Hyatt Hotels Cyber Attack and Data Breach
Question:
Discuss about the Computer Security Breaches.
According to Krebs (2016), a widely read cyber security analyst, any customer who used the services of a Hyatt hotel between August and December 2015 is likely to have had their credit card data stolen. During this period, unknown cyber criminals infiltrated the organisation’s 250 hotels across 50 different countries. An official statement by Hyatt Hotels Corporation detailed the problem further, stating that the majority of its payment systems were compromised by card-stealing malware that targeted customers’ data. The malware was installed chiefly in the restaurants owned by the hotel, with minimal intrusions detected in the other facilities, i.e. spas, shops, golf courses and parking (Krebs, 2016).
In an attempt to improve payment card security, many financial institutions are offering debit and credit cards that incorporate access chips. These chips are meant to help retailers track transactions through checkout systems that read customers’ data off the chips while maintaining compliance with cyber security regulations (BITS, 2011). Similarly, Hyatt’s payment systems accepted credit and debit card payments where customer data was, and still is, encrypted on the chip. However, many of these cards still carry small amounts of plain text data stored in the magnetic stripe. Therefore, whenever a card is swiped in a transaction, including a fraudulent one, the customer’s data is placed at risk. Moreover, unlike in the past, when data was primarily stolen off magnetic stripes and replicated onto cloned cards, Hyatt’s problem escalated beyond this basic pattern: the stolen plain text data was shipped to the United States and used to carry out further security breaches (BITS, 2011).
The perpetrators installed data-stealing malware into Hyatt’s payment system; this was done using counterfeit cards which were used at certain managerial locations. The cyber criminals therefore first obtained customers’ card information, most likely from the magnetic stripes, which was then used as a loophole to access and infect Hyatt’s systems (Osborne & Day, 2016). The malware was designed to steal extensive records, including the cardholders’ names, card numbers, verification codes and expiration dates. These are the very items the organisation used to confirm payment onsite at any given location. Therefore, with each transaction, the malicious program harvested card data with minimal alerts to staff or management.
First, the loophole: despite the presence of encrypted chips, most transaction cards (debit or credit) hold plain text data in their magnetic stripes. This exposes any organisation and its customers to security breaches, so allowing customers to swipe the magnetic stripe places them in grave danger. A practical solution to this problem is to have chip readers in all of the organisation’s facilities (Wattles, 2015). This provision eliminates reliance on magnetic stripes, which are the channel criminals use to steal the data they require. Furthermore, this solution has produced tangible results, as evidenced by reduced counterfeit incidents in G20 countries other than the United States, which still fails to regulate card liability (Krebs, 2016).
Causes of Hyatt Hotels Data Breach
Secondly, the organisation should investigate and stop intrusions through all targeted areas. In most cases hackers will use system vulnerabilities to carry out attacks; these include malware, security liabilities and even personnel. On behalf of the system, the information technology department must develop prevention solutions that shut down the relevant vulnerabilities and thus maintain an optimum level of security. For instance, password violations are a common phenomenon since most users will stick with default passwords. Advising users to change these passwords is a step in the right direction that minimises intrusion incidents (Symantec, 2011).
Furthermore, in a case where a data breach is experienced, such as the one seen in this case study, the organisation should in future have detection systems that alert administrators to possible data violations in order to prevent extended attacks. Hyatt’s systems were infected for more than four months without detection, which increased the severity of the problem. Moreover, such detection systems can identify and stop insider breaches caused by broken enterprise processes, for instance an outdated antivirus. In addition, they automate security controls so that security configurations on firewalls and even patch management are done with minimal input from users. These detection functions can also be combined with event management systems to curb data breach incidents, especially during outbound transactions, where Hyatt’s systems were most affected (Prince, 2017).
In 2014, the renowned financial institution JPMorgan Chase experienced one of the biggest cyber attacks seen in recent times. In the attack, accounts owned by both household users and small businesses were compromised. The attack saw cyber criminals hack several computers within the financial organisation and at the publisher of the financial institution. This hack allowed the perpetrators to access and steal customers’ personal information. In all, the attack is said to have affected more than 100 million customers (Crowe, 2015).
The Problem
After a thorough assessment of the attack, JPMorgan revealed that the data breach targeted customer contact information: names, addresses, numbers and email addresses. Moreover, the intrusion further compromised the organisation’s internal systems by collecting confidential data owned by the users. However, as stated by the organisation, the breach did not affect customers’ financial records, including the money they held (Weise, 2014). This conclusion was drawn because the details of account records, including passwords, IDs and social security numbers, were never affected by the attack. Nevertheless, this statement was completely contradicted by independent reporting by the New York Times, which stated that the hackers had obtained the highest possible level of administrative access within the institution’s financial system.
In essence, the cyber criminals had extended privileges on more than 90 servers owned by the bank. This access gave them root control over the bank’s system, including the ability to transfer funds, read confidential information and potentially close accounts. In a nutshell, the perpetrators could do whatever they wanted with the system. According to J. Thompson (2014), attacks that obtain such extended access yet steal no money are suspected precursors to future attacks. Therefore, the hackers initially intended to identify the organisation’s vulnerabilities for future exploitation but were caught before proceeding with their broader plan.
Implications of the Hyatt Hotels Data Breach
Information is the most valuable asset seen today, and organisations such as banking institutions protect this asset with maximum security protocols, including dynamic intrusion detection systems. However, the attack on JPMorgan’s system was started using a basic intrusion technique rather than the sophisticated mechanisms imagined by the public. To start with, the hackers stole an employee’s login information, which was then used to access the system. After gaining access, the hackers used their newly acquired privileges to run pump-and-dump stock schemes. This manipulation allowed them to generate lucrative deals in online financial proceedings such as online gambling, which generated millions of dollars (Farrell & Hurtado, 2015).
Nevertheless, the root of the problem was stolen credential information that was later used to access the company’s servers from computers in different locations throughout the world. Moreover, the criminals used affiliate organisations owned by the institution to reach its information. For instance, a website for a charity race hosted by JPMorgan was the first intrusion point. This cover, i.e. using affiliates rather than the organisation itself, allowed the perpetrators to go undetected for an extended period of time (Goldstein, Perlroth & Corkery, 2014). Furthermore, this simple flaw explained why other related organisations were unaffected by the security breach, particularly at a time when controversial economic sanctions had been deployed by the United States.
From the analysis of the security breach, it was clear that a simple flaw was the root cause of the problem, unlike what was previously thought, when experts proposed malicious bugs or software sourced from the dark web. This kind of attack is easy to guard against, as seen on countless other occasions. Many organisations like JPMorgan invest heavily in computer security, particularly in authentication and authorisation, i.e. the very access methods abused in this attack. Therefore, even though the attackers acquired an employee’s login credentials, the security systems should have been able to detect and stop the violation. For one, a common practice seen today is the application of two-factor authentication. In essence, institutions that host confidential information use several techniques to grant users access to their systems, and these techniques verify the identity of the user beyond reasonable doubt. For instance, once the login credentials had been presented, JPMorgan should have required a one-time access code before granting access to the system; this would definitely have stopped the attack (TRC, 2015).
However, the attack on JPMorgan’s system showcased a common problem seen in many organisations today: network vulnerabilities. As highlighted by many security experts, many organisations fail to secure their systems at certain periods of the year when their focus shifts to other crucial activities, such as payment processing during high-turnover seasons. Moreover, this problem is aggravated by the acquisitions organisations make. These acquisitions make it difficult to integrate the security systems of the parent company with those of the affiliate organisation, and as a result of this weakness attacks are easily conducted through the weaker affiliate systems. A solution to this problem is to develop separate security measures for the acquired organisations; this ensures security is maintained prior to integration (TRC, 2015).
Nevertheless, despite the extensive challenges faced, organisations like JPMorgan, whose annual returns run into billions, should employ basic if not sophisticated cyber security techniques. For instance, the multi-factor authentication mentioned above, where several factors such as biometrics, tokens and passwords are combined to grant access, must be used. Moreover, routine analyses should be done on existing systems through network management systems that evaluate transferred data packets for any alterations (Valdetero & Zetoony, 2014). These simple security techniques could have prevented the attack on JPMorgan’s system even though the login credentials of one of its members were stolen.
References
BITS. (2011). Malware risks and mitigation report. Financial Services Roundtable. Retrieved 3 March, 2017, from: https://www.nist.gov/sites/default/files/documents/itl/BITS-Malware-Report-Jun2011.pdf
Crowe, P. (2015). JPMorgan fell victim to the largest theft of customer data from a financial institution in US history. Business Insider. Retrieved 4 March, 2017, from: https://www.businessinsider.com/jpmorgan-hacked-bank-breach-2015-11?IR=T
Farrell, G. & Hurtado. (2015). JPMorgan’s 2014 hack tied to largest cyber breach ever. Bloomberg. Retrieved 4 March, 2017, from: https://www.bloomberg.com/news/articles/2015-11-10/hackers-accused-by-u-s-of-targeting-top-banks-mutual-funds
Goldstein, M., Perlroth, N. & Corkery, M. (2014). Neglected server provided entry for JPMorgan hackers. DealBook. Retrieved 4 March, 2017, from: https://dealbook.nytimes.com/2014/12/22/entry-point-of-jpmorgan-data-breach-is-identified/
Krebs, B. (2016). Hyatt card breach hit 250 hotels in 50 nations. Krebs on Security. Retrieved 4 March, 2017, from: https://krebsonsecurity.com/2016/01/hyatt-card-breach-hit-250-hotels-in-50-nations/
Osborne, C. & Day, Z. (2016). 250 Hyatt hotels infected last year with payment data stealing malware. ZDNet. Retrieved 4 March, 2017, from: https://www.zdnet.com/article/250-hyatt-hotels-infected-last-year-with-payment-data-stealing-malware/
Prince, K. (2017). 8 ways to prevent data breaches. IT Business Edge. Retrieved 4 March, 2017, from: https://www.itbusinessedge.com/slideshows/show.aspx?c=79585&slide=9
Symantec. (2011). 6 steps to prevent a data breach. Retrieved 4 March, 2017, from: https://eval.symantec.com/mktginfo/enterprise/other_resources/b-6-steps-prevent-data-reach_20049431-1.en-us.pdf
TRC. (2015). Data breach report. IDT911. Retrieved 3 March, 2017, from: https://www.idtheftcenter.org/images/breach/DataBreachReports_2015.pdf
Valdetero, J. & Zetoony, D. (2014). Data security breaches: incident preparedness and response. Washington Legal Foundation. Retrieved 3 March, 2017, from: https://www.bryancave.com/images/content/2/2/v2/2285/DataBreachHandbookValdeteroandZetoony.pdf
Wattles, J. (2015). Hyatt Hotels data hacked. CNN Tech. Retrieved 4 March, 2017, from: https://money.cnn.com/2015/12/23/technology/hyatt-malware/
Weise, E. (2014). JP Morgan reveals data breach affected 76 million households. USA Today. Retrieved 4 March, 2017, from: https://www.usatoday.com/story/tech/2014/10/02/jp-morgan-security-breach/16590689/