Hilton hack and the perils of delayed detection

December 10, 2015 Arctic Wolf Networks

The past few years haven't been kind to big businesses in terms of cyberattacks, and that trend doesn't look to be slowing down in the near future. While the general public may assume that bigger organizations are safer, thanks to a presumably more robust IT presence than their smaller counterparts, that has proven not to be the case in many situations, as big name – and highly trusted – enterprises have fallen victim to massive breaches. The list of these organizations is growing, and now there's a new one that needs to be added to it: Hilton Hotels and Resorts.

Hilton hack hits payment card data
In the realm of hotels, Hilton is one of the biggest names out there, and it enjoys a vast customer base, many of whom have developed brand loyalty over time. But a recently disclosed incident could compromise that loyalty for patrons. According to Brian Krebs – a noted independent cybersecurity researcher who's known to get the advance scoop on many breaches – "a large number of Hilton Hotel and franchise properties across the United States" were hit by a point-of-sale scheme that succeeded in breaching customer credit card data.

Whenever a large-scale breach happens, it's guaranteed to be a source of public embarrassment for the impacted enterprise. But in the case of Hilton, that embarrassment was compounded by another fact: It wasn't the hotel chain that uncovered the breach. Instead, news of the attack gradually emerged via a different sequence of events:

  • Back in August, Visa "sent confidential alerts to numerous financial institutions warning of a breach at a brick-and-mortar entity that is known to have extended from April 21, 2015 to July 27, 2015," according to Krebs. However, it's Visa's policy not to name hacked enterprises in situations like this, and therefore the financial organizations that received this alert weren't supplied with the name Hilton.
  • Through individual efforts, however, banks began getting to the bottom of exactly which "brick-and-mortar entity" was the one that got hacked. This led various banking organizations to look into common themes that emerged across the cards that were listed as having been hacked. This investigation turned up names like Doubletree, Hampton Inn and Suites, and Embassy Suites. The common denominator here is that these are all Hilton businesses.
  • Through his expansive base of in-the-know sources, Krebs was able to put together that five separate banks had identified Hilton as having been hacked, and he therefore ran his story about it.

Faced with the news of a likely breach, a Hilton spokesperson gave Krebs a statement saying that, "Unfortunately the possibility of fraudulent credit card activity is all too common for every company in today's marketplace. We take any potential issue very seriously, and we are looking into this matter."

What the hack says about detection and response
For as much bad publicity and negative fallout as the cyberattack is causing for Hilton, it has succeeded in placing a much-needed focus on the importance of eliminating long periods between breach detection and response. That's because, as USA Today pointed out, the breach – which reportedly ended in July – may have actually gone back as far as November 2014, and not April 2015, as was originally reported.

That's not the kind of detection-response time that should instill confidence in any consumer, and Hilton will likely have some questions to answer about why its network security infrastructure wasn't able to identify the breach. For Hilton, this will almost undoubtedly cause negative fallout. For all other businesses out there, it's an important opportunity to learn about how vital it is not only to detect hacks, but to respond to them in a timely fashion as well. In the case of Hilton, the hotel giant did neither.

But other companies have an opportunity to get prepared. As Gartner Blog Network's Anton Chuvakin pointed out, a key part of that preparation is recognizing what to do in the important space between detection and response. Here are some of the things that companies need to be sure they do:

  • Trace the impact: If there's a troubling network event that could signal a deeper problem, one of the first steps should be to scour the network for any signs of what that event has affected.
  • Put together as much data as possible: Defending against a breach is all about being armed with the right data – and devising a way to put that knowledge to use.

As Chuvakin asserted, "you will detect way more interesting stuff than you will actually trigger a formal incident response (IR) process over." But in terms of cybersecurity, it is always better to be safe than sorry.

Cybersecurity news and analysis brought to you by Arctic Wolf, leading providers of detection and response security services. Managed SIEM, when your firewall fails.
