Hotels, Identity Thieves and Terrorism

The reservations databases of global hotel chains are a complete cornucopia for criminals.

Radisson Hotels has reported a database breach which has exposed the credit card numbers of guests said to be "limited to an isolated number of hotels in the U.S. and Canada".

The reservations databases of global hotel chains are a fantastic target for identity thieves.  International hotels don’t just hold credit card numbers and billing addresses (which are held for weeks in advance of a stay and for weeks afterwards to secure incidentals), but for many customers the hotel also has their home address, driver licence number, airline memberships, and – worst of all – passport number as frequently collected by hotels in Asia.  It’s a complete cornucopia for criminals.

And the most dangerous, most difficult to control threat vector in the hotel industry won’t be "war-driving" or "SQL injection attacks" as used by the Soupnazi hacker Albert Gonzales.  It will be the inside job. 

How many thousand itinerant hotel workers in every corner of the world will have the opportunity to sneak into an admin office after hours, break into the network, and find their way into a central registration database?  They probably won’t need any hacking skills, if the password is to be found on a sticky note somewhere in an office, or if a clerk can be lured into giving up their password for a hundred buck bribe.

I expect that counter terrorism agencies are alert to this problem.  With access to a global hotel chain’s booking system, terrorists could work out when and where the next gathering of targets is going to happen, and they could track the travel habits and plans of all sorts of persons of interest.

Stephen Wilson is the Founder and Director of Lockstep Consulting, providing independent specialist advice and analysis on digital identity and privacy. Lockstep Technologies develops unique new smart ID solutions that enhance privacy and prevent identity theft.