Jason KadahJessica Wilson has been on the hunt for things people leave behind at hotels. Not for physical items, but for potentially sensitive personal information left behind on public computers found in hotel business centers. The purpose of her hunt is all positive-- but what she has found over the course of two years is concerning. As a cybersecurity student at Embry-Riddle’s College of Security and Intelligence, her ultimate goal is to raise awareness and help keep you safe.
For her research project, Wilson collected business center data from 22 U.S. hotels located in 17 different states. Due to the nature of her project, no specific hotel brands were identified and no data or documents were saved.
There are two types of business centers, connectivity zones or traditional. Connectivity zones are usually a dedicated area in the lobby and a traditional business center is in its own room. Connectivity zones were easier to walk into and collect data because they did not require key card access. Traditional business centers can be accessed with or without an RFID hotel key card, depending on the property.
Wilson’s theme throughout her research was “if a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.” Her findings on the breakdown of data collected were as follows: Log Files (files that record or keep a “log” of keystrokes or sites visited online), 50 percent; Medical Info, 15 percent; Personal Identifiable Information (PII), 10 percent; and 25 percent was identified as “other.” PII and medical information included any document that would allow someone’s identity to be stolen, such as insurance documents, resumes, and doctor’s information.
Additional factors that could compromise business center cybersecurity include tailgating, where a legitimate guest with keycard access allows someone to follow in behind them, possibly possessing a flash drive or the ability to install malicious software. Wilson also notes that security cameras and reliable shredders are also missing from some business centers.
“Considering the amount of information I recovered, I don’t think hotel guests are aware of this problem,” said Wilson. “If I were a hotel GM, I would put up signs informing customers about safe data management practices, and hotel employees trained on proper data disposal.”
Wilson’s number one piece of advice is to be sure to log off your session and log out of all accounts. “Also check to see if you can delete any items from the ‘Downloads’ folder. And if you’ve printed something out, be make sure you go and pick it up.”
Wilson’s full report and analysis can be found at: https://jesswils.com/
To learn more about Embry-Riddle’s Department of Cyber Intelligence and Security, visit: http://prescott.erau.edu/college-security-intelligence/department-of-cyber-intelligence-and-security
Posted In: Security Intelligence and Safety