Questions raised over Hilton Worldwide point-of-sale hack

Hilton customers email Computing with their experiences

Questions are being raised over the security breach at hotels group Hilton Worldwide, with testimony from customers suggesting that the breach could potentially have been more far-reaching than the company has so far admitted.

Furthermore, as Dragan Pendic, the former chief security architect at drinks giant Diageo and now vice president of consulting at blockchain security company Guardtime, noted at Computing's Enterprise Security and Risk Management Summit 2015 last week, IT security breaches typically take around 200 days to be discovered. Hilton's breach goes as far back as 18 November last year, more than a year ago.

"The long time between breach and discovery here adds another to a long list of incidents that show that perimeter security is failing to address the fundamental problem of securing networks and systems against digital attacks," said Pendic.

He continued: "Until the security industry starts developing new, data-centric models for ensuring the integrity of networks and systems, there's little to stop or identify malicious intruders once they break through the security perimeter."

And Hilton customers have also emailed Computing to tell their stories. One, based in Australia, told Computing: "We stayed at several Hilton properties in the US during July and, in fact, when our card was hit, I joined the dots and wrote to Hilton to tell them that it had happened at one of their properties, since we only used it there."

Crucially, she continued: "We never used it at any point of sale counter - only for reservations, so they need to take another look." She added that an $800 fraud had subsequently taken place on her card in a CVS drugstore in Lafayettville.

The implication of Hilton's explanations so far is that the attack affected only point-of-sale terminals. If customers who used credit cards only to make bookings have been affected too, it indicates that the attack may have been deeper and more far-reaching than the company has so far admitted.

Indeed, Hilton only publicly came clean in September after security blogger and writer Brian Krebs conducted his own investigation.

Computing has put a number of questions to Hilton about the extent and severity of the breach and will update the story later today.