Ransomware, The Next Generation

Hackers are nothing if not creative.  Combine that with businesses not paying enough attention to security and you get a mess.

Researchers discovered an unprotected database with over 5 million client records belonging to Choice Hotels.

The hotel says there is good news.  Only 700,000 of those records were from real customers.  Doesn’t that make you feel better already?

However, that good news is limited.  The researchers were not the first ones there.  They found a ransom note in the database.  It appears that the bad guys copied the data and tried to delete it but something went wrong.    They wanted 0.4 Bitcoin or about $4,000 for the data.  Given the company and the data, they must have been hoping for an easy payday because that much data should be worth a lot more.

That is the next generation of ransomware.  COPY the data, then encrypt it or DELETE IT.  Then demand a ransom to get it back.  If you don’t pay the ransom, they RELEASE the data.  Or SELL it.  For this generation of ransomware, backups do not help, because restoring your copy does nothing about the copy the bad guys already have.  The only thing that helps is keeping the bad guys out.  Call it ransomware 2.0.  Luckily, in this case, the bad guys were incompetent.  Maybe not the next time.

The database was set up for or by a vendor.  The hotel says that, as a result of the breach, they won’t be working with that vendor any more.

The hotel did not initially launch an investigation, but eventually did.

So what is the message here?

Just because you are working with a vendor does not let you off the hook.

What was the hotel thinking giving a vendor live data to test with?  What might the consequences be if the data was released publicly?

How much due diligence did the hotel do on the vendor’s cybersecurity program before they gave them the data?  Under some state laws (like Colorado), the hotel would be responsible for ensuring that the vendor had the ability to protect the data BEFORE they handed the data over.

Now the hotel chain will have to face the regulators and the lawsuits and the fines. 

All of this should be part of a company’s vendor cyber risk management program.  Maybe Choice Hotels needs to rethink its vendor cyber risk management program.  I can think of about 700,000 reasons why.  Source: ZDNet.
