HEI Hotels cyberattack could have been avoided, says security expert

HEI Hotels & Resorts recently reported a possible compromise of payment card information at its point-of-sale terminals.

The company, which manages close to 60 Starwood, Hilton, Marriott, Hyatt and InterContinental properties, said that malicious software was installed on the payment processing systems at certain properties, with the aim of harvesting the card data as it was routed through the systems.

But a technology expert believes that the attack is another example of how organizations are taking the wrong approach to cybersecurity, and that it could have been avoided.

“The HEI Hotels and Resorts cyberattack demonstrates the difficulty in securing devices when spread over a wide physical network (in this case, HEI’s several hotel locations) where staff and hackers have easy access,” says Ben Gidley, Director of Technology at Irdeto.

Gidley notes that the right way to approach such devices is with a whitebox philosophy, where organizations design software on the assumption that the hardware can and will be attacked by hackers. However, many businesses are relying on legacy hardware security that doesn’t stand up to determined attackers.

“We often hear when these attacks occur that ‘sophisticated’ hackers defeated a big corporation; however, the opposite is true. Hackers are usually employing quite simple attacks that corporations have left open,” added Gidley.

“If HEI properly assessed the threats to their POS devices, this kind of attack could have been avoided. All organizations with security assets to protect need to wake up and understand the world as it is: attackers are trying to break in and they need to design IT solutions assuming that a breach will occur.”