New Omni Hotels & Resorts CIO Ken Barnes is mulling how to shore up corporate defense in the wake of a cybersecurity attack that impacted 48 of its 60 hotels in North America. Barnes, who started in May, of course says he plans to improve the protection for Omni's payment processing systems. New defenses could include analytics that detect anomalous behavior suggesting that a hacker has entered or is trying to enter Omni's computer network.
Omni Hotels & Resorts CIO Ken Barnes.
"I want to make sure that we have our perimeter set up and that we have people watching that perimeter to protect us,” Barnes told CIO.com last Thursday, a day before the Dallas hotelier announced the breach. Hackers installed malware on point-of-sale systems to steal payment information from December 23, 2015 until June 14, 2016, Omni posted on its website on July 8. Omni discovered the intrusion on May 30.
Hackers love hotels
It's open season on U.S. hotel chains. In the past 12 months, Starwood Hotels & Resorts Worldwide, Hilton Worldwide Holdings, Hyatt Hotels and Trump Hotel Collection have all announced data breaches targeting consumers' debit and credit card information. As in most of those incidents, the Omni perpetrator collected the information from purchases guests made with their physical credit and debit cards in the chain's hotels and bars, Andrei Barysevich, director of cybercrime research at Flashpoint, told the Wall Street Journal.
Barnes says hotel chains are an attractive target for hackers because they support hundreds of thousands of guests at locations all over the world. Moreover, the hospitality and retail industries are far more decentralized than other industries, with business segmentation making it more challenging for experts to protect and easier for perpetrators to gain entry.
Omni doesn’t operate under a franchise model but Barnes is weighing whether to hire additional technical cybersecurity staff or procure a managed security service provider to bolster its posture, including applications that provide better warnings when something is awry. Such software might, for example, detect when someone using credentials from an employee in HR logs into the system from the Ukraine and tries to access financial files that he or she would have no reason to view.
"[The idea] is to absolutely put applications in place that do more alerting and alarming above and beyond the table stakes [apps], such as those that lock out a user when their password fails three times," Barnes says. “It’s about really looking deeper and aggregating data within logs to show you the bad stuff.” Barnes declined to reveal more about his cybersecurity plans, citing sensitivity around discussing the company’s data protection profile.
Sign up for CIO Asia eNewsletters.