Industry Insights|业界动态

12 hotel customer information was leaked

Admin2017-02-13 15:35:45

In January 2017 the international high-end hotel brand billboard fifth InterContinental Hotel, recently came the hacking news. February 7th, according to the Beijing Business Daily reported that InterContinental Hotel group's 12 hotels in the United States credit card information disclosure.

The "daily economic news" reporter noted that as early as the end of December 2016, the hotel has been launched to investigate the credit card payment problem. In February 3, 2017, the hotel said in a statement that in the period from 2016 8 to December 12 in the hotel restaurant or bar the use of credit card customers have become the victim of data leakage, and the use of credit cards in the hotel front desk users are not affected.

Insiders said, because if the hacking of computer system so that a user information was leaked, causing losses to the user, the hotel should bear the corresponding legal responsibility, but for now the hotel information system security level in the relatively weak, although the use of hotel management information system, to eliminate safety hazards but do not place the hotel, in order to reduce the information security incidents must strengthen safety measures, protection of consumer information.

12 Hotel payment system was invaded

"Daily News" reporter noted that in February 3rd, the InterContinental Hotel group has issued a "notice" on customer card payment event in 12 hotel credit, in December 28, 2016, the InterContinental Hotel group has received a "unauthorized" transaction report, confirmed that part of the wine shop's use of credit card payment problems, the company immediately this investigation.

Subsequently, InterContinental Hotel group (IHG) hired a top network security company to check the entire District Hotel credit card payment system. According to the survey, only 12 of the hotel's restaurants or bars using credit card users have been leaked data, the hotel front desk to use credit card users have escaped. The attackers used malware to infect the hotel's payment system, including data on the cardholder's name, card number, credit card expiration time and internal validation code.

The survey, IHG first notice in the period from August 2016 to December 12 in the hotel restaurant or bar to pay by credit card customers, at the same time on other areas of the hotel of the group is also ongoing.

It is reported that 12 of the hotel suffered credit card data breaches including Intercontinental San Francisco Hotel, Holiday Inn, Chicago Magnificent Mile Aruba InterContinental Hotel, Crowne Plaza Hotel, Holiday Inn San Francisco-Fisherman's Wharf, San Jose Valley, Losangeles Century City InterContinental Hotel, InterContinental Hotel, InterContinental Hotel, Atlanta MarkHopkins Buckhead Willard Yorkville Toronto InterContinental Hotel, InterContinental Hotel, San Juan and Nashville intercontinental Resort Casino and Holiday Inn Airport Hotel.

The statement also said that IHG has been working with the security company to review, is now confirmed that the problem has been repaired and strengthened security measures. The incident has been reported to law enforcement agencies, and cooperation with the payment network allows banks to monitor fraudulent transactions. Up to now, there is no specific number of users affected by data leakage. In addition, IHG established a call center dedicated to answering questions for the customer.

Last August, the United States about 20 hotels to bank credit card information leak, in addition to intercontinental brand hotel, Hyatt, Marriott, Sheraton and Wenstin hotel are all on the list. In 2016 alone there are a number of companies launched a survey of similar activities, such as Kimpton Hotel (Kimpton Hotels & Restaurants), HEI (HEI Hotels & Resorts) Hotel, Rosen Hotel and Resort (Rosen Hotels & Resorts) etc..

In recent years, the well-known chain hotels, high-end brand hotel there are serious security vulnerabilities occur frequently, large open room information and payment information leakage risks exist, so many users think extremely fear. Especially in January 2016, Hyatt in 250 hotels in about 50 countries around the world related to payment card data breaches, accounting for about 40% of the number of the Hyatt Hotel, which has 22 China Hyatt Hotels are affected.

Tourism industry insiders 6 CEO Jia Jianqiang has publicly said that the hotel's own information and security capabilities are poor, should be more professional and PMS systems. There is a serious safety hazard present in some hotel management software, the main leakage pathways include hackers, server, management software provider is not standardized, data management is not in place as the "culprit Hotel leak door".

Domestic hotel information leakage probability is low?

The "daily economic news" reporter called the InterContinental Hotel group China hotel information management system solutions provider Beijing Shiji information technology Limited by Share Ltd, the secretaries office staff said that the removal of many large overseas hotel group will use the PMS system to its own IT team to develop the hotel information management system of MICROS company in the United States to occupy the international market five to 60%, the InterContinental Hotel group is used in the system, and the hotel management information system of the country are provided by third parties.

The staff said, because the domestic and international payment process design is different than in the credit card, the hotel management information system and the payment system is the machine via the network storage, and the bank line connection, so it is in normal operation, the probability of occurrence of domestic hotel information disclosure is relatively low."

But it is worth noting that, according to Internet security service platform vulnerabilities announced the first box "hotel information security report" shows that in 2015, Marriott, Ritz Carlton, Sheraton, Amy, Holiday Inn and other 7 well-known hotel official website there is a serious security vulnerabilities, every wine shop has tens of thousands of leaked data above, the tenant to open the room information at a glance, even for amendment and cancellation of orders for the hotel.

In this regard, they favored tourism founder, tourism O2O analyst Liu Zhaohui told the "daily economic news" reporter said, the reason, first, the Tradition Hotel group there are loopholes in the information system, vulnerability will cause the system to fully control; second, the hacking of that virus invasion, for example, members of integral system; third, the hotel industry bank card transaction volume is relatively large, the guest information has use value; fourth, the hotel information system security level in the relatively weak, although the use of hotel management information system, but to eliminate safety hazards but do not place.

Liu Zhaohui said, in fact the hotel management information system currently has the following two categories, one is the PMS system developed by the hotel group; outsourcing for large information system service providers, such as in the high star hotel in the largest stone base market share by Ctrip integration of public service in the end Hui hotel.

Orange Hotel chief legal adviser, Taihe (Beijing) lawyer Chen Tao told reporters, from a legal perspective, the protection of consumer privacy is the operator's obligation, so the spirit of "who, who collected protection" principle, the hotel should also bear the responsibility. If it is because hackers hacked into the computer system and the user information was leaked, causing losses to the user, the hotel side is also responsible.

"But because there are significant differences in the criminal incidental civil lawsuit system and the civil litigation, and the user is the spirit of the loss, so the case into the judicial way." Chen Tao lawyer added that if a crisis occurs, the first time the hotel to seek the involvement of the public security organs, and obtain customer understanding.

• Previous： Puyong News 华为
• Next： Huawei and Oracle become the power of environmental networking partners