Ransomware and PII: Protecting Your Resorts and Guests
In recent years, ransomware attacks have been increasing in numbers and severity. Resorts are particularly vulnerable due to their access to sensitive guest information. Many of us are aware of some high-profile cyber-crimes that have made the news recently, such as the Colonial Pipeline ransomware attack carried out by the hacking group DarkSide. DarkSide attacked the billing infrastructure of the Colonial Pipeline Company, preventing the company from billing its customers, which ultimately led to the company halting its oil pipeline operation. The attack caused fuel shortages at filling stations throughout the southeastern US after several days of panic buying. Darkside required Colonial to pay a ransom of $4.4 million to regain access to its systems. Eventually, the Department of Justice recovered approximately $2.3 million of the ransom paid to DarkSide. However, most organizations are not as lucky to have the federal government recover any ransom paid from an attack.
The Cybersecurity and Infrastructure Security Agency (“CISA”) describes ransomware as “…malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Ransomware actors often target and threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid.” There are several ways these ransomware attacks can occur. In the case of the Colonial Pipeline attack, the hackers were able to access the company’s network through an employee’s password that was part of a separate data breach (which is why it is so important to change your password frequently). Another often-used method of a ransomware attack is phishing. In a phishing attack, the cybercriminal sends malware or malicious links in the message that, when clicked on, install the ransomware program on your computer. These emails can be highly deceptive and can appear to come from a well-known source, such as a vendor, a customer, or a bank.
Related: Ransomware Attacks: Part 1 – Understanding and Prevention
The deceptive nature of these phishing emails baits users into clicking the links or attachments embedded in the emails and installing the malware into their company’s network without realizing it. Once the malware is installed, the criminals can now hold the company’s (and customers’) data hostage.
Reports of ransomware incidents increased 62% in 2021 compared to 2020. Ransomware became the third most used cyber-attack method in 2021, accounting for 10% of all data breaches. This trend is only expected to continue to increase in 2022 and beyond. An independent global survey conducted in September 2021 found that out of the 1,100 IT and cyber security professionals, ransomware attacks affected 80% of the organizations surveyed in 2021, with more than 60% of those who were hit by the attacks paying the ransom. These attacks can be quite costly as well. The average ransom payment reached $812,000 in 2021, up from $170,000 in 2020.
Beyond the costs to pay ransoms from ransomware attacks, data breaches, in general, can be costly to organizations simply due to the costs of business interruption, as well as the costs to recover any lost data and regain your reputation with your customers. According to a study by Kaspersky Labs, a data breach can cost a small business around $38,000. For larger organizations, the cost can be exponentially higher. An IBM report estimates that the average cost is around $8 million. Many companies do not realize they’ve been victim to a data breach until it is too late – either they’re informed by law enforcement, or their business partners, banks, or the media discover that the company’s data is being sold on the black market.
Related: Keeping Data Safe: Ransomware, Crashes, and Backups, Oh My!
“PII” or Personally Identifiable Information
Not only can proprietary data be compromised in a cyber-attack, but other types of data are vulnerable as well. Among the most sensitive data companies should safeguard is “PII” or Personally Identifiable Information. This type of information can include their employees’ and customers’ social security numbers, financial information, and medical information. Once compromised, this type of data can result in inconvenience, unfairness, embarrassment, or even substantial harm to the impacted individuals.
A recent example of a PII breach involves Marriott International. In June 2022, an unnamed hacking group tricked an employee at a Marriott hotel in Maryland into giving them access to the employee’s computer. Although Marriott claims the hacking group did not gain access to Marriott’s core network, they were able to steal 20 gigabytes of sensitive data, including guests’ credit card information and other confidential information about guests and employees. The hacking group contacted the hotel chain in an extortion attempt (much like in a ransomware attack), which Marriott ultimately did not pay. As a result of the attack, the company has notified law enforcement and must notify the 300 to 400 individuals whose data was compromised in the incident.
Related: Ransomware Attacks: Preparation is the Best Protection Part 2 –What to do After Attack
Despite a company’s best efforts, sophisticated hackers may still successfully breach its data. As a safeguard, companies should consider purchasing cyber insurance, a type of business insurance that protects your organization by reimbursing you for any expenses caused by ransomware, fraud, and other types of data breaches, and offers a barrier against liability to customers. Cyber insurance providers can also reduce your company’s risk by providing guidance and training on how to avoid phishing scams.
If a breach does occur, there are several immediate steps a company should take to mitigate any impacts. The priority should be to figure out the extent of the breach and what kind of data might have been impacted. A forensic expert can analyze the company’s equipment and data to assess what happened and how to prevent future breaches. Getting in touch with an attorney who specializes in data security can provide guidance in notifying consumers, the public, insurance providers, and regulators. Once your organization has assessed the initial damage and cause of the breach, notifying any parties involved in the breach is critical to recovering your company’s reputation. Your company should provide these parties with an explanation of the data breach and offer a remedy such as an identity theft protection product. It is also important to have a point person at your company for official responses to questions about the breach, to help provide clear and consistent information regarding any inquiries involving the breach. Finally, it is important to stop using any infected equipment and disconnect the equipment from the internet. Once the equipment has been disconnected, be sure to back up any critical data such as payment information, customer lists, and trade secrets.
ABOUT WITHUM
Withum is a forward-thinking, technology-driven advisory and accounting firm, committed to helping clients in the hospitality industry be more profitable, efficient, and productive in the modern business landscape. For further information about Withum and their cybersecurity, digital advisory and hospitality services teams, contact Lena Combs (LCombs@Withum.com) at (407) 849-1569, or visit www.withum.com/hospitality.
