SC Media reported yesterday that hundreds of hotels suffered data breaches after hackers exploited a flaw in the popular travel website, FastBooking.com. Impacts included the theft of more than 124,000 customer records from Prince Hotels and many other similar serious breaches. We asked several leading cybersecurity experts for their views on what made the attack possible and what could be done to avoid such catastrophic incidents in the future.
According to Sam Elliott, director of security product management at Bomgar, the FastBooking breach represented yet another event caused by unpatched systems, where an attacker was able to exploit a vulnerable web application. “This is a reminder of the importance of keeping up with security patches as they are released. Given the high profile of the Equifax breach, it is disheartening to see yet another theft of personal information due to a fixable issue.”
Elliott added, “As security professionals continue to push their organizations to keep their systems patched, they also have to keep an eye on unsecured remote access and unmanaged privileged credentials. These areas are top targets for hackers whose ultimate goal is to gain access to systems with privileges so they can exfiltrate data out of an organization.” He noted that industry reports from Verizon, Trustwave and others continue to name remote access as one of the most common attack vectors used by hackers in data breaches.
As Elliott explained, this pathway is often exploited because generally the tools in place are legacy solutions that allow “all or nothing” access. Once attackers gain access, they then can move laterally across a network. To mitigate this threat, organizations need to build a true defense-in-depth strategy with more robust and secure solutions that allow for granular controls for secure remote access to critical systems.
Tom Miller, senior vice president at Virsec, offered context, explaining, “The number of breaches in the travel industry is disturbing. Here’s yet another example of third-party processors with inadequate security, vulnerable web servers, and thousands of unwitting customers having personal data exposed through hundreds of hotels. In the new GDPR era, there’s a faulty assumption that tough penalties will quickly result in improved security. Perhaps the expanded notification requirements will raise consumer awareness that they can’t implicitly trust this industry with their data.”
Cybersecurity expert Tamulyn Takakura of Prevoty echoed Miller’s sentiments, saying, “Hospitality and retail companies are attractive targets for hackers because they collect troves of passwords, personally identifiable information (PII), credit card details, and other sensitive information. In recent high-profile hacks, they have often been the victim, and it’s because they have a larger attack surface. Unlike other industries, more of their applications and systems are exposed to the internet, creating more entry points for attack. Hospitality and retail security requires ongoing diligence and multiple layers of defense.”
Takakura also observed, “As attacks continue to grow in frequency and sophistication, the need for attack-based security becomes clear. It’s impossible and impractical to find and fix every vulnerability to account for every threat. Attack-based security offers real-time attack protection, without hampering scalability, availability, or performance. They detect, prevent, and neutralize attacks in production, so business keeps going even in the face of an attack. It buys time, which we argue is the most critical asset when responding to incidents.”
“As always, you are only as strong as your weakest cloud infrastructure link,” noted Pravin Kothari, CEO of CipherCloud. He advised security managers to “think carefully about all of your SaaS vendor services and integrating them with your cloud infrastructure,” adding, “Proceed cautiously until your security operations center team has a chance to thoroughly audit their security and assess their risk as a potential vendor.”