Prime Factors Blog

Hackers, Hotels and Ransomware: How Key Management Caused a Commotion

Posted by Pete Flagella on Feb 28, 2017 10:00:00 AM


What's more exciting than a trip to the Alps to hit the slopes and kick up some snow? Apparently the answer for hackers is a virtual break-in against the hotel that hosts the skiers of the world. Romantik Seehotel Jägerwirt in Austria saw hackers use ransomware to gain control of their locks, making it impossible for guests to come and go. While the direct financial costs could have been a lot worse, there's a lot that every company should learn from this incident. Here's what happened, why the hospitality industry is so enticing to hackers, and what could have been done to prevent this.

To learn how encryption can lower the cost of regulatory compliance while enhancing security, download our white paper Reducing the Cost of Regulatory Compliance with Encryption 

The Value Behind the Chaos

Most hotels operate on a system of electronic key cards, which makes those locks as vulnerable as a credit card number or medical file. The more we automate, the easier our lives become, but it comes at a price if we take that automation for granted. It makes sense that a hotel would be willing to pay ransom demands, so guests could enjoy their stay without ever knowing anything was amiss. After all, if the hotel did refuse the hackers, their act of bravery would mean little to guests who have to get home the next day. However, the demands went further than just the guests' rooms. Romantik Seehotel Jägerwirt not only had their central key management system hacked, but also their reservation system and cash drawers at the front desk. Without a way to book and gain access to these tools, the entire operation could be put in serious jeopardy. Hackers likely could have extracted a lot more money from the hotel, but they only asked for around $1,600 (in Bitcoin) to release the systems. But the story doesn't end there.

Leaving the Door Open

The hackers didn't simply receive the money, release the files, and then venture onto their next victim. Instead, they left a back door open directly into the hotel's systems so they could return anytime they wanted.

For most hotels, switching out systems takes a lot of time, and major changes can impact profits in the long run. Hackers know this, and they may have been counting on the hotel to just accept their fate and get back to business. Or maybe they thought the hotel would never notice that their systems were still unsecured. Whichever one it was, hackers know they're likely to make major bucks if they hit the right institutions.

Hollywood Presbyterian Hospital infamously paid $17,000 to have their patient files unlocked, while a Canadian university paid $20,000 for the privilege of getting their own data back. With these types of earnings, ransomware exploits are likely to continue to attract more and more hackers to the field. While some criminals may be put off by basic perimeter and anti-malware software, others will push through those barriers to find the treasures that lie within. Fortunately for Romantik Seehotel Jägerwirt, management understood that the risks were too great for the company to take their chances.

Springing to Action

The hotel did replace their systems, and they did so rather quickly. They cut the internet connection of several of their computers in the process so they could continue running their business without endangering their files. They also decided to go back to their original door locking system — with a regular lock and key. However, it's important to note that despite their reaction, only time will tell whether they've actually done all they need to do. Even companies that specialize in technology (e.g., Yahoo, Apple, etc.) can believe they've put all the necessary blockades in place, only to find that they've made a fatal flaw and exposed customer data to prying eyes.

Why Hackers Are Here to Stay

Every mistake a hacker makes is a learning opportunity for the hacker. The experts find ways to use codes, error messages, and software to probe systems and start devising an attack plan. They know that (for the most part) police won't understand how to fight this type of crime, and law enforcement will have a very difficult time tracking them down. And not every industry is treated equally by hackers. Resorts, casinos and hotels make up 38% of all data breaches. Just like the hackers saw with this Austrian hotel, hospitality is a highly transactional business, and the cost of an interruption can be substantial. In addition, many of these businesses are branches of a major franchise, so access into one can mean access into the central mainframe. Smaller hotels and resorts may have minimal security, if they have it at all.

What You Can Do

Hospitality as an industry is subject to federal regulations regarding the handling of data, so part of any successful strategy is keeping up to date with changes outlined by HIPAA, HITECH, or PCI DSS. The longer a hotel holds onto a customer's personal or financial data, the more likely they are to experience a breach. Any property management system that holds guest or employee information should be encrypted, with the encryption keys controlled through key management. Encryption is what keeps hackers from getting the financial information even after they've found a way to infiltrate the system. It's possible that with highly managed encryption, there may have been no need for Romantik Seehotel Jägerwirt to switch to mechanical keys. Now they risk having to change the locks out every time someone loses a key, or potentially harming their brand in the eyes of their customers for being so low-tech.

Fortifying a security system may not be as easy as making a single phone call, but it is possible. Regardless of what industry you're in, encryption backed by key management is currently the safest and most effective way on the market to keep your data from hackers. Your chances of an attack only continue to rise as the years roll on. Key management isn't just a term used in hotels; it's a way of keeping codes private so only authorized people can gain access to or manipulate the data.
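What "encrypted, with the keys under key management" looks like in practice, as an added Go example (not code from Prime Factors or from the hotel's systems): each guest record is encrypted under its own data key, and that data key is wrapped by a hypothetical KeyServer standing in for the key management system, so a copied property management database holds only ciphertext and wrapped keys. The names KeyServer, StoredGuest, StoreGuest and ReadGuest are assumptions made for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand.Read is guaranteed not to fail since Go 1.24
	return b
}
// seal and open are AES-256-GCM with the random nonce prefixed to the ciphertext.
func seal(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key) // keys here are always 32 bytes, so no error
	gcm, _ := cipher.NewGCM(block)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}
func open(key, sealed []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	if ns := gcm.NonceSize(); len(sealed) >= ns {
		return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
	}
	return nil, errors.New("ciphertext too short")
}
// KeyServer is a hypothetical stand-in for a key management system: it keeps the
// key-encryption key (KEK) and only wraps/unwraps data keys, so the KEK never sits
// in the property management system (PMS) database.
type KeyServer struct{ kek []byte }
func NewKeyServer() *KeyServer                       { return &KeyServer{kek: randomBytes(32)} }
func (k *KeyServer) Wrap(dek []byte) []byte          { return seal(k.kek, dek) }
func (k *KeyServer) Unwrap(w []byte) ([]byte, error) { return open(k.kek, w) }
// StoredGuest is the PMS database row: ciphertext plus the wrapped data key (DEK).
type StoredGuest struct{ WrappedDEK, Ciphertext []byte }
// StoreGuest persists only the wrapped DEK; ReadGuest must go through the key server.
func StoreGuest(ks *KeyServer, record string) StoredGuest {
	dek := randomBytes(32)
	return StoredGuest{WrappedDEK: ks.Wrap(dek), Ciphertext: seal(dek, []byte(record))}
}
func ReadGuest(ks *KeyServer, g StoredGuest) (string, error) {
	dek, err := ks.Unwrap(g.WrappedDEK)
	if err != nil {
		return "", err
	}
	pt, err := open(dek, g.Ciphertext)
	return string(pt), err
}
```

Losing the database alone yields nothing readable; a reader also needs the key server, which is where access control, rotation and audit logging belong.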

