Workforce Capability

Hackers are checking into hotel systems

It’s official, ‘hackers are checking into hotel Systems’, have you been Phished[1]?

Criminals are after your data so they can steal credentials and use them to get money, and this time it seems the gang associated with these attacks are the same as the ones who took USD 1Billlion from banks.

So how do they do it?

The first step is not hacking a computer but socially engineering[2] a person![3]

Step 1 – A phone call is received at a hotel reservation desk by a pretend hotel guest to discuss a problem confirming a reservation. They say they have a question, and can they help?

Step 2 – The caller says they have information about the reservation and would like an email to send to the reservation desk so the hotel can help them.

Step 3 – The caller sends an email to the reservation desk with an attachment.  The hotel opens the attachment, which has malicious software called ‘Malware’.  The malware is designed to find the sensitive information the caller wants and downloads more Malware tools to assist in its search.

Step 4 – The hotel system is now compromised and send all the information that the caller needed to them and the malware can stay on the system if they want to download future reservation information.

While this story was about a hotel chain, the same approach can be used for many businesses alike, and this is called a ‘Phishing Scam’.  There are different types of Phishing scams, depending on the intended victim.

Help me protect myself from a Phishing Scam!

All staff should be trained on how to spot a potential scam, for example, not posting information on social media such as vacation plans, phone numbers, your address.

[1] The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.

“an email that is likely a phishing scam”

[2](In the context of information security) the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.

[3] https://whatismyipaddress.com/hacking-hotels

👉 Explore Digital and Cyber Capability

Category: Digital and Cyber Capability, Safety and Wellbeing Capability

The UK might fine Marriot Hotel 99 Million Pounds for data breach

The UK might fine Marriot Hotel £99Million for Data Breach!

Following on from our previous article, it looks like countries are submitting claims against the Marriot Hotel Chain according to the Register UK.[1]

The UK’s Information Commissioners office is the first to file a claim for fining the hotel chain.

If other countries follow suit, it could be a very costly affair, not to mention the reputational damage to the hotel chain.

The Chief Executive of Marriot International stated:

“We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”

Marriot had admitted to half a billion individuals data had been stolen.

Hotel guests who have previously made a reservation to stay at any of the following, Marriott or Starwood hotel (among others, the group also owns the Sheraton, Ritz-Carlton, and Renaissance brands) should go to the Starwood web page about the data breach.

Tips

Your data may be used by criminals who want to use your identity for financial gain.  Go to the website and check if the breach is relevant to you.

Some password managers and Antivirus products automatically tell you if they find your credentials being used elsewhere. This can include credit card information, email addresses and passwords for sites that you need a login.

Be proactive and get good security awareness advice

[1] https://www.theregister.co.uk/2019/07/09/marriott_hotels_ico_fine_intention_99m_starwood_breach/


Book now for a strategy call

Category: Digital and Cyber Capability Tags: ,

Could your business cope with a $650,000 fine?

Bradken Resources Limited was fined in the Melbourne County Court July 2019 after being found guilty by a Wangaratta County Court jury of failing to provide and maintain safe plant following a 10 day trial.

Although there had been no prior incidents of a casting falling back onto the windscreen of a skid steer loader, the court heard Bradken knew, or ought to have known, from previous similar incidents that this could happen.

The court was told it had been reasonably practicable for Bradken to reduce that risk by using alternative machinery, such as a rock excavator, that did not put its employees as close to the castings.

No matter the size of the business you MUST complete and document a Hazard & Risk Assessment.


Book a Strategy Call

Category: Safety and Wellbeing Capability

Turnover of staff in Hotel industry creates problems

Often the hotel industry is peppered with students and part time staff, whom for many it is there first job.  It is an industry that traditionally has a high turnover of staff.  The difficulty for many Chief Fire Wardens is the requirement to “train” staff in general evacuation training within two days of commencement.  Many Human Resource Managers “train” their staff in General Evacuation Training, BUT how good is the training.

Often the quality of the training will depend on how that person is feeling that day.  There is often no consistency.

I have had many people that say that they “train” their staff by telling them… “There is the door, get out”.  Or they show them where the exits are and think this is “training”.  General Evacuation Training is soooo much more than this.  To provide comprehensive training in General Evacuation Training should take around an hour and most HR Managers or Managers don’t have the time for this.

As hotels are often targets for armed hold up, you want to make sure that your General Evacuation Training includes something on what to do in the event of an armed hold up or an active shooter.  General Evacuation Training is about helping staff to make the right decision in all types of emergencies.

Some years ago I did some training in South Australia for a company that only wanted the Chief Warden’s trained as they did not believe the other staff needed training.  So I conducted a fire drill.  I went up to a workshop manager and said to him “This is a fire drill, pretend there is a fire there, what would you do?”  He looks at me for a second… you could see his brain thinking… he says “I know! I go to the assembly area and he takes off! …. I then went to the showroom and gave her the same spiel and she said “well I have no customers in the showroom at present so I go to the assembly area” and she takes off!…. No word of a lie… I went out to the warehouse and said the same thing to a warehouse person and he said “well I’m just a casual here, but hey, I can go to the assembly area and he took off!  IF you can’t see what the problem is… YOU need General Evacuation Training…

So, what is the solution?  The Answer is Yes has created a series of Online fire training courses.  What makes them unique is they are the only company that will (without charge) customise the training course to be specific to YOUR business.  A Fire Safety Adviser ensures that the training is consistent and complies with all legislation

Fire training does not have to be done face to face and staff can do the training online.  It could also be something that staff have to do before they start work!


More Info on Fire Training

Category: People and Culture Capability

What's wrong with this picture?

This photo was taken on the third floor of a Melbourne hotel.  The electricians regularly serviced the emergency exit light and it was working, but they did not see anything wrong with this exit light.

Hotel maintenance regularly inspected the hotel but they did not see any issue.

Management when told of the issue brushed me off… can you see the issue?

The issue is that this light is in the middle of a hallway has the words EXIT… yes ideally it should be a running man sign… as not all patrons who sleep on the premises may be able to read english… but that was not the critical safety issue…

Now… imagine it is dark at night and the hallway is filling with smoke… people are trying to evacuate… they gravitate to the exit light… except… there is NO DOOR where the light is…

If the exit light had an arrow pointing to the door it would have been fine.  However the hotel potentially was putting the lives of everyone sleeping on that floor at risk.

Queensland requires that high occupancy buildings have fire safety advisers appointed to the business to ensure compliance with legislation.  Experience here would dictate that this is an unnecessary risk for clients.  This is an example of what experience gives you.

If you have not had an audit done by a Fire Safety Adviser… now is the time to take the first step.


More Info on Fire Compliance

Category: Safety and Wellbeing Capability

Is it ok to use the hotel wifi?

There are many examples of data security breaches in hotel chains. One hotel chain, ‘The Marriotts’ reservation system was hacked with an estimated 500Million reservation information stolen.  This figure was later reduced to 383Million once the investigation had completed.

Those stolen records potentially include; unencrypted names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, dates of birth, genders, arrival and departure information, reservation dates, and communication preferences.’[1]

The company who provided the reservation service subsequently had its contract terminated.  The reservation system was compromised for four years before the discovery. For those who had their identity stolen and replaced their passports was paid for by the hotel chain.

While there is little you can do as a customer to protect your personal information given to a hotel, you assume they will protect this information sufficiently.

Steps to reduce Cyber Risks

Hotel chains can train their staff and dictate the security requirements for Cyber Security to any third party connected to their business.

A Cyber Risk assessment combined with a Cyber resiliency review would have gone a long way to help mitigate the attack, which is more than just an audit. Staff trained in Cyber Security and not just Information Technology would also help reduce the risk.

If you are using the hotel’s Wi-Fi, assume that what you send over the network can be intercepted and monitored as you do not know the level of security applied to that network.

You can use a Virtual Private Network (VPN) to help reduce the risk of eavesdropping your data.

Keep your computer operating systems and software up to date, especially since you do not know if their system is already compromised.

Keep your electronic devices with you and if you must leave your laptop in the room, then put it in the safe.  However, remember, all safes have a default backdoor to get into in case the customer forgets their code.

These simple steps will help reduce the risk of compromise.

[1]  https://www.theregister.co.uk/2019/01/04/marriott_stolen_passport_numbers/


For More Info on Cyber Reconnaissance (risk assessment) Training

Category: Digital and Cyber Capability

Book a Strategy Session Today to discuss your Training Needs

Book now