Data breaches confirmed this week by two of the world's biggest hotel chains highlight the growing threat posed to retailers and other companies by malware that targets point-of-sale (POS) systems, experts have warned.
Earlier this week, Hilton Worldwide confirmed that hackers had stolen customer details - including names, credit and debit card numbers and expiration dates - after gaining access to its POS systems. This came shortly after its competitor Starwood disclosed it had suffered a similar breach at more than two dozen of its properties.
In Hilton's case, it is thought the malware was in the network for at least 17 weeks across two separate time periods before being discovered.
There are several reasons why POS systems are particularly vulnerable targets for hackers. They are often not covered by the same level of protection that is seen in other parts of a corporate network, while specialist malware kits aimed at these systems are widely available online.
Chris Strand, senior director of compliance at Bit9+Carbon Black, told Dark Reading that many of these devices still run outdated operating systems that are no longer supported, which means vulnerabilities are likely to go unpatched.
Such malware could be particularly common in the coming weeks as retailers gear up for their busiest period of the year. A recent report by Trustwave estimated that around 40 per cent of data breaches last year were traced back to POS systems - with almost all of these the result of remote access vulnerabilities and weak passwords.
Mark Bower, global director of product management for HPE Security, explained that these areas are often the weakest link in a business's security chain. He said: "A checkout terminal in constant use is usually less frequently patched and updated, and is thus vulnerable to all manner of malware compromising the system to gain access to cardholder data."
Any such problems could be especially damaging to businesses this holiday season, Dark Reading noted, particularly in the US, where it will be the first major shopping period since a change in EMV liability went into effect. Under that change, retailers that have not implemented EMV chip and PIN technology will be held responsible for any fraud that occurs as the result of a data breach.