case studies
Hospitality
HomeCase Studies → Breaches Happen, but It Doesn’t Mean You Are Liable

Breaches Happen, but It Doesn’t Mean You Are Liable

Threat Landscape

Hospitality companies face significant cyber security risks. A hotel processes millions of records containing personally identifiable information (PII) and transmits and stores vast amounts of credit card and employee data. As hotels collect more and more customer information from digital marketing and loyalty programs, the amount of data is rapidly increasing. Cyber criminals want this data. While Europay, Mastercard and Visa (EMV) chips and anti-fraud programs have helped, the challenge to secure the potential entry points for hackers remains, from point-of-sale (POS) systems to mobile devices and insecure WiFi networks.

Challenge

A global hotel company was forced to rapidly respond to a breach. The company’s processing bank notified them that three of their major properties were likely compromised.

Solution

The hotel company and their outside counsel came to us for help. We advised on the extent of the compromise, the scope of affected credit cards that could trigger reporting obligations, and the presence of any digital forensic evidence that might limit the liability of the hotel company. Ultimately, our team preserved over 250 servers or workstations from more than 100 hotels. Using Lima, our proprietary scanning tool, we searched for evidence of any security breaches across thousands of servers within their hotels in the U.S., Latin America, Europe, the Middle East, and Asia.

Results
  • Delivered forensic evidence that minimized legal exposure and defined the defensible limits of the breach
  • Diagnosed the type, timing, and scope of the breach swiftly, months ahead of the Payment Card Industry (PCI) forensic investigator (PFI)
  • Instilled confidence in our client by providing our intimate knowledge of the legal procedures arising from a breach

Looking to safeguard your organization? Find out how our cyber security solutions can help you.



Cyber security services offered by Stroz Friedberg Inc. and its affiliates. Insurance products and services offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida and their licensed affiliates. Aon UK Limited is authorised and regulated by the Financial Conduct Authority in respect of insurance distribution services. FP.AGRC.238.JJ The following products or services are not regulated by the Financial Conduct Authority:
• Cyber risk services provided by Aon UK Limited and its affiliates
• Cyber security services provided by Stroz Friedberg Limited and its affiliates.


Copyright 2021 Aon plc. All Rights Reserved.


Copyright 2021 Aon plc. All Rights Reserved.
Cyber security services offered by Stroz Friedberg Inc. and its affiliates. Insurance products and services offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida and their licensed affiliates. Aon UK Limited is authorised and regulated by the Financial Conduct Authority in respect of insurance distribution services. FP.AGRC.238.JJ The following products or services are not regulated by the Financial Conduct Authority:
• Cyber risk services provided by Aon UK Limited and its affiliates
• Cyber security services provided by Stroz Friedberg Limited and its affiliates.