Possible Breach At Hilton Highlights PoS Risk

Just when you thought it was safe to use your credit card, we are hearing rumblings of a breach at Hilton. According to Brian Krebs and some of our own sources, a payment card breach has taken place, and the one feature common to all of the affected cards was that they had been used at a Hilton property. This is not limited to the Hilton-branded hotels; it also includes Embassy Suites, Doubletree, Hampton Inn and Suites, Waldorf Astoria Hotels and Resorts, and potentially others. The exact timing of the breach is unclear at the moment, but it could go as far back as November 2014.

Hilton has acknowledged that something has happened, but has not gone so far as to own up to a breach. The company stands by its security systems and insists that it does everything possible to ensure the safety and security of its customers' data. Of course, this statement does not really mean anything: even with those intentions it is still possible to have a breach and lose data. Most companies are very tight-lipped when it comes to a breach, so this statement is not unusual. There are many reasons for this stance, some good and some bad. On the pro side, if there is an ongoing breach you do not always want to alert the attackers; if they know you are looking, they can often hide their activity or start to do damage to cover their tracks. Sadly, it is usually more about protecting the company's reputation than about real security.

As things stand right now, it looks like the target was (once again) the point-of-sale (PoS) system. In the last few years these terminals have become a bigger and bigger target due to some inherent security flaws in how they are deployed and operated. In some cases these systems ship with default root or administrator passwords, run on older embedded operating systems that receive few or no updates, and are left with remote access tools enabled for the convenience of the vendor or the operator. Although more restrictive requirements are in place to cover securing this environment (the PCI DSS card-data rules, for one), the adoption rate is slow, and far too many businesses file exceptions or simply ignore the requirements, judging the risk of a breach acceptable against the cost of properly securing these systems.
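To make the three weak points above concrete, here is an added example (written for this page, not code from Hilton, from the reporting cited, or from any PoS vendor) that audits a PoS terminal inventory for default credentials, operating systems past their vendor support date, stale patching, and remote-access tools left listening. The inventory records, the default-credential list, the remote-access port table, the patch-age threshold and the audit date are all assumptions constructed for the sample; the end-of-support dates are the vendor's announced ones as far as we know, but treat them as assumptions and check them against the vendor's lifecycle pages before relying on them.

```python
"""Audit a PoS terminal inventory for the weak points discussed above:
default root/admin passwords, end-of-support embedded operating systems,
stale patching, and remote-access tools left listening.

Added example.  The inventory, credential list, port table, thresholds and
dates below are constructed/assumed for illustration, not data from the article.
"""
from datetime import date, timedelta

# Assumed vendor defaults.  A real audit would load these from vendor
# manuals and a default-credential wordlist rather than hard-code them.
DEFAULT_CREDENTIALS = {
    ("root", "root"), ("root", "toor"), ("root", ""),
    ("admin", "admin"), ("admin", "password"), ("pos", "pos"),
}

# Assumed end-of-support dates for OS builds commonly found on old terminals.
OS_END_OF_SUPPORT = {
    "Windows XP Professional SP3": date(2014, 4, 8),
    "Windows XP Embedded SP3": date(2016, 1, 12),
    "Windows Embedded POSReady 2009": date(2019, 4, 9),
}

# Listening ports that usually mean a remote-access tool was left enabled.
REMOTE_ACCESS_PORTS = {
    23: "telnet", 3389: "RDP", 5631: "pcAnywhere", 5900: "VNC", 5938: "TeamViewer",
}

PATCH_AGE_LIMIT = timedelta(days=90)   # assumed policy threshold
TODAY = date(2015, 10, 1)              # assumed audit date for the sample


def audit_terminal(term, today):
    """Return a list of (severity, message) findings for one terminal record."""
    findings = []

    # 1. Default or trivial credentials (password equal to the user name counts).
    creds = (term["user"], term["password"])
    if creds in DEFAULT_CREDENTIALS or term["password"] == term["user"]:
        findings.append(("high", f"default or trivial credential for {term['user']!r}"))

    # 2. Operating system past (or within a year of) vendor end of support.
    eol = OS_END_OF_SUPPORT.get(term["os"])
    if eol is not None:
        if today >= eol:
            findings.append(("high", f"{term['os']} unsupported since {eol}"))
        elif eol - today < timedelta(days=365):
            findings.append(("medium", f"{term['os']} support ends {eol}"))

    # 3. No patches applied within the policy window.
    if today - term["last_patch"] > PATCH_AGE_LIMIT:
        findings.append(("medium", f"no patches since {term['last_patch']}"))

    # 4. Remote-access services listening on the terminal.
    for port in sorted(term["open_ports"]):
        if port in REMOTE_ACCESS_PORTS:
            findings.append(("high", f"{REMOTE_ACCESS_PORTS[port]} listening on tcp/{port}"))

    return findings


def audit_inventory(inventory, today):
    """Audit every terminal; return {host: findings} for hosts that have findings."""
    report = {}
    for term in inventory:
        findings = audit_terminal(term, today)
        if findings:
            report[term["host"]] = findings
    return report


# Constructed sample inventory: hostnames, OS builds, credentials and port
# lists are made up for the example.
SAMPLE_INVENTORY = [
    {"host": "pos-lobby-01", "os": "Windows XP Professional SP3",
     "user": "admin", "password": "admin", "open_ports": [3389, 5938],
     "last_patch": date(2014, 3, 1)},
    {"host": "pos-bar-02", "os": "Windows Embedded POSReady 2009",
     "user": "posadmin", "password": "Qr7#vLk2!m", "open_ports": [443],
     "last_patch": date(2015, 9, 15)},
    {"host": "pos-kiosk-03", "os": "Debian 7 (vendor image)",
     "user": "root", "password": "root", "open_ports": [22, 23],
     "last_patch": date(2015, 1, 10)},
]

if __name__ == "__main__":
    for host, findings in audit_inventory(SAMPLE_INVENTORY, TODAY).items():
        for severity, message in findings:
            print(f"{host}: [{severity}] {message}")
```

Run against the constructed inventory, only `pos-bar-02` comes back clean: it has a unique credential, is patched, exposes nothing but HTTPS, and its OS is still supported on the assumed audit date. The other two terminals show exactly the pattern the breach reporting describes: default passwords, an OS the vendor stopped patching, and RDP, TeamViewer or telnet reachable on the network. In practice the inventory would come from an asset database or a scan, not a hard-coded list, and the credential check should test the live login rather than trust the recorded password.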

We will be keeping our eye open for any additional information on this one.
