Contrary to popular belief, the hospitality industry is an excellent target of cybercrime because of the sheer amount of personal and sensitive data held. In fact, there are several businesses that have already faced data breach fines.
Every day, hotels, hostels, and restaurant chains handle credit cards, emails, contact preferences, home addresses, and other sensitive data from millions of customers, and hackers want to get their hands on that information.
A data breach can go undetected for quite a long time, as some of the cases below demonstrate, which would only increase the GDPR fine nowadays!
Here are 6 hospitality businesses who have recently faced data breach fines, and the cybercrime that caused them.
Back in 2014, Hilton hotels were a victim of a data breach, followed by another breach during 2015, which resulted in the data loss of over 360,000 customers. The data that was stolen held sensitive information like credit card numbers, names, addresses, and more.
The biggest issue is that Hilton failed to inform its customers about the breach in a timely manner. It took them ten months after they learned about the breach to inform their customers. This resulted in a $700,000 fine for lack of adequate security and failing to inform customers about the breach. If this had happened recently, their fines would be much higher under GDPR – they would probably have to pay around $420 million.
Radisson Hotel Group faces fines under the newly adopted GDPR. The breach was discovered in 2018, with Radisson claiming to have promptly informed the EU regulators within the 72-hour timeline. It was detected in the Radisson Rewards database, and some members of their Rewards programs were compromised.
Apparently, credit card or passwords were not stolen. Stolen data included names, addresses, email addresses, company names, Rewards member numbers, and frequent flyer numbers. As a result, the hotel chain might be facing a €10 million fine.
Even Trump hotels aren’t spared of data breaches. The hotel chain suffered a data breach back in 2014 when over 70,000 credit card numbers and other personal data were stolen via the payment processing system that was infected. The now president Trump agreed to cover the $50,000 fine that was issued because the hotel chain didn’t bother to inform their customers about the breach even though they knew about it for months.
Restaurant chain Wendy’s had to pay a hefty fine because of the data breach that happened in 2015 and 2016 when 1,025 POS systems used at their locations were infected with malware that led to a lot of stolen credit card info. It is reported that over 18 million cards were compromised in the breach.
Many of these cards were used to commit fraudulent online purchases. As a result, Wendy’s had to face a class action lawsuit from affected financial institutions and consumers. Wendy’s reached a settlement that required them to pay $50 million by the end of 2019.
Zippy’s restaurant chain based in Hawaii suffered a data breach in November 2017. They first discovered the breach in March 2018. All cards used during that time might have been affected. The compromised information included credit card numbers, expiration dates, names, and security codes.
There is no information about how many customers were affected, but a class action lawsuit was filed against FCH Enterprises, the owner of Zippy’s Restaurant. It’s worth noting that not only the restaurant chain was affected. The other franchises held by FCH – Napoleon’s Bakery, Kahala Sushi, Pearl City Sushi, and Pomaika’i Ballrooms. FCH reached a settlement and agreed to pay $725,000.
Probably the case that got most traction is the large data breach that occurred with the Marriott hotel chain. Personal data and credit card details, even passport numbers and dates of birth of more than 500 million of their customers were stolen. The Marriott group includes hotel chains such as Sheraton, Westin, W, Le, Meridien.
The breach was first discovered in September 2018, while detailed investigation revealed ongoing unauthorized access dating back to 2014. They did encrypt sensitive data such as credit card information. However, the group stated they cannot be sure that encryption keys were not stolen too.
The most concerning part is that this was ongoing for four years, meaning security monitoring profoundly failed. The fine: $3.5 billion dollars plus $915 million from ICO GDPR.
With the rising risk of data breach and rising prices of fines, make sure you protect your customers’ sensitive data. This is especially true with the GDPR in place. By doing so, you avoid fines and ensure your guests rest easy knowing their personal information is safe with you.
Did you delete metadata on redacted documents the last time you sent them?
If not, it’s easy to see the original information if you know where to look and then you might as well not have redacted them at all! This doesn’t just apply to ‘Top Secret’ documents anymore, it also poses a problem under GDPR.
For example, it’s easier to redact personally identifiable information (PII) you don’t want to share when sending a document to third parties or externally. Rather than getting consent from each user or changing your document (or database) altogether.
Some people have been making mistakes. The ICO reported that in Q4, failure to redact data was one of the most common types of data security incidents. So, ultimately, if you don’t delete the metadata on redacted documents it can lead to a data breach! To remove the risk, it’s best to remove the metadata. Here’s how it’s done:
Delete Metadata on Redacted Documents in Word
Select and open the Word document you want to remove the data from.
Click on the “File” tab and select “Info” from the menu.
Choose “Check for Issues” and select all the data you want to check the document for:
Comments, revisions, and versions
Properties and personal information
Headers, footers, watermarks
Document server properties
Custom XML data
Click “Inspect” and review the results.
Choose “Remove all” to strip the document of metadata.
Delete Metadata on Redacted Documents in Excel
Select and open the Excel workbook you want to remove metadata from.
Select “File” > “Info” and under “Check for Issues” choose “Inspect document.”
Select the data you want to check:
Comments and annotations
Properties and Personal Information
Hidden rows and columns
Hidden worksheets and names
Custom XML data
External links and embedded files
Choose “Inspect” and review the results.
Select “Remove all” on each type of information you want to remove.
NOTE: If an Excel workbook was saved as a shared file, some information can’t be removed. This includes document properties, personal information, comments, annotations, headers, and footers. To remove these, you first have to unshare the workbook. Should you remove hidden rows and columns with data, this can affect calculations and formulas.
Delete Metadata For PDFs
Unfortunately, in the free version of Adobe, access to metadata is limited. So whilst you can view the properties, you can’t edit or remove them. To remove you’ll need a subscription to Adobe Acrobat XI or a specialist tool. But, here’s how to do it with an Adobe Acrobat XI license.
In Adobe Acrobat XI, locate the Tools panel in the top right corner.
Open the “Protection” tab and locate the “Hidden information” heading.
Select “Sanitize document” and click “OK.”
To choose what to delete, select the “Remove Hidden Information” option.
Name your file and click “Save.”
Delete Metadata on Redacted Documents in PowerPoint
Select and open the Powerpoint presentation you want free from metadata.
Under the “File” tab, go to “Info” > “Check for Issues” > “Inspect document”
Select the data you want to check:
Properties and personal information
Custom XML data
Off slide and invisible content
Click “Inspect” and wait for the results.
Click on “Remove all” on all the information you want gone.
Delete Photo Metadata
Okay, this one might be a bit of a stretch as far as GDPR is concerned, but we figured we might as well show you how to do this as well whilst we were here! Also note that you can access photo metadata if you’re adding it to a document, so you’ll need to remove it before adding to a redacted document.
Right-click the image file and go to “Properties.”
Go to the “Details” tab.
Select “Remove properties and personal information.”
Select which data you want to remove.
Although it might seem like a faff! Incorrectly or failing to redact documents properly will lead to data breaches. Particularly when sending files publicly! so, delete metadata on redacted files and you should reduce your risk significantly.
One of the challenges of implementing GDPR for businesses is the technical GDPR staff training.
But, you need to be prepared.
Your organisation’s compliance depends on having informed and well-trained staff, and the larger your business, the more difficult and vital this becomes.
We’ve dealt with many GDPR staff training sessions approaching from the technical standpoint and often consult with organisations to ensure they are passing on their knowledge correctly.
As such, we’ve decided to put together this brief list of essentials for a technical GDPR staff training session to get you started.
Before Your GDPR Staff Training
Data protection should already be part of the company culture meaning that your staff aligns with a privacy-first approach.
In practice: Incorporating privacy and data protection to your core values ensures you adhere to the GDPR “data protection by design and default” guideline – this means that your default settings should be privacy friendly, and all processes and operations, from sending GDPR Compliant emails to app development, include data protection measures at their core.
What To Include in GDPR Training Sessions
A well-rounded GDPR training should start with the basics and work towards the technical aspects of GDPR compliance like new policies and frameworks that you’ve adopted as an organisation. Key points to include are:
GDPR is all about consent, and ‘legitimate interest’ cases when contacting others and this needs to be thoroughly understood and explained.
If not, any one of your employees could contact someone without permission and it could lead to a complaint to the ICO and fines. This is one of the most misunderstood points of GDPR currently, particularly for marketers and businesses that thrive from reaching out to potential customers. You and your staff need to understand where the line is, and how not to cross it.
2. The Risk of Non-Compliance
Your staff should learn about all the principles of data protection and be aware of the financial risk of not being compliant, how it hurts reputation, and what disciplinary measures the business (and they) can face. When they can connect the risks and arguments on why GDPR is necessary, they will understand just how important it is.
3. Understanding Your Business’ Role
Ensure your employees understand where your business stands. Participants should learn the difference between data processors and collectors, which category the business falls into, and the category of any other third party they conduct data-related business with.
There’s no point in explaining the rationale behind GDPR and the fines without some context. Your employees need specific guidelines about data-related operations and processes they do daily.
For example, your GDPR email training might be highly technical, so make sure that everyone understands how new regulations affect their daily email communication and work in general, with a focus on how it makes it better.
6. New Company Policies
Your business’ policies should be at the core of the staff training. Ultimately, you’re the ones to police your own staff and if it is enforced companywide, it’s more likely to be adopted (and stuck to.)
Every department should be aware of new company policies that ensure GDPR compliance and how they affect them – from developers working on a new app to the sales team dealing with customer data, to marketing staff sending out emails.
7. How To Spot Data Breaches
The staff should also learn how to recognise red flags – because a data breach has to be reported to ICO within 72 hours, knowing to spot one is crucial. They should also learn the correct procedure in case of a data breach, such as who to report it to in the company and whether additional measures are needed.
8. SAR Requests
Under GDPR, a company has to respect a subject access request – request for data. SAR requests need to be handled within 24 hours of being received, so having a policy in place and making sure your staff knows the correct way to respond to it is key, because the public and customers don’t always send requests to the right location straight away.
The Technical Side of GDPR Staff Training
Implementation of new technologies and software solutions that ensure data safety is the next logical step for GDPR compliance. But this can be difficult to implement itself.
Ensuring your processing systems and services are confidential and resilient
Being able to restore access to personal data quickly if there was a physical or technical issue that prevented access
Regular testing and evaluation of technical and organisational measures that were implemented to ensure data security
For example, your email communications should be secured through solutions like Azure Information Protection – which provides email and file encryption that protects data in such a way that it’s secure no matter where it goes. Deploying systems like Azure Information Protection across your organisation can be tricky if you don’t know what you’re doing, but training your staff to use AIP should be easy – from GDPR email training to sharing documents securely – to ensure the highest security and your ‘best effort’ towards GDPR.
Continuous GDPR Training Ensures Compliance
The last point to note is that reminders and refreshers are the way to really reiterate the importance of GDPR to your business, to staff.
Hold refresher sessions after the initial GDPR staff training on a regular basis. Data protection should be ingrained into every single business process. Make sure new members understand this too – make GDPR training an integral part of the onboarding process and make sure it becomes part of your company culture.
If you need help with implementing Azures Information Protection in your small business, check out our fully comprehensive and supported course here:
With our increasing reliance on our phones, computers, and other internet-connected technology and accessories, security is more important than ever. To be able to recognise when our tech might be compromised can save you from potential catastrophic losses. It’s therefore important to be on the lookout for computer malware signs.
How often do you pay for something using your credit card or online wallet? How many passwords do you have saved or “remembered” so you can quickly log in? Hackers can gain access to your devices in numerous ways, but in many instances, it’s not immediately apparent.
In a business environment on a company network, this can give hackers access to the same shared systems and folders that your computer has access to, leading to a data breach with far-reaching consequences. All it takes is for a high-level executive, member of the C-suite, or HR personnel with access to sensitive records to click that infected email and it’s game over for some businesses.
Being aware of the dangers and spotting the computer malware signs is, therefore, more important than ever to prevent the disastrous effects of a successful cyberattack. These are the warning signs of a possible data breach and that your system has been infected.
20 Computer Malware Signs To Be Aware Of
Very often, malware and viruses will be disguised as regular notifications. Your computer will display the notification, often saying that your PC is infected and offering help to remove the threats. If you accept “help,” you will be prompted to visit a website and leave your credit card information to pay for the service of removing the threat. Even though such an attack pattern is not new and has been present for a while, people still fall for it very often. This is the most common of all computer malware signs.
2. Sudden Sluggish Performance
If you notice that your computer is slower than usual, the first thing to do is check the TaskManager. You can access it by simply writing “Task Manager” after hitting the Windows key on your keyboard.
Once there, check the Performance tab to see whether any of your hardware is being used too much: the CPU, memory, disks, or GPU. Chances are, your memory might be compromised by malware.
Some glitches in your system might appear like your computer has a mind of its own – usually a brief glimpse of a registry change or your mouse moving by itself. In most cases, these are just little glitches – a speck of dust on the mousepad, for instance. But this could also be one of the computer malware signs. If mouse movements are deliberate and make sense, like the mouse moves and opens or closes applications, then you are definitely dealing with a far more serious threat than a dusty mouse pad.
To disable this kind of remote access, the first thing you should do is disconnect your PC from the internet, disable network drivers so it can’t connect again, and make sure any connectivity options are disabled, e.g. Bluetooth. Then, you can start dealing with removing the issue.
Your computer might crash for no apparent reason. Often, software and hardware incompatibility are to blame, but if this is excluded, computer malware infection is a real possibility. To see what the crash was caused by, go to Event Viewer by hitting the Windows button on your keyboard and writing “Event” – it should be suggested as the first option. Once opened, go to Windows Logs and go through those that are marked as an error. This will give you more insight into what caused the crash and help you or your IT team find a solution fast.
5. Low storage
If your computer is suddenly running low on storage, it might be that you have not been paying attention to how much you have left. Some malware and viruses, however, are programmed in such a way that they replicate endlessly until they use up all the storage space you have.
Always ensure you know how much space you have left. If you know for sure that your hard drive partitions had more than enough, suspicious activity is to be expected.
6. You Don’t Appear to Have Security Measures Working, e.g. No Antivirus etc.
Your computer might notify you that your security isn’t working – that your antivirus has been disabled. If this is the case, check the status of your antivirus immediately. While this can be a system glitch while your antivirus is updating, it is often a sign that you were infected.
If you can’t get your antivirus software up and running, you will have to either install a new antivirus and antimalware software or, if you’re using a paid version, contact your antivirus manufacturer’s support and let them lead you through the recovery process.
Malware software can also cause pop-up ads, new tabs in browsers, or change homepages, and search engines, without the user’s consent. To get rid of these annoying pop-ups and ads, you will have to find the infected software and remove it from your device.
8. New Icons on Your desktop
If you notice a new icon on your desktop that you don’t know the origin of, suspect foul play right away as new icons are computer malware signs. Malicious software might be installed on your device, threatening to steal your credentials, cause havoc, or even lock you out. If this is your work computer, contact your IT department right away as it could have been installed on the network, not just your own device.
9. Corrupted folders or Missing folders
If you get a prompt your file is corrupt or you realise some folders are missing from where they are supposed to be, it could be an infection. Some malicious software will not be after your credit card data – the intent can simply be to erase all your data from your drives. While this is less of a threat today than it was before thanks to various online storage solutions, not all your data is stored online. If you have lost files, a system restore might be a way of getting them back.
Some malware acts as a simplified version of ransomware by locking you out of your computer until you pay. But, unlike hardcore ransomware, there are some things you can usually do to unlock it.
Using Windows safe mode might do the trick. Once you have booted Windows that way, you can run a virus scan and remove the ransomware. There are also dedicated ransomware removal tools from established antivirus brands, and even Microsoft itself has tools available. Another option is to use System Restore to restore your computer to a version that wasn’t infected yet.
11. Errant Messages
Your system might notify you that an application requires permission to do something, for example an application trying to change something on your computer or connect to the network. This usually happens when you start up, update or install a new application. However, if none of these have happened recently and you’re still getting the messages, your PC might be infected.
12. Redirecting Web Browsers
If you notice that your browser started redirecting you to random sites, you might be dealing with a browser redirect malware, whose aim is to use these redirects to artificially boost traffic to such sites, gather search data, or to try to scam users and steal their personal data. Search for suspicious programs on your device if you suspect this to be the case.
13. New Home Pages
If you open your web browser and your homepage is changed, you need to check which program might have caused this. Usually today, a lot of software will come with additional taskbars or options to change your homepage while you install them. You can opt out of it easily during installation, but many people oversee this. While such changes and additions might not be viruses themselves, they often lack proper security and can easily be used as a point of entry.
14. You’re (Not) Reaching Out
You might find that new conversations are popping up in your email inbox or social media that were started by ‘you’, but you can’t recall starting them.
These spam messages encourage your contacts to click on links that will then infect them. A popular scam is the malware will send an SOS email or message saying you’re stranded and need cab money or a train ticket. It might not seem like a lot but if every one of your friends and every one of their friends become infected, it’s a lot of potential.
15. BSOD – Blue Screen, Will Not Boot
If your computer suddenly becomes unresponsive and you see the dreaded blue screen of death (BSOD), it could be malware.
However, BSOD often happens after you install new software or hardware. Check whether you have the latest drivers installed for all your components and search for possible incompatibility between programs and hardware you are using.
If this is not the case, you will have to consult the Event Viewer again to see what exactly caused the BSOD.
16. Credit or Bank Purchases
If you get notified that there were purchases made with your credit card, or money was taken from your bank account but you didn’t do it, ask your bank to verify how payment was made. If it was done using your card (not in person) it means it was an online transaction. This can mean your device is compromised and they’ve taken the details, particularly if you have them saved e.g. Google online.
Cancel your cards, disconnect from the internet and do a thorough sweep of your devices to make sure that the breach didn’t come from them.
17. You can’t login to your accounts
If you can’t get access to your account because your password suddenly isn’t working, there’s a good chance you’re dealing with a case of account theft. This is already one of the serious computer malware signs. Always have a fallback option for such cases – a way to reset your password via your phone number, for instance. To minimise such a risk, have two-factor authentication that will request a code sent to your phone or a generated code from an app installed on your phone.
If you get a notification from your authenticator, for example, a code on your phone but you’re not trying to log in, check your system for malware and change your passwords immediately. It could be someone with a keystroke logger.
18. Your Hard Drive Appears to Be Constantly Working Even When Doing Nothing
Erratic and sluggish operations can be caused by a lot of software and hardware issues. To see what is happening, you will have to open your Task Manager by hitting your Windows key button and typing “task manager” for it to appear on the list. Once opened, look at the performance of your hardware. If you see that your disk is on ‘100%’ most of the time, you will have to check which processes are running and might have caused this. Note that certain Windows processes might cause this from time to time – recently microsoft.photos.exe, a legit Microsoft application, was causing this issue for some users.
If you find any other applications that are unfamiliar to you and are using your disk fully, terminate the process by right-clicking on it and selecting the “End Task” option. Find which program the task belongs to in order to see whether it’s a real malware or virus issue or just an incompatible program.
19. File Names Change or Are Missing
Any changes to files – either the names or the location of the files – should immediately be attributed to malicious software activity. A deep scan with a dedicated software will be needed to find the infection. Any files that were affected – renamed, deleted, or removed – might be beyond saving, so always make sure you have your data securely backed up online.
20. Unusual login pages
Any changes to login pages you often use – either for work or personal – should be deemed suspicious. Usually, changes like this are announced in advance, so check for news about the changes before you log in. Any pages that require your work, Google, or social media account credentials (both username and password) for login should also be avoided as these might be phishing sites that are trying to steal your credentials.
If you’ve navigated to the page through an email, close the tab and go to the company you’re trying to login to directly. If you don’t recognise the site, NEVER give your credentials away!
It’s important that if you feel there is something wrong with your computer, particularly if you are on a company device or part of a shared network that you report it! Small and subtle changes can lead to big data breaches and catching malware early is key.
Running a small business comes with a very specific set of challenges, like having limited resources, and often cyber security falls to the bottom of the list. But, the cost of a data breach, no matter the size of your organisation can be huge and the bad PR or image alone could be crippling as small businesses have to rely on reputation!
Why Would Anyone Target Small Businesses?
Many small business owners don’t understand why their company would be an appealing target for hackers. They are small, don’t have vast funds or sensitive secrets that anyone would care about. They believe they are not big enough to be a target, so they don’t invest as heavily in cyber security as larger businesses do.
Some hackers do not target small businesses specifically but try to infect as many devices as possible, and without protective measures, backups in place, or the education, small businesses can very quickly become victims too.
The most common type of tactic that casts a wide net are ransomware attacks and more recently, cyber-attacks are becoming more targeted and specific.
The top 3 reasons why small businesses are targeted specifically by hackers are:
The lack of investment into security makes it too easy for those looking to make quick money by selling details.
Small businesses often work with larger enterprises and if they’re not careful can serve as a point of entry for a large data breach.
A small business is more likely to meet the hacker’s demands, such as a ransom, to get their data back because without it, their business is at a standstill.
Cyber-attacks against Small Businesses are on the Rise
According to Keeper Securities’ State of Cybersecurity in Small & Medium-Sized Businesses (SMB) report from 2017, attacks against small and medium business owners are on the rise. A staggering 61% of small businesses that were interviewed reported they were affected by a cyber-attack. The most common type of attack included phishing or social engineering, with web-based attacks and general malware following closely behind.
What Small Businesses Should do to be Safe from Cyber Crime
Change of stance is the most crucial thing.
If small business owners continue to believe they are not a good target to hackers and believe they don’t matter, they will continue to be vulnerable to cyber attacks. Small businesses should focus on the following areas:
New Technology and Software – Investing in the newest software solutions can give small businesses the edge that they need to catch breach attempts early. Machine learning can detect anomalies in network traffic or credit card fraud attempts so that small businesses don’t have to pay as much attention.
Employee Education – Teaching employees about cyber security lowers the risk considerably. Get them on board about it and teach them about password policies, what makes a strong password, why password sharing is risky, and signs that indicate a possible breach. Check out the TowerWatch Academy for regular courses that you might need for educating staff and using protection software.
Regular Updates and Patching – Ensure all your systems are up to date and patched regularly. New patches are applied to parts of code that could have been used as points of entry before the patch which is why you should always keep up to date.
Use Encryption – Encryption is a precaution in case a data breach happens. If hackers get to your data, having it encrypted will render it useless to them.
Physical Security – Have surveillance in place in areas where you keep your sensitive data to avoid malicious actions from the real world.
Two Factor Authentication – In case a cyber attack is successful in getting credentials to log in to your system(s), a two-factor authentication will stop them from getting further than trying to log in and will immediately alert you so you can lock it down and change your passwords.
As IT guys, it’s very easy to blame users for data breaches but it’s not always just their fault. Sometimes, data breaches aren’t users’ fault.
Sure, they need to update their passwords, stop giving things out and clicking on the suspicious email links. But, the buck stops with you as their IT professional. We thought these statistics from the IS Decisions’ research into IT Security managers in both the UK and US were very enlightening.
It shows that, compromised credentials are one of the main causes of data breaches and we must remember our users are human! It’s up to us to help limit the risk by:
Forcing users to frequently change their password – even if they hate us for it
Making sure policy dictates a different password for each program or part of the system
To give regular training on Phishing or data security that affects them – and stop assuming they will know something is off when they see it
To be approachable so that any issues are quickly reported
Doing these small things can make a big difference in data security and protection to minimise the risk of a breach due to compromised credentials. Here is the infographic and statistics below with some interesting results:
You’ll learn: The main vulnerabilities of a home or small office – including what to look for and how to combat them. Understand cyber security threats and what they look like at home. How you can make sure you’re GDPR compliant at home! How to protect yourself in the event of a breach
Privacy & Cookies Policy
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.