Hilton Worldwide Holdings is investigating a report that alleges hackers breached multiple Hilton properties.
In a statement sent to Reuters, a Hilton spokesperson commented that the company takes any potential security issue very seriously and is looking into the matter.
“Unfortunately, the possibility of fraudulent credit card activity is all too common for every company in today’s marketplace,” Hilton stated.
The news about the alleged breach against Hilton comes just over a month after a U.S. federal appeals court ruling in a case brought by the Federal Trade Commission against hotel chain Wyndham Worldwide Corp. That ruling found that Wyndham failed to protect consumer data against hackers. Wyndham was attacked on three occasions in 2008 and 2009, leading to information theft and fraudulent charges.
Security experts contacted by eWEEK were not surprised that Hilton Worldwide Holdings now finds itself investigating a potential data breach.
“Cyber-criminals are targeting and exploiting vulnerabilities at companies handling the largest volume of payment card transactions, and Hilton is clearly on that list,” James Socas, executive chairman of iSheriff, told eWEEK. “Point-of-sale [POS] devices, long ignored from a security perspective, are more frequently being used to gain entry into the system and extract valuable data.”
Kevin Watson, CEO of Netsurion, noted that data networks are continuously under attack, and as such, it’s not a matter of if—but when—hackers will be able to penetrate a network. In the case of Hilton, the bigger the brand, the bigger the target, he added.
“No matter how secure we build our networks, there is always a weak link, and in most cases, that weak link is the humans that interact with the network on a daily basis,” Watson told eWEEK. “A compromised password, malware on a laptop used at home and at work, a phishing attack that looks too real to pass up—these are all viable ways networks with top-quality security are breached every day.”
In the context of the modern landscape where organizations are facing continuous attacks, the key is not only to do everything possible to keep hackers out but also to work proactively to keep sensitive data in, even in the face of a compromised network, Watson said.
Cyber-criminals are getting to the payment card systems through vulnerabilities in the corporate network, Socas said.
“Hilton needs to find that entry point and shut it down,” Socas said. “Often, the breach point is a spear-phishing attack, which can be addressed through better training of employees and suppliers.”
Hilton will need to review its security policies, particularly what is in place to make POS endpoints much more secure, Socas said.
“Each of these devices is a potential open door to the network,” Socas said. “Once a cyber-criminal is through the door, they are much harder to detect and prevent.”
POS systems are currently on the verge of a major transformation as EMV, also known as chip and PIN, credit cards are set to officially debut in October. EMV is intended to be more secure than magnetic-stripe-based credit cards, though risks still remain. Socas commented that while EMV cards will make security better, it will take years to become the standard.
“However, Hilton and other retail organizations will still store massive amounts of sensitive data and will be a target,” Socas said. “This is not a problem that will fix itself with one solution. Better security that really does protect the network needs to be in place, and POS devices should be viewed as an entry point.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.