released in 2004, and the requirements on businesses that store, process or transmit card data have become steadily more rigorous since. There are myriad vectors that thieves can use to try to steal card information; the standard aims to reduce the risks posed by technology, physical access and people, and requires strong, effective policies to be in place and followed.
Version 3.1 of the standard is due for release later this year and is expected to raise the bar further.
Dionach are a PCI QSA (Qualified Security Assessor) company and can provide consultancy around PCI DSS. See the following link for further information: