Hotel hack puts legacy POS back in the spotlight
The hotel chain Mandarin Oriental has confirmed that credit card data has been stolen as a result of a hack attack on the company's network.
It's reported that the data was taken from card processing systems in the company's hotels across the US and Europe, and that the theft was spotted by tracing a pattern of fraudulent payments back to systems used at Mandarin hotels.
The hack is the latest in a long line of corporate data thefts that made up the majority of the security headlines in 2014. In September last year, US retail giant Home Depot discovered that the details of 56 million credit and debit cards had been compromised in one of the biggest hacks on record.
It's not known how many customers have been impacted by the Mandarin Oriental breach, but it does put the spotlight firmly back on the security weaknesses of legacy Point of Sale (POS) systems.
Andrew Avanessian, EVP of consultancy of technology services at Avecto, said organizations need to address POS concerns by going back to basics:
"This breach has once again brought to light concerns around point-of-sale (POS) systems. We know that Mandarin Oriental was targeted through these terminals, and the technology they are built on is often antiquated.
"These terminals tend to be legacy systems run on Windows XP, for example, which aren't patched regularly. Though XP expired last year, there is still a perceived supportability of POS via limited patching until 2016 due to a 10-year license of embedded systems, so a lot of organizations are sticking with it for the next year, despite its risks.
"For those organizations wishing to revamp their POS systems, fixing these issues should be less about rash, reactive decisions like ripping out old systems and installing new, more secure Windows platforms. It should be more about understanding and refining existing systems by going back to basics: altering existing permissions and management of privileges, and controlling how programs are allowed to interact with the wider company network."
For more information on managing permissions within the enterprise, visit http://www.avecto.com/defendpoint/privilege-management