Friday, InterContinental Hotels notified the state of California [PDF] that point-of-sale terminals at three of its bars and restaurants in San Francisco were infected with card-stealing slurpware from (at least) Aug-Dec 2016, during the huge DREAMFORCE and ORACLE OPENWORLD conventions. This, according to our good friends at El Reg.
The San Francisco bars affected were the Luce Bar/888 at the Intercontinental Hotel – one block from Moscone Center – the Top of the Mark Bar & Restaurant at the Intercontinental Mark Hopkins Hotel (another convention hot-spot), and the Bristol Bar & Grille at the Holiday Inn in Fisherman’s Wharf, a popular hotel with companies that wish to punish their sales reps for missing last quarter’s number.
Analysts estimate that hundreds of conference attendees had their payment card data stolen. Intercontinental Hotels has said it has cleaned up the infection but is advising anyone who visited these bars or restaurants to keep an eye on their bank statements… and… well, that’s all they offered. Thanks, guys.
Industry watchers say security operations in the hospitality vertical typically aren’t as well-funded or mature as their counterparts at banks or financial services companies. But perhaps they should be. With a customer demographic characterized by frequent travel, big spending and perhaps a touch of “not my money, not my problem” laissez-faire attitude, it might behoove hospitality giants to step up their game. A good first step would be to initiate programs of continuous validation, to prove which of the (F500 industry average) 50(!) different security products they are using are still working/not really working/are totally misconfigured and are now simply contributing to the inevitable entropic heat-death of the universe.
Continuous validation really just means continuous testing, because our network environments are constantly shifting around us. Security controls setup last week are commonly thrown under the bus by things as simple as a span-port change. To battle this, hospitality security pros need to start instrumenting security… something that Verodin knows a little something about.
50,000 security pros are anticipated to descend on San Francisco in a few days, and if history is any guide, this horde will consume prodigious amounts of alcohol at the many glittering venues the City has to offer. But don’t be surprised if you see a few more of these battle-scarred security pros pay in cash…. and ask for a paper receipt.