A data buffet for cyber criminals

Both the hospitality and healthcare industries have found themselves in cybersecurity news lately.  Last month, we covered a mysterious data breach where the owner of the compromised server was in question.  As it turns out, vpnMentor researchers Noam Rotem and Ran Locar, who discovered the initial breach, have since published findings of another breach, involving major hotels and resorts.  An unsecured server owned by Pyramid Hotel Group exposed over 80 GB of data pertaining to the various properties the firm manages.  This includes Marriott, Sheraton, Plaza and Hilton locations around the world.

Security logs for 96 total properties were among the data, but that’s not all.  IP addresses, firewall data, restricted applications, malware logs and even hotel employee information were also made available.  Although no customers were seemingly impacted, the biggest risk of this incident lies in the comprehensive window it could allow cyber criminals into the inner security workings of the affected locations.  The breach could make it easier to scope out network vulnerabilities, optimal access points, valuable asset locations, and more.  It could even, according to the research, give information on hotel locks and room safes, data which was also stored on the server.  Not a pleasant prospect for any guest.

While we don’t know yet how many actual, individual people may feel the repercussions in this case, that isn’t so when it comes to two healthcare companies.  Both Quest Diagnostics and LabCorp recently disclosed their own breaches of 12 million and 7.7 million patients, respectively.  The common culprit in these instances was American Medical Collection Agency (AMCA), a collections agency that worked with both companies.  Information provided to the vendor included patient names, addresses, credit card and other financial data.

Unauthorized activity on the AMCA system prompted an investigation which led to the vendor notifying its two associates, and offering free identity protection and credit monitoring to those affected.

What this ultimately highlights is the continued risk posed to businesses by their third-party partners.  Fortunately, medical companies in this day and age are of necessity becoming savvier at this sort of thing.  LabCorp immediately announced that they do not store Social Security numbers or other highly critical information.  Attitudes are perhaps gradually shifting among organizations, to avoid collecting data they don’t use.  Excess data gathering only gives cyber criminals a broader buffet.  More options to choose from on the hacker side will only make stories like these more frequent.