Today's Wall Street Journal has a report in its travel section headlined "Data Breaches Are Heaviest at Hotels". Somewhat alarmingly, the article notes that "hackers are now stealing credit-card data from hotels more often than any other industry, according to data-security companies." According to SpiderLabs, a unit of data-security firm Trustwave, 38% of data-breach investigations conducted by the firm in 2009 occurred at hotels while financial services accounted for a mere 19%.
What is worse is the fact that it takes an average of 156 days for a business to realize it has been a victim of an attack.
Earlier this month Wyndham hotels admitted on their corporate website that they had "discovered a sophisticated hacker penetrated the computer systems of one of the Wyndham Hotels and Resorts (WHR) data centres over a three-month period". Wyndham's breach occurred in the third quarter of 2009 but was announced only this month. It is not clear when the company discovered the breach.
Hotels may be the most susceptible, but higher-profile breaches have occurred with distressing periodicity in financial services, including last week, when HSBC announced that an eye-popping 24,000 clients had their personal information compromised!
Privacy Rights Clearinghouse, a non-profit primarily associated with advocating consumers' privacy rights, has a chronology of data theft that goes back to 2005. While not comprehensive, it details data breaches across industries, including the hotel industry, with the first incident being at the Atlantis hotel in January 2006, and runs all the way to the Wyndham loss of last year.
Data thieves are likely to improvise continually in an attempt to keep ahead of regulators and corporations seeking to erect barriers, but for now, as the Wall Street Journal article suggests, "there is little customers can do to protect themselves besides checking their credit-card statements carefully." Suggestions for businesses include "follow(ing) data-security standards established by the PCI Security Standards Council, an organization founded in 2006 by the credit-card industry to improve commercial and customer protection". Apparently, companies that are PCI Data Security Standard compliant are less likely to fall victim to cyber-thieves. Wyndham is among the hotels seeking to become PCI DSS compliant. It behooves every hotel company, big or small, to strive for the same.