The Mandarin Oriental Hotel Group admitted that their credit card system at an unknown number of their hotels was hacked and credit cards compromised AFTER they were outed by Krebs On Security. The upscale hotel chain, where rooms at the New York property start at $850 a night, would be a great target for hackers since credit cards are likely to have very high limits.
Krebs is reporting that sources say that the attack started before Christmas 2014, so the time to detect is about 75 days. That is going to become a metric to determine the effectiveness of a company’s cyber security program – how quickly you detected the hacker, boxed the hacker in and determined what the hacker got. What the hacker got in this case has not been publicly announced.
What is interesting to me is the wording of their press release below.
Mandarin Oriental can confirm that the credit card systems in an isolated number of our hotels in the US and Europe have been accessed without authorization and in violation of both civil and criminal law.
Of course the hackers broke the law. Is that supposed to make me feel better that the people who stole my credit card broke the law? Are they next going to stomp their feet and hold their breath? We expect hotels to know that hackers are out there and protect us anyway.
We take the protection of customer information very seriously. Unfortunately incidents of this nature are increasingly becoming an industry-wide concern and we have therefore also alerted our technology peers in the hospitality industry.
This whole paragraph is fluff; do they think that their competitors are not aware that hotels everywhere are suffering credit card breaches? Does the fact that breaches are becoming more common mean they have less responsibility? Or that they are helpless to do anything to stop them?
Mandarin Oriental moved swiftly to address this issue by working with forensic experts and has removed offending malware. While the Group has leading data security systems in place, this malware is undetectable by all anti-viral systems. Guests can be confident that security protocols are being thoroughly tested at all hotels to protect guest information and prevent a recurrence of such an attack.
This is probably the most honest statement in the press release; I hope that they are testing their security protocols now – given that they failed. The better question to ask is when they last tested their security protocols chain wide. That would be very telling.
While it is fun to beat up on the hotels, in one sense, they are victims. But in another sense, they are likely accomplices since they most likely did not spend a whole lot of effort in making life hard for the hackers. The hospitality industry (hotels and restaurants) is a hot target for hackers for many reasons and they must know that. Still, their controls are inadequate.
From a PR standpoint, they need to try and calm their high end guests. Those are the people who have the resources to sue them, and whose staff can cancel all future reservations and move them to a different hotel chain.
I can whine about their press release, but if it was me that was hacked, I would probably do something very similar. In fact, many of the words are identical to those in other companies’ press releases after a breach. It will be interesting to see how many cards were compromised. From the hotel and credit card company’s perspective, getting this under control quickly is important. While they might be able to steal $400 from my credit card before it is maxed out, they may be able to steal $4,000 or $40,000 from some of these credit cards. Ouch!