United States

Data privacy

Clubs must be diligent in protecting sensitive information


Data privacy is a tricky topic in today’s world. A large number of organizations are pushing for big data, amassing as much information as possible to find unique correlations that might enhance the guest experience.

Plus, data storage is cheap. For example, storing more data than the entire printed collection of the U.S. Library of Congress can be done on hard drives that retail for about $300 at the time of this writing. For context, that is the full text of almost 24 million books.

So storing mass data is logical. It can provide good forecasting information for next year’s season, identifying which members use the most incentives and promotions, analyzing energy rates against weather patterns to maximize energy efficiencies and provide distribution information that allows us to maximize pricing. It can also improve the member experience by noting anniversaries and other celebrations and even frequently ordered dishes and cocktails.   

Having all that data is both an asset and a liability. While most of the data is not sensitive, such as energy data and whether a person likes shrimp scampi, these are not typically the types of data that cause concern. But data privacy is an intensely personal thing. Each of your members might have a different expectation regarding their data and what needs to be protected.

What’s protected by law

Legally, in the United States, only two categories of  data are protected for individuals over 18 years of age: electronic protected health information and financial information. While the Federal Trade Commission (FTC) does have legal authority to protect consumers from unfair and deceptive practices, which has been applied in the case of data breaches, this has usually been in cases in which the company had major violations of its own privacy policy. There may not be legal consequences for the loss of the type of data a private club may store, but certainly significant contractual, reputational, operational and civil consequences exist.

It should be noted, at the time of this writing, the FTC is still pursuing a suit against the Wyndham hotel chain claiming three breaches suffered at the hotel chain from 2008 to 2010 had a potential of more than $500 million in damages to their customers. While this suit is still in progress, it appears to be going in the FTC’s favor so far, but may not be resolved anytime soon.1 If Wyndham were to lose this case, it would significantly change the financial damages assessed against breached entities.

Private clubs and hospitality companies are not immune to data breaches. As of July 15, news was released of a data breach in the Trump brand hotels that is believed to have begun in February 20152. This adds to the breaches at the Mandarin Oriental3 and the second White Lodging4 breach (inside of 12 months) that occurred earlier this year.

In the Trump example, while very few actual details have been revealed, public reports have indicated that it is believed the breach was active from February to July. Conservatively, that is four months during which hackers had access to the network, payment card information and other information stored on the network. If the Trump properties had a big data program, four months would have been ample time for a hacker to find the system, potentially gain access and remove sensitive data of interest from the network—and maybe even make a complete copy of the data.  

What the thieves are after

While all three of these breaches appear to have been focused on obtaining credit card numbers and all targeted the point-of-sale (POS) system to get access to that type of information, there has not been disclosure yet to confirm that card data was the only thing the attackers removed. Payment card numbers are easily monetized by attackers and therefore, an obvious target.

Other recent online  breaches have proven that hackers are not interested in only credit card data. The criminals who accessed Sony Pictures’ computer network released confidential data that included personal information about employees and their families and information about executive salaries. Fall-out from the data hack ranged from the resignation of its co-chairperson to employee lawsuits against the company for failure to protect their personal information.

Private clubs similarly retain a wide range of information that is not legally protected and could be detrimental to a member if released or sold. An executive who met at a club with a prospective new employer or investor, for example, likely would want that information to remain confidential until he chose to disclose it himself. A member in the midst of a child custody battle certainly would not willingly disclose details to opposing counsel about favorite cocktails or dinner guests.

 How attacks proceed

While every data breach is unique, we have seen a pattern from the  attacks disclosed in the news. Typically, the attack starts with something nontechnical, tricking a person with access to the system to click a link or download a program. Then, the attacker usually has access to the tricked user’s system.

However, in most cases, that lone system is not going to pay off for the attacker fully. They will begin a discovery phase, mapping out your network and finding other systems they can access and finding ways to elevate their access. The goals of an attacker are to gain full control of the network as well as persistence, so that if you find and eliminate one of the attacker’s backdoors, they have others that will let them back in.

Part of this discovery process is trying to find where sensitive data is located. In most data breaches, the attackers did not know where to find sensitive data, so they had to look for it. During this process, they will have to feel around for data, like someone looking for a light switch in a records room.

For the attacker, this groping in the dark has some advantages (as long as they do it quietly). They can follow the data wherever it leads them. Perhaps they will find a connection to a third party that is a much juicier target than the one they initially compromised. Or maybe they will find the database or big data store with all the member records, credit card numbers and information the attackers were initially looking for, mixed in with demographic information, family information, weather reports and previous rental history.

Once the information is found, it is just a matter of exfiltrating the data from the system so the attacker can examine it at their leisure. If our big data stores have not been anonymized, then the attacker knows as much about our members as we do. That will certainly make some of our members and their guests uncomfortable.—and vulnerable.

Unfortunately, once hackers obtain data, there is no way to get it back. At least with lost credit card numbers, the card can be reissued with the numbers changed. While inconvenient to the customer, it is not a huge issue. However, other private data is unlikely to change and the Internet never forgets. Data embarrassing to members will regularly pop back up and forever remind them about the loss of their data and the organization that was the cause of it.

Protecting your club

The first step should be to conduct a data inventory. Understand what type of data you are storing and if it actually benefits the club. We often find that organizations store information because it is cheap. If you have not found a use for the data, delete it; you cannot lose data you do not have.

For data that is being retained for long- term trends, etc., anonymize as much as possible. While loss of anonymized data might lead to a competitor getting access to some research and trade secrets, it is generally difficult and time- consuming to link the anonymized data to an actual individual.

Finally, segment and secure your internal network, similar to how you would protect your external facing network. This will slow down internal attacks and give you the ability to detect the attacker before a full data breach occurs.

Used with permission by Club Management Magazine.

1 FTC V Wyndham

2 Banks: Cards Breach at Trump Hotel Properties

3 Credit Card Breach at Mandarin Oriental

4 White Lodging Confirms Second Breach