Hilton Hotel Chain Reports Data Breach

Hilton Hotels said on Tuesday it had been the victim of a security breach. The hotel chain’s notice comes two months after the company began investigating whether hackers had attacked its properties. The news also follows initial reporting by Brian Krebs, an independent cybersecurity journalist, who caught wind that payment card terminals at the company’s restaurants, bars, and gift shops may have been compromised.

Hours after the news broke out Hilton saw it's share price drop by 0.79%. Hilton recommended that its customers check their banking records in the event that they made a purchase at one of the company’s hotels during a 17-week period spanning between Nov. 18 to Dec. 5, 2014, or between April 21 to July 27, 2015. “If you notice any irregular activity on your cards, please contact your financial institution directly for additional support,” the company said. The company has also offered one year of free credit monitoring to potentially affected customers.

Hilton confirmed the cyber intrusion in a recent statement, saying it had “identified and taken action to eradicate unauthorized malware that targeted payment card information in some point-of-sale systems.” The company, based in McLean, Va., said it “immediately launched an investigation” and “further strengthened” its systems.

Hilton did not reveal how many properties might be affected, nor did it confirm how many customers’ credit card or debit card information might have been stolen. “We cannot address the actual number of cards impacted,” the company said in an FAQ about the incident, adding that the potentially stolen information includes “cardholder names, payment card numbers, security codes and expiration dates, but no addresses, personal identification numbers (PINs) or Hilton HHonors account information.”

The hotel franchise operates more than 4,500 properties across 97 countries and territories, and its holdings include the brands Doubletree, Embassy Suites, Hampton Inn and Suites, and Waldorf Astoria Hotels & Resorts.

Target Cost of Breach $162 Million

As most people know Target got breached in 2013 just before the Christmas period; where the breach effected nearly 110 million customers. The breach cost Target an estimated $162 million 

Furthermore and two years on Target concluded that the breach cost them $162 million - more information at TechCrunch

The cost of breaches along with the new EU regulations coming into effect in 2016 should be on every board levels talking points.  These regulations see compulsory breach notification, 2-5% fine. More information here

What else have we seen over the last few weeks...

• UK Amazon customers got attacked this month in a phishing attack. More here
• TalkTalk - where 4 million customers were breached. More here
• Experian - 15 million customers personalised data. More here

The stories go on but more can be found on our past blogs.

Throwing Down the Cyber Security Gauntlet...

Guest Blogger: Stuart Peck Pre-Sales Manager at ZeroDayLab Ltd

George Osborne today announced that he plans to invest £1.9 billion in Cyber Security (which will increase the government's spending to a total of 3.2 billion), on a backdrop of ISIS threatening to attack Critical National Infrastructure (CNI), of European countries including Britain.

ISIS are building not only their Caliphate in Syria and surrounding territories but are also building a Cyber Caliphate, calling Hackers, Cyber Criminals sympathetic to their cause from all over the world, essentially creating an electronic army. This is not a Cyber Campaign driven by money, such as Cyber Crime, but idealogical objectives to attack anyone who does not conform to"al-wala wal-bara," loyalty to everything considered Islamic.

George Osborne today outlined a set of key objectives to protect our country from Cyber Crime, Cyber Terrorism and State Sponsored Espionage, including:

• National Cyber Centre- a single point of contact for intelligence and advice
• Boosting investment in National Cyber Crime Unit
• Stronger Defences in Government Security
• Working closer with ISP's to further protect customers from Drive-By sites and scamming websites.
• This investment in Cyber Security announced today by George Osborne is a step in the right direction, throwing down the gauntlet to ISIS and Cyber Criminals alike, but what does it mean for organisations not considered Critical National Infrastructure?

Well firstly, I like to think that the recent events over the last few months have jolted companies and individuals alike in to action- to the reality that we are now entering a world where Cyber Attacks are a daily occurrence and re-active security is no longer fit for purpose.

Secondly for companies not considered CNI (and those that are), there won't be any immediate fringe benefits to the work packages proposed by George Osborne today. So on one hand it's good news and great PR for the Government, on the other hand  we have just painted a huge target for everyone to have a go at before these plans have actually been implemented!

So parting words on what we all should be doing collectively to make Cyber Crime and Cyber Terrorism difficult for the Threat Actors out there:

• Review detection and prevention strategies- especially around email based threats such as Spear Phishing with weaponised attachments or links
•  Review public facing websites for weaknesses, through either code review or by employing the services of Penetration Testers (Ethical Hackers) to prevent easy to exploit attacks used to great effect on organisations like TalkTalk.
• Test and review attack scenarios, and develop playbooks for each one, to ensure your organisation can respond and deal with sophisticated attacks.

Finally what we all should be doing, is sharing intelligence, whether this is within industry, from Government, or industry leaders.

To coin a phrase regularly used  by the incumbent Government "We're all in this together" and when it comes to Cyber Security we actually are!

UK Amazon Customers Targeted in Phishing Attack

On Thursday morning a selection of Amazon customers reportedly received emails telling them that the company had suffered a data breach and they needed to verify their accounts.

The email claims that the breach resulted in the “data theft” of 2,592 Amazon accounts.

The alleged breach has since been brought to the attention of IT security firm F-Secure, which saw a spate of similar emails in September and has said that this particular phishing attempt appears to be “UK-centric”.

Researchers believe it was an attempt to trick users into disclosing their passwords.

This is the second attack on Amazon revealed this week, with discoveries that a new Trojan has been pre-installed on certain Android tablets being sold through the retailer as well as other online stores.

The Trojan, named Cloudsota, is capable of silently installing adware or malware on devices while simultaneously uninstalling anti-virus applications without the user noticing.

Cloudsota can also gain root permission on devices and automatically open installed applications, change browser homepages, redirect searches to advertising pages and replace boot animation and wallpapers with ads.

More than 30 tablets have been preloaded with the Trojan, according to researchers at Cheetah Mobile Security Lab, and more than 17,000 have been delivered to customers in 153 countries.

Researchers said that since many tablets are not protected by anti-virus, Cloudsota’s reach could actually be much larger than their analysis reveals.

Cheetah Mobile said it has asked Amazon to report users selling infected devices and notified companies where products were found to contain the pre-installed Trojan.

“Most people have no idea about Cloudsota’s potential risks, [but] it is a ticking time bomb threatening your privacy and property,” Cheetah Mobile said.

Cited at the Business Reporter 

Hackers Compromise 70m Prisoner Phone Records

An estimated 70 million phone calls made by prisoners in the United States have been hacked and leaked to The Intercept.

An anonymous hacker grabbed the files from Securus Technologies, which supplies phone services for prisons and jails across the United States. The batch unveiled contains recorded calls made between December 2011 and December 2014 in facilities located in 37 states and stored on Securus's servers. The information was released via SecureDrop, a secure server set up by The Intercept for people to make anonymous data drops.

The Intercept is claiming that about 14,000 of the recorded calls were between lawyers and inmates and hinted that the recordings broke attorney-client privilege. The website was co-founded by Glenn Greenwald.

Industry analysts are questioning the need to store such a large amount of information noting that the longer content is stored the greater the chance it could be compromised.

“Technology allows us to gather huge amounts of data, but there's dwindling value in storing that data if it's never analyzed and it may present a significant liability. It's important, in any data gathering process, to place the value on the eventual objective, and to dispose of data as quickly as possible while meeting that objective,” Tim Erlin, director of IT security and risk strategy for Tripwire, told SCMagazine Wednesday in an email correspondence.

A request for additional information from Securus Technologies by SCMagazine.com has not been returned.

Cited at SC Magazine