Trump Hotels and Management LLC has paid the price for failing to implement robust security controls to secure its POS system from cybercriminals.
The hotel chain, which is headed by Donald Trump and run by three of his children, has been fined $50,000 by the New York Attorney General for a data breach that exposed the credit card details and personal information of over 70,000 guests in 2015.
Banks conducted an investigation following a spate of fraudulent credit card transactions last year, and determined that the common denominator was all of the victims had previously stayed in Trump-owned hotels. In all of the cases, Trump Hotels was the last merchant to process a legitimate card transaction, indicating there had been a breach of credit card details at the hotel chain.
A further investigation revealed that the POS system used by 5 Trump hotels in Chicago, Las Vegas, and New York had been infected with malware. The malware was installed on the credit card processing system in May 2014 and access to the system was gained using legitimate domain administrator credentials. The malware was able to capture the payment card information of guests.
The fine, which was announced by New York Attorney General Eric Schneiderman on Friday, was issued for the company's failure to adequately secure its systems and for the delay in issuing breach notifications to consumers. Trump Hotels did place a breach notice on the company website, but it took 4 months for that notice to be uploaded – a breach of state laws in New York.
Schneiderman explained “It is vital in this digital age that companies take all precautions to ensure that consumer information is protected, and that if a data breach occurs, it is reported promptly to our office, in accordance with state law.”
A spokesperson for Trump Hotels explained that the hotel industry is under attack by cybercriminals looking to gain access to guests’ credit card details. “Unfortunately, cyber criminals seeking consumer data have recently infiltrated the systems of many organizations including almost every major hotel company.”
Other notable hospitality industry breaches include the cyberattack on Hyatt hotels and Starwood Hotels & Resorts Worldwide. The Hyatt breach affected 250 hotels, while the Starwood breach resulted in the POS systems of 54 hotels being loaded with malware.
Cyberattacks are to be expected; however, security controls at Trump Hotels appear to be insufficient. A second credit card system data breach was discovered to have affected the hotel chain in March this year. Investigators discovered malware had been installed on 39 computer systems used at various locations.
In addition to the $50,000 fine, Trump Hotels has agreed to adopt a corrective action plan which requires additional security controls to be installed to prevent future data breaches.
It may not be possible to prevent all cyberattacks but, with the hospitality industry coming under attack, it is essential that security controls are implemented that prevent the installation of malware. Keyloggers and other information stealing malware are usually delivered via spam email or are unwittingly downloaded from malicious websites.
In order to prevent infections via email, hotel chains can implement a robust spam filter. Web-borne infections can be prevented using a powerful web filtering solution to block malware downloads.
Although many businesses use carefully configured DNS filters to prevent cyberattacks, UK ISPs tend to blanket-block complete categories of websites to limit access to those most likely to be harboring malware. This hit-and-miss approach to online security often blocks genuine websites, or exposes consumers who opt out of DNS filtering to every type of online threat.
However, plans have now been announced that will see the UK's spy agency – GCHQ – partner with leading ISPs in the UK in order to develop a more finely-tuned approach to consumer security. Effectively GCHQ will advise the ISPs on how to configure their DNS filters to prevent cyberattacks on consumers based on individual sites known to harbor malware.
By preventing consumers from accessing “bad addresses” that appear to be legitimate domains, GCHQ hopes to reduce the number of malware and phishing attacks launched on the UK public each year. The organization is reported to routinely use DNS filtering to filter out some parts of the internet that the government asks to be banned, and this new initiative is an extension of its existing service.
The plans were announced by Ciaran Martin – head of GCHQ and the recently formed National Cyber Security Centre (NCSC) – at the Billington Cyber-Security Summit. Martin told Summit attendees, “We’re exploring a flagship project on scaling up DNS filtering: what better way of providing automated defenses at scale than by the major private providers effectively blocking their customers from coming into contact with known malware and bad addresses?”
A few years ago, former UK Prime Minister David Cameron attempted to introduce legislation that would require ISPs to block pornography. While legislation was not passed, ISPs entered into a voluntary agreement to block pornography by default. Since 2013, all new customers have been prevented from accessing online pornography by their ISPs unless they choose to opt out and lift the DNS filter. Under this voluntary arrangement, UK citizens are protected from inappropriate content, yet their civil liberties are not violated.
There would likely be considerable backlash if the government was to introduce legislation to block the accessing of certain websites, even if those sites were known to contain threats such as malware or ransomware. Martin is well aware of the potential problems that could arise. He told Summit attendees, “The government does not own or operate the Internet,” explaining that any move to use DNS filters to prevent cyberattacks would need to come from the private sector.
Martin explained that, as with ISPs blocking pornography, consumers would be given a choice to opt out of using DNS filters to prevent cyberattacks. He said “addressing privacy concerns and citizen choice is hardwired into our program.”
The plan to use DNS filters to prevent cyberattacks on consumers and UK businesses has been applauded. “The Great Firewall of Britain” will help to protect consumers from cybercriminal activity and keep electronic devices free from malware and ransomware.
There are currently millions of malicious websites that have been set up with the sole purpose of spreading malware such as banking Trojans, ransomware, and spyware, or of committing online fraud. Data from the Information Commissioner's Office (ICO) shows the number of reported online security incidents has doubled in the past year, and cyber-infection rates are growing exponentially around the globe.
The use of DNS filters to prevent cyberattacks should go some way towards preventing consumers from inadvertently downloading malware or falling victim to a phishing campaign. However, while this is a step in the right direction, when the plan is implemented it will not spell an end to malware and ransomware attacks.
ISP DNS filters can only block websites that are known to be malicious or have been discovered to host exploit kits or malware. Cybercriminals are constantly changing tactics and are using ever more sophisticated methods of attacking individuals, businesses, and governments. The use of ISP DNS filters to prevent cyberattacks will help to deal with low level attacks, but organizations should not rely on their ISPs to block online threats.
It will still be essential for organizations to carefully control the website content that can be accessed by their employees, and to do that they will need their own web filtering solution.
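As an added illustration (not code from this article, nor from any ISP or GCHQ system), the following shows the kind of decision an ISP resolver would make under the scheme described above: known-bad domains and their subdomains are sinkholed, a customer who has opted out is never filtered, a safe list overrides blocking for wrongly blocked legitimate sites, and anything not yet on the blocklist resolves normally, which is exactly the limitation noted above. All domain names and customer ids are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

SINKHOLE_ANSWER = "0.0.0.0"  # constructed placeholder returned for blocked names


@dataclass
class DnsFilter:
    # Constructed sample state: known-bad domains, a safe list for reported
    # overblocks, and the customers who chose to lift the filter.
    blocklist: set[str] = field(default_factory=set)
    allowlist: set[str] = field(default_factory=set)
    opted_out: set[str] = field(default_factory=set)

    @staticmethod
    def _candidates(name: str) -> list[str]:
        # The name plus each parent domain (but never the bare TLD), so an
        # entry for bad.example also covers cdn.bad.example.
        parts = name.lower().rstrip(".").split(".")
        stop = len(parts) - 1 if len(parts) > 1 else 1
        return [".".join(parts[i:]) for i in range(stop)]

    def _listed(self, name: str, entries: set[str]) -> bool:
        return any(c in entries for c in self._candidates(name))

    def decide(self, customer_id: str, name: str) -> str:
        """Return 'resolve' or 'sinkhole' for one query from one customer."""
        if customer_id in self.opted_out:
            return "resolve"            # citizen choice: filter lifted for this line
        if self._listed(name, self.allowlist):
            return "resolve"            # reported false positive, safe-listed
        if self._listed(name, self.blocklist):
            return "sinkhole"           # known bad address
        return "resolve"                # unknown names pass: a brand-new malicious
                                        # domain is invisible to a blocklist filter

    def answer(self, customer_id: str, name: str, upstream_ip: str) -> str:
        """What the resolver hands back: the real record or the sinkhole."""
        if self.decide(customer_id, name) == "sinkhole":
            return SINKHOLE_ANSWER
        return upstream_ip
```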
The Department for Education in the UK has recently published new statutory guidance relating to requirements for web filtering in schools.
From September 5, 2016, all schools have a duty to conduct a risk assessment and, where appropriate, implement a web filtering solution to prevent children from being exposed to illegal or harmful online material.
The “guidance” from the Department for Education is mandatory and educational institutions have to comply with the requirements for web filtering in schools, unless it can be shown they are not necessary in the circumstances, or that safeguards providing adequate protection already exist.
Key Issues Covered by the Guidance
The requirements for web filtering in schools form one of three risk categories being addressed by the guidance – the other two being the prevention of harmful online interaction, and online conduct that increases the likelihood of harm.
The Department for Education makes it clear that the guidance refers not only to school computer networks, but also access to mobile technology, and stipulates that policies should be introduced regarding mobile usage on school premises.
It is also a requirement that teaching staff undergo safeguarding training to monitor use of the Internet, so that they can effectively identify children at risk and intervene or escalate where appropriate. Children should also be educated about online safety.
What are the Requirements for Web Filtering in Schools?
While the guidance outlines the requirements for web filtering in schools, it falls short of detailing specific types of website content that should be blocked. Instead it defers to the recommendations made by the UK Safer Internet Centre (UKSIC).
The UKSIC offers guides for appropriate filtering and appropriate monitoring, with the caveat that what constitutes inappropriate website content for one age group may not necessarily apply to all age groups.
It suggests any web filtering solution that is implemented should have reporting mechanisms to provide historical information on the websites visited by users, and the ability to report inappropriate content for access or blocking.
While not an exhaustive list of all types of inappropriate website content, the UKSIC recommends schools and other educational establishments ensure the following categories are blocked by their chosen web filtering solution:
- Websites that promote discrimination on the grounds of age, sex, race, and religion.
- Websites displaying or promoting the use of narcotics and/or substance abuse.
- Websites promoting acts of terrorism or terrorist ideologies, intolerance, or violence.
- Websites or tools that enable anonymous browsing of the Internet.
- Sites hosting malicious content.
- Webpages promoting hacking or the compromising of computer systems.
- Webpages containing pornographic images or displaying sexual acts.
- Websites promoting or enabling copyright violations or Internet piracy.
- Sites displaying or promoting acts of violence with intent to harm, maim, or kill.
- Sites promoting self-harm or displaying acts of self-harm, including eating disorders and suicide.
Features of Web Filtering Solutions for Schools
In addition to blocking categories of web content, a suitable web filtering solution for schools should include the ability to:
- Identify individual users, the sites visited, and the searches performed.
- Make changes to filtering parameters at school level as appropriate.
- Block access to restricted content from mobile devices.
- Provide multi-lingual filtering support.
- Generate reports allowing administrators to view accessed content.
- Filter content without the need to download software onto devices.
It is inevitable that some legitimate web pages may be blocked by a web filtering solution. It is therefore important that a system is established that enables users to report when access is blocked to legitimate web pages so that the web pages can be added to a safe list or whitelist.
Web Filtering for Schools No Substitute for Supervision
The UKSIC points out that even the most robust Internet content filtering solutions are not infallible. It is not possible for any solution to be 100% effective, 100% of the time. The UKSIC recommends the requirements for web filtering in schools are supported with “good teaching and learning practice and effective supervision.”
While the blocking of Internet content is important to prevent children from coming to harm, schools should take care not to overblock website content. The UKSIC advises schools, colleges, and other educational establishments to take care web filtering does not unreasonably restrict access to valuable website content.
Full details of the requirements for web filtering for schools can be found within Annex C of Keeping Children Safe in Education.