Hotel Business Personal Information Leakage: Learning the Importance and Measures of Security

Date: 2024.01.12.

Entering personal information on websites, for hotel reservations, membership registrations and the like, has become commonplace, and users now rarely feel any sense of risk when doing so.

Hotel businesses, however, must manage customers’ personal information thoroughly so that it is never leaked to the outside.

In this article, we take up cases of personal information leakage in the hotel business and explain what kinds of security measures are necessary.

Please use this article to understand the importance of security and apply it to your company’s personal information protection management system.

Table of contents

  1. Personal information leakage cases in the hotel industry
    1. Personal information leakage due to unauthorized access to foreign language websites
    2. Personal information leakage with search & reservation service for leisure hotels
    3. Personal information leakage due to unauthorized access to luxury hotel chains
  2. Causes and methods of information leakage in the hotel industry
    1. Sophistication of malware
    2. Phishing sites and emails
    3. Illegal acquisition of information by employees and retirees
  3. Specific measures that can be taken to prevent information leakage
    1. Thorough vulnerability countermeasures for affiliated services and websites
    2. Introduction of security software
    3. Conduct security training within the company
    4. Calling on customers to prevent information leakage
  4. Summary

1. Personal information leakage cases in the hotel industry

First, I would like to introduce some cases of personal information leakage in the hotel industry. Please note that we will refrain from introducing specific operating companies and hotel names.

1-1. Personal information leakage due to unauthorized access to foreign language websites

In one case, customers’ personal information was leaked through unauthorized access to a reservation system site whose parent company is overseas.

The personal information of approximately 166 customers who made reservations from May 1, 2017 to June 19, 2018, and approximately 16,520 credit card records used before August 2017, were leaked.

Domestic hotels were also affected by this incident; as things stand, the affected customers are limited to those who made reservations on websites built in foreign languages.

The damage was reported on the website, and customers whose reservation information was found to have been leaked were sent an explanation and an apology by email.

1-2. Personal information leakage with search & reservation service for leisure hotels

In a search & reservation service for a certain leisure hotel, personal information was leaked due to a security vulnerability on the provider’s side.

The ID and password used at login were not encrypted, and the following items were in a state where a third party could easily obtain them:

  • Email address
  • Login password
  • Handle name
  • Gender
  • Birthday
  • Address

In the hotel business, personal information leakage is an accident that directly leads to loss of trust.

Furthermore, if the cause is not another company’s system but your own company’s sloppy security awareness and measures, the social loss will be enormous.

1-3. Personal information leakage due to unauthorized access to luxury hotel chains

At luxury hotel chains, personal information leakage due to unauthorized access has occurred twice, in 2018 and 2020.

Traces of access to a large amount of customer information using employee accounts were confirmed.

It is not certain that personal information was actually stolen, but the traces amounted to approximately 5.2 million cases.

In the 2018 incident, unauthorized access to over 300 million customer records was recognized.

It is not clear whether an employee misused the account or whether the account itself was taken over, but the fact remains that vulnerabilities that could lead to personal information leakage were identified.
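Traces like the ones described above (employee accounts reading unusually large amounts of customer information) can be surfaced from access logs. The following is an added example, not from the original article; the log format, account names, IP addresses and thresholds are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed sample audit log (not real data):
# timestamp, employee account, source IP, customer records read
SAMPLE_LOG = """\
2020-01-13T09:02:11,frontdesk01,10.0.4.21,12
2020-01-13T10:15:40,frontdesk02,10.0.4.22,9
2020-01-13T14:31:05,reserv_admin,10.0.4.30,40
2020-01-14T09:05:52,frontdesk01,10.0.4.21,15
2020-01-14T11:47:19,frontdesk02,10.0.4.22,11
2020-01-14T13:20:00,reserv_admin,10.0.4.30,35
2020-01-15T02:11:43,frontdesk02,203.0.113.50,4800
2020-01-15T02:19:08,frontdesk02,203.0.113.50,5100
2020-01-15T09:01:30,frontdesk01,10.0.4.21,14
"""

def flag_bulk_access(log_text, factor=10, min_records=500):
    """Return account-days whose record reads far exceed the typical account-day."""
    daily = defaultdict(int)   # (account, day) -> records read
    ips = defaultdict(set)     # (account, day) -> source IPs seen that day
    for ts, account, ip, count in csv.reader(io.StringIO(log_text)):
        day = ts[:10]          # ISO timestamp: the first 10 characters are the date
        daily[(account, day)] += int(count)
        ips[(account, day)].add(ip)

    # Baseline: median volume over all account-days. The floor (min_records)
    # avoids alerting on small absolute numbers when the baseline is tiny.
    threshold = max(min_records, factor * median(daily.values()))

    findings = []
    for (account, day), total in sorted(daily.items()):
        if total <= threshold:
            continue
        # IPs the account never used on an earlier day: a triage hint
        # (possible account takeover), not proof either way.
        earlier = set().union(*(v for (a, d), v in ips.items()
                                if a == account and d < day))
        findings.append({"account": account, "day": day, "records": total,
                         "new_ips": sorted(ips[(account, day)] - earlier)})
    return findings

if __name__ == "__main__":
    for finding in flag_bulk_access(SAMPLE_LOG):
        print(finding)
```

A previously unseen source IP on a flagged day only helps prioritize the investigation; it cannot by itself settle whether the account was misused by its owner or taken over.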

2. Causes and methods of information leakage in the hotel industry

Information leakage in the hotel industry occurs due to the following causes and methods.

  • Sophistication of malware
  • Phishing sites and emails
  • Illegal acquisition of information by employees and retirees

Now, let’s take a closer look at each cause and method.

2-1. Sophistication of malware

As IT has developed, security measures have become more robust, but at the same time malware has become more sophisticated.

A typical recent example is “Emotet”, a type of Trojan horse.

Malware such as Trojan horses and spyware does not self-replicate or parasitize other files; instead, it sneaks in disguised as harmless software or apps.

Malware that anti-virus software has difficulty detecting has also contributed to personal information leakage in the hotel business.

2-2. Phishing sites and emails

Personal information leakage accidents are also highly likely to occur when phishing sites or emails containing viruses are opened on company computers.

Phishing sites and emails mainly steal the personal information that victims enter on fake sites, so they are unlikely to cause the hotel operator itself to leak information.

However, if the attack installs software such as a keylogger, information can be stolen from the hotel’s management system.

In that case, unauthorized access to hotel customer information is not out of the question.

2-3. Illegal acquisition of information by employees and retirees

Personal information leakage can occur not only through unauthorized access from the outside but also from the inside, through employees and retirees.

For example, one method is to hire hotel employees at a high price and induce them to acquire personal information.

Also, retirees who know the password of the management system may be able to steal information through unauthorized access.

The damage caused by leaking customers’ personal information is enormous, and no matter how high the payment, it will not cover the liability for damages.

3. Specific measures that can be taken to prevent information leakage

Now, I will explain specific measures that can be taken to prevent information leakage, including personal information.

  • Thorough vulnerability countermeasures for affiliated services and websites
  • Introduction of security software
  • Conduct security training within the company
  • Calling on customers to prevent information leakage

If any of these measures can be applied at your company, implement them promptly.

3-1. Thorough vulnerability countermeasures for affiliated services and websites

Vulnerabilities in affiliated services and websites have a significant impact on the activities of the hotel business, so they should be thoroughly diagnosed and remediated.

Typical attacks that exploit vulnerabilities include:

  • SQL injection
  • Cross-site scripting
  • OS command injection
  • Directory traversal
  • Buffer overflow

It is also necessary to determine whether there are any vulnerabilities in other companies’ services and systems that you are considering using.

Even a single leak of personal information causes enormous damage, so approach countermeasures with full awareness and carry them out thoroughly.

3-2. Introduction of security software

The most efficient and effective measure is to introduce security software.

Considering the sophistication of malware, it is best to introduce the latest security software and apply updates as soon as they are released.

Select strong security products such as firewalls and IPS, together with access management, to protect the safety of customers using the hotel.

3-3. Conduct security training within the company

In order to prevent personal information leakage from the inside, it is recommended to conduct training to raise security awareness within the company.

Have employees periodically revisit the damage and losses that personal information leakage causes, and manage security thoroughly across the whole company.

In addition, if an employee who had access management privileges retires, be sure to change the password and delete the management ID and access privileges.
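The offboarding steps above (change the password, delete the management ID and access privileges) can be checked mechanically. The following is an added example, not from the original article; the employee IDs, account names, roles and data layout are constructed assumptions.

```python
from datetime import date

# Constructed sample data (not real): HR leavers and a management-system export.
LEAVERS = {"E1007": date(2023, 11, 30), "E1012": date(2023, 12, 28)}

ACCOUNTS = [
    # management ID, owning employee, enabled flag, access privileges
    {"id": "mgr_sato", "owner": "E1007", "enabled": True, "roles": ["reservation_admin"]},
    {"id": "mgr_kimura", "owner": "E1012", "enabled": False, "roles": ["customer_export"]},
    {"id": "fd_tanaka", "owner": "E1020", "enabled": True, "roles": ["front_desk"]},
]

SHARED_SECRETS = [
    # passwords known to several people, with the date of the last change
    {"name": "pms_admin", "known_by": ["E1007", "E1020"], "changed": date(2023, 10, 1)},
    {"name": "booking_portal", "known_by": ["E1012", "E1020"], "changed": date(2024, 1, 5)},
]

def offboarding_gaps(leavers, accounts, shared_secrets):
    """List what is still open for each employee who has left."""
    gaps = []
    for acct in accounts:
        if acct["owner"] not in leavers:
            continue
        if acct["enabled"]:
            gaps.append((acct["owner"], f"management ID {acct['id']} still enabled"))
        if acct["roles"]:
            gaps.append((acct["owner"], f"{acct['id']} still holds {', '.join(acct['roles'])}"))
    for secret in shared_secrets:
        for emp in secret["known_by"]:
            left_on = leavers.get(emp)
            # A password last changed on or before the departure date is
            # still the one the leaver knows.
            if left_on is not None and secret["changed"] <= left_on:
                gaps.append((emp, f"password {secret['name']} not changed since departure"))
    return sorted(gaps)

if __name__ == "__main__":
    for employee, gap in offboarding_gaps(LEAVERS, ACCOUNTS, SHARED_SECRETS):
        print(employee, "-", gap)
```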

3-4. Calling on customers to prevent information leakage

In the hotel industry, it is also effective to call on customers to prevent information leakage.

  • Encourage them not to open phishing sites or emails that impersonate your company
  • Encourage them to make hotel reservations and log in only from their own smartphone or computer

By making such requests, you can also raise customers’ security awareness.

Summary

In this article, we explained the importance of security and the countermeasures against personal information leakage in the hotel business.

Cyber attacks never stop and are a threat to hotel operators, so thorough security measures are essential.

Personal information is important information that you receive because customers trust you, so please implement security measures thoroughly and protect and manage it.
