Electronic Locks Need to Be Taken Seriously
It’s just an electronic lock. How often have we heard this from hotel management and ownership? This may have been true in the past, but the recent security breach from one of the largest electronic door locking companies this past July highlighted that times have changed. This is largely attributable to the electronic age and to the fact that criminals are far more sophisticated. Where the previous generation’s criminal simply applied brute force, the new criminal is armed with technology and does not even need to be onsite to breach a network or gain access to applications. Looking at it differently, the industry moved from the old manual key locks to enhance guest security and now finds that in some cases it may be more secure if we went back to these antiquated systems. Today’s criminal probably does not know how to breach the old-style locks.
There have been numerous articles written about the recent ASTC electronic door locking breach, and in most instances the tone of the article portrayed both ASTC and the industry in a less than favorable light. While there is no denying that many of the comments were potentially justified, there was little or no mention of the positive contributions that many of the hotels and other industry participants have made to address the situation.
There are many accounts of hotels immediately beefing up their security efforts and taking the necessary remediation efforts to shore up their systems while fixes were either being generated or distributed. There were also quite a number who elected to make the necessary capital infusion to replace or update their systems in their entirety. However, rather than attracting attention to the fact that these remediation efforts were being conducted, many of the entities have only made this information known when asked. While the negative press has brought the necessary attention to the issue, what appears to be lacking is the concerted effort to bring all the industry parties together to combat the issue and provide effective solutions to the problems.
The industry faced a similar situation with credit card fraud and compromises, and until a concerted effort was made by the industry to combat the issue through education and a focus on PCI compliance, the number of breaches continued to rise. Once hotels and companies were educated on the potential steps that they could take to secure their networks and remove credit card data from their systems, the industry saw a remarkable improvement in the number of breaches year over year. The same type of effort needs to be initiated with the locking system issue. While credit card data breaches and PCI compliance issues took a toll on properties and the industry in general, they didn’t have the instant negative impact that the locking system issue has generated. What is different is that we potentially have the guest’s or general public’s physical safety at stake.
Background
The now infamous disclosure of the security flaws found in one of the largest electronic door locking system provider’s locks last July caught many hoteliers by surprise. The disclosure of the flaws and the apparent ease with which the hotel locks could be breached became an immediate media sensation, culminating in an exposé on NBC’s Today show. The industry’s response to the problem was slow and measured, and in many cases it appeared that we were simply sticking our heads in the proverbial sand. The general public viewed the industry’s tempered response as a sign that it simply did not care about the safety and security of the guests and that we were simply out to take their money. Subsequent to that, when two hotels in Texas were breached, the public’s fears were confirmed and it appeared that the industry was ill prepared to deal with the problem.
The first thing that struck me about the problem was the way we found out about the breach. Cody Brocious, a hacker and senior security consultant with Accuvant LABS, was speaking at the annual Black Hat information security conference in Las Vegas, a conference frequented by security experts and hackers alike, and chose the opportunity to publicize the deficiency in the ASTC security locking system. A further complication was the fact that the hotel card locks could be breached by what amounted to an inexpensive homemade device costing about $50. This meant that it did not require a sophisticated hacker to breach the system and that many would-be criminals could develop a device to breach this particular brand of hotel door locks. The disclosure went viral and was picked up by many online publications and social media outlets. Articles started appearing online and there was genuine concern about what this could mean to the traveling public if the issue was not addressed immediately. It should be noted that this is not the first time Cody Brocious has targeted the ASTC locking system. In 2010, he successfully demonstrated how he could duplicate the magnetic swipe key card using a metro subway card.
Unfortunately, it appeared that the industry and the manufacturer did not respond to the story in an effective and timely manner, and so the story grew. It seemed as if the public relations strategy was to not say anything at all in the hopes that the hype on the story would blow over and that the issue could be resolved over time. This unfortunately didn’t transpire and eventually the issue drew the public’s ire.
Some Lessons Learned from the Initial Response
As in most cases, there are two sides to the story. Subsequent investigation of what transpired revealed that while there are many cases where the ball was dropped, there were also many cases where the response to the problem was almost immediate, and while the fixes might not have been completely effective, many hotels did respond with effective security plans highlighting the fact that the industry does care about its guests. However, quite a bit of criticism continues about how the hospitality industry as a whole has responded to this particular breach.
Communications and Public Relations
When the issue was first realized, the communication between the door lock manufacturer and its hotels was reportedly slow and measured. If there is one thing we learned from credit card breaches, it is that timing is key. This situation was different in that it was initially an individual company that had to respond and not the industry per se. That said, the communication between all of the entities involved was apparently poor, with many hotels indicating that they were not made aware of the issue or how to address it.
Another thing that has been learned over the years is that taking the approach of sticking your head in the sand and hoping things will blow over does not work in today’s highly connected world. We’ve seen with the adoption of social media, Internet chat sites, blogs, TV and other press that the public will make you pay for any perceived hiding of information or shying away from a negative situation. Not only was there limited information on the issue at the time that the story broke, but this is still continuing today, with a number of solution providers and hotels still not wanting to comment on the situation.
Fallout from the Breach
While most of the public response to the breach has been via the media, hotels and resorts are now starting to feel the impact of the issue at the property level. Meeting planners are now requesting that the hotels disclose information on the locking systems in place, and in some cases are eliminating hotels from competing in group RFPs if they have electric locks from certain manufacturers. Karin Faircloth with Millennium Technology Group, a subsidiary of Rosen Hotels and Resorts, cited a case when, during a group tour of one of the Rosen Hotel properties, the meeting planners were actually looking at the locks. The property subsequently was informed that the card locks needed to be replaced by the time the groups arrived at the hotel or they would not book the group.
Responsibility
If there is a glaring question that is still being debated, it’s the question of who is responsible for the cost of the remediation of the problem. (The overall liability issue will be addressed later in the article.) ASTC for its part has indicated that it is providing mechanical remediation plugs and screws free of charge to its customers. However, there have been reports from hotels that they were initially charged for the materials, and that in all of these cases they were responsible for the labor involved in installation of these devices.