It seems like I write one of these every day. Today it is Millennium Hotels and Resorts, an international hotel chain based in Colorado. They are saying that customers who used their credit cards at 14 of their hotels between early March and the end of June need to keep an eye on their credit card bills.
What is important here is not that another hotel has less than stellar information security practices. It is not that the hackers were in the system for 4 months before they were detected (actually, that is less than the average of around 200 days).
What is important about this breach is how they (and we) found out about it: the United States Secret Service paid Millennium Hotels a visit and, to paraphrase that famous NASA quote, said, “err, Boulder, we have a problem!”
What we don’t know is whether this is part of the Oracle Micros breach; hopefully Millennium will release more details soon.
What is important to point out is this. They would not know today that they had been breached if the Secret Service did not pay them a visit.
Let that sink in for a minute.
The Secret Service can only work on a TINY fraction of all of the breaches out there due to limited resources. Since this breach is not, in itself, huge, I have a thought that it may be part of a larger breach, hence my comment about Oracle above.
So if your company is not lucky enough (if that is the right term) to be breached in a way that the Secret Service thinks it is important enough to work the case, you might never know that you have been breached. Credit card fraud is easy to detect. Stolen intellectual property is ten times harder to detect.
This takes us back to former FBI Director Robert Mueller’s quote:
“I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
So if we take the depressing view that you are going to get hacked at some point in time, what does that mean?
It means you should plan to deal with it:
- Create a cyber incident response plan
- Identify and engage, in advance, the third party resources that you will likely need in case of an incident. The last thing you want to do after you have a breach is negotiate the terms of a letter of engagement.
- Identify your internal breach response team
- Train that team so that they know what they should do in case of a breach. Think of this as a cyber fire drill.
- Review the results and tweak the system
Some of you may be old enough to remember the Cocoanut Grove fire in Boston in 1942. It was – and still is – the deadliest nightclub fire in history. 492 people lost their lives.
Why did so many people lose their lives? Because the club was not prepared for an event like this. Today, many businesses are not prepared for a cyber breach incident and while, for the most part, people won’t die because of this, businesses will spend millions to hundreds of millions of dollars as a result.
After the Cocoanut Grove fire, United States building codes were revised. Emergency exits were required, signs with independent power were required, and flammable decorations were banned, along with other changes.
In the cyber security business, we have not had the equivalent of a Cyber Cocoanut Grove, although you would think that Target, Home Depot, Anthem Blue Cross or the Office of Personnel Management would qualify.
What is true is that behind the scenes there are a lot of efforts going on to legislate changes. When or what we will see is not known. Many businesses have realized that it makes sense to get in front of that freight train rather than looking at that bright headlight and wondering what is coming their way.
We are also seeing cyber insurance carriers refusing to pay out in case of breaches where they think the companies contributed to the breach in a way that violates the terms of the policy.
If your company is not ready for a Cyber Cocoanut Grove, now is the time to get started.
And, equally importantly, if your key vendors are not ready for a Cyber Cocoanut Grove, it is your tushy that is going to be in a tight spot. The stories this week and last about all of these hotel and retail breaches that are tied to a third party should bring this part home.
If you need help with this, please contact us.
Information for this post came from the Denver Business Journal.
Information on the Cocoanut Grove fire can be found here.