It was reported across the media late last month that the Hilton Hotel chain had a credit card breach. While some media is reporting that the dates of the attack are from April 21 to July 27 of this year, Brian Krebs is reporting that sources are telling him that the breach may go as far back as November of last year and may still be going on – a much bigger window, if accurate, than earlier reported.
What is more interesting – and we have seen this before – is that the attack did not affect the front desk charges; it only affected restaurants, coffee bars and gift shops.
Why would it only affect those credit card readers and not the ones at the front desk?
According to Krebs, those locations are franchised. While that term is a little vague to me (many of the hotels themselves are franchises), I think what he means is that those operations are not run by Hilton and are not run by the hotel franchisee either; they are operated by a third party.
Assuming this is accurate, and I think it is, what it means is that one or more VENDORS that Hilton selected had poor security.
As more and more businesses outsource little bits of their business, the list of breaches that began with a vendor keeps growing: besides this one, the Target, Home Depot, Office of Personnel Management and T-Mobile (twice) breaches, the zoo gift shop breach (a number of zoos outsource their gift shops) and a number of others all started with a vendor.
I understand that a vendor risk assessment program costs money, but as Hilton and T-Mobile, this month, are learning, it is also expensive NOT to have a vendor risk assessment program.
It is a classic case of pay me now (have a vendor risk program) or pay me later (deal with the vendor being breached).
Just to be clear, a vendor risk assessment program will not STOP all breaches, but it will improve your odds, if you do it right.
If the program is a paper exercise and no one really cares about the results, then it won’t do any good. On the other hand, if the business is willing to fire the vendor (not give them any more business) if their risk profile is not at the level that the company wants, then the vendors will improve their security.
Each company needs to identify its high-risk vendors. These are the ones that either hold data which, if compromised, will cost the company a lot of money to deal with, or have direct access to the company’s computer network. Those are the first vendors to do a risk assessment on.
Vendor risk assessments – they are an important part of your security program.
Information for this post came from Krebs On Security.