In May of 2011, the Desmond Hotel and Conference Center in Albany, NY was compromised by an as-yet-unnamed foreign entity. Very little has been made public about the incident, and it’s possible that we will never know the true extent of the damage.
What we do know is that the credit and debit card numbers of every hotel guest from May 2011 to March 2012 were potentially compromised. At least one patron had their bank account drained.
Otherwise, it was just like the countless other breaches we’ve witnessed recently.
First, The Desmond had been compromised for nearly a year and didn’t know it. The Secret Service discovered evidence of the Desmond breach during routine investigations of foreign hackers and notified the hotel of their findings. We can only assume that the compromise would still be going on today if this stroke of luck hadn’t occurred.
Second, The Desmond didn’t have an Incident Response Plan. This is an assumption on my part, but one that I am confident in, given the post-event fallout. The incident, which could likely have been better contained, grew quickly and became a public relations nightmare that lasted for days.
Third, they didn’t think this could happen to them.
This is not a smear piece. The Desmond is my favorite hotel in the area, and one that we hope to make a client someday. Unfortunately, they became long-hanging fruit. They were simply the next target in a long line of victims, a queue that grows daily.
The Desmond made the news. 99% of breaches don’t. And it seems that until an organization experiences their own incident, there is little compelling them to protect themselves.
The industry, our peers, the media, the company where you work – all are providing us an education, but we are not learning from our mistakes. Psychology 101 teaches that human beings learn best when content is relevant, entertaining and interactive. It would seem that major public data breaches tick all of these boxes.
For now it seems the only thing that’s ticked is The Desmond’s customers.