Hackers are now stealing credit-card data from hotels more often than from any other industry, according to data-security companies.
In a recent report, SpiderLabs, a unit of data-security firm Trustwave, said 38% of its data-breach investigations in 2009 occurred at hotels. Financial services accounted for 19% of the company's data-breach investigations. Once an attack occurred, it took an average of 156 days for the business to realize it, according to the report. The problem has continued into 2010, says Nicholas Percoco, senior vice president of Trustwave and head of SpiderLabs.
Verizon Business, another data-security firm, noticed a similar increase in attacks on hotels starting around last April, says Dave Ostertag, manager of investigative response at Verizon Business, a unit of Verizon Communications Inc.
Hackers "find a weakness, flaw or common problem in an industry or organization. Once they find that, they want to replicate it as many times as they can," says Mr. Percoco.
The most common weakness at hotels is the security surrounding point-of-sale software—the software hotels use to process credit-card transactions. For example, the systems are often maintained remotely by an outsourced information-technology company. To maintain the computer system, the IT firm's employees must sign in remotely. When remote-access usernames and passwords are left blank or not changed from their default settings, hackers can find those usernames and passwords and use them to gain access to the system and steal credit-card information.
Last August, Radisson Hotels & Resorts said the computers at some of its Radisson hotels in the U.S. and Canada were hacked between November of 2008 and May of 2009. After announcing two credit-card breaches in recent years, Wyndham Hotels & Resorts LLC recently announced 37 of its Wyndham Hotels and Resorts branded properties experienced credit-card data breaches between October 2009 and January 2010.
There is little customers can do to protect themselves besides checking their credit-card statements carefully.
To protect customers, both Trustwave and Verizon recommend that businesses follow data-security standards established by the PCI Security Standards Council, an organization founded in 2006 by the credit-card industry to improve commercial and customer protections. Verizon has never run "an investigation of a successful data breach where a merchant was PCI DSS compliant," says Mr. Ostertag. The initials stand for PCI Data Security Standard. All Wyndham hotels are in the process of becoming PCI DSS compliant, said a Wyndham spokeswoman.
Airline Requests Fine Exemption
American Airlines has asked to be temporarily exempt from new tarmac-delay fines at New York's JFK airport while the airport's largest runway is undergoing construction. JetBlue Airways and Delta Air Lines Inc. asked for exemptions earlier this month. The three carriers are the largest airlines that fly out of JFK. The Department of Transportation, which has the power to grant exemptions, is reviewing the requests.
As of April 29, carriers that don't allow passengers off airplanes after three hours of delay could be subject to fines of up to $27,500 per person, or about $4 million for a fully loaded Boeing 737.
In a filing to the DOT, American said that delays caused by the closing of JFK's main runway could cost the carrier millions of dollars and cause airlines to cancel more flights to avoid fines.
"This cancellation tendency will be particularly strong at JFK given the fact that many JFK flights are long-haul and operate with larger aircraft which carry more passengers and thus expose carriers to large fines," American said in the filing.