
125,000 items of customer info stolen from Prince Hotels chain

22 Comments

The requested article has expired, and is no longer available. Any related articles, and user comments are shown below.

© KYODO

©2024 GPlusMedia Inc.


More hacking from abroad. Any guesses as to who?

0 ( +2 / -2 )

"We deeply apologize for the inconvenience and the anxiety we have caused to our customers," Masahiko Koyama, the president of Prince Hotels, said at a news conference in Tokyo. "We will make utmost efforts to prevent a recurrence."

"Inconvenience?" Preventing an occurrence is one thing, taking responsibility for any losses that may have been incurred is a totally different issue!

5 ( +5 / -0 )

Who stores CC in plain text? Where is the tokenization and PCI compliance?

9 ( +9 / -0 )

Who stores CC in plain text? Where is the tokenization and PCI compliance?

Unfortunately, a significant number of so-called 'web agencies' are not qualified to build secure systems, yet take on projects that require a high level of security. Clients don't know the ins and outs of the industry, so they don't know how to evaluate whether a company knows what they are doing or not. So companies hire sub-par agencies, often based on price, and end up with sub-par systems. The company that built the system for Prince Hotels was obviously unqualified. Or maybe Prince tried to do things cheap and hired someone unqualified internally. Either way, someone who wasn't qualified to build this system built it, and this is the result.

Unfortunately, Prince Hotels just learned a really tough lesson. Don't skimp, and get third party evaluations. I guarantee the next agency Prince Hotels uses will be better vetted. Anyone considering having a web site built that requires any level of security should learn from this failure, and find out how to effectively evaluate a web agency's ability to create secure systems before hiring that agency.

11 ( +11 / -0 )

Customer information was leaked through two servers. Doesn't say what company hosted the servers... 'Customers can still email the hotel to make reservations, Prince Hotels said.' Ok you've reassured me, I'll send over my credit card info right away. NOT

5 ( +6 / -1 )

I work in infosec and do bounties via bugbountyjp in my free time, you wouldn’t believe some of the utterly insane things I have seen developers do in this country.

Had one company (large, has had a lot of TV commercials over the years) that was using tokenized credit card processing (via GMO), which was perfect. But they were also submitting all CC details without hashing to their reporting server. That’s bad, but their reporting server was on http :-/

Another decided it was fine to store all their API keys in a public repository.

If 2020 is for Japan anything like 2012 was for England, expect a lot of these stories to start appearing.

8 ( +8 / -0 )

I wish they'd name the booking sites so those who may have used them can check up on their situation. All this no-naming does is create more anxiety.

3 ( +3 / -0 )

There are still large online shops here with no SSL certificates. In 2018.

0 ( +1 / -1 )

Customer information was leaked through two servers. Doesn't say what company hosted the servers...

Most hosting companies are actually very secure, as it is their business and their industry, so they are knowledgeable about what they are doing. Website hacks are almost always a result of poor programming, leaving security holes. So it would probably be the company that built the website(s) that is responsible, not the hosting company.

3 ( +3 / -0 )

If 2020 is for Japan anything like 2012 was for England, expect a lot of these stories to start appearing.

I'm always surprised at the level of computer illiteracy that I see in Japan. Also, the sub-par equipment and budgets that are expected to serve a function are quite... erm... sad. One area where Japan clearly shows how it is slow to change and adapt.

1 ( +1 / -0 )

I always wondered about stolen credit cards. Let's say you have my name, cc #, exp date, and sec code and are able to use the card. You don't have my pin, so cash advance seems impossible. You are seemingly limited to ordering things. How do you order something which then needs to be delivered somewhere you can sign for it and the address you can access must have some connection to you down the line. Feels like there would be enough of a trail for police to find you.

-2 ( +0 / -2 )

Yuko, once I went for a business trip to the US, and I used my credit card to pay for the hotel. After coming back to Japan, both myself and my colleague were called by the card company. Apparently somebody stole our info, cloned the cards, and with my card somebody was shopping at Target in the US, and with my colleague's card, somebody was buying computers somewhere in Africa. They cancelled our cards and issued new ones, and end of story.

2 ( +2 / -0 )

Feels like there would be enough of a trail for police to find you.

There is, but there is a massive number of cases, and often the person doing the action is in a nation where the police have concerns other than chasing down credit card fraud. In the end, they don't have to do the perfect crime, they just have to not be the sloppiest. The person who is the sloppiest will get taken down.

2 ( +2 / -0 )

Where is the tokenization and PCI compliance?

Add some blockchain while we're at it

0 ( +0 / -0 )

A lot of Japanese companies need to get up to speed when it comes to securing themselves online. For all the tech Japan is known for I have seen countless sites in Japan using decrepit web standards and most importantly failing to use SSL on their sites. I doubt the information stolen had any encryption on it, as another user said, it was probably stored on a simple text file. That apology means nothing if there is no accountability.

The hotel chain said it will suspend the websites until it confirms their security. Customers can still email the hotel to make reservations, Prince Hotels said.

I doubt they'll have an influx of emails for bookings.

0 ( +0 / -0 )

So have they attempted to contact the individuals concerned?

As it's a Japanese business involved, simply saying "Ah well, we will try and prevent it in future" is okay, but if it's a foreign company, lawsuits follow.

This is a breach of the Japanese PPI Law. Why hasn't a bigger fuss been kicked up?

0 ( +0 / -0 )

@yuko. I have used my partner's cc on occasions. No PIN required, just sign. They are Japanese and I’m a foreigner. I signed their name badly in Japanese. No problem. If you have used a cc on the internet, all you need is name, address, cc number and the 3 numbers on the back. Rent a P.O. Box, spend as much as you want and collect everything in a week then disappear. Close the P.O. box.

Always check your statements.

1 ( +1 / -0 )

Stayed in Prince hotels several times before 2017, so tomorrow will contact the bank! Just in case.

0 ( +0 / -0 )

@yuko. I have used my partner's cc on occasions. No PIN required, just sign.

Most places I use mine at in Japan don't even require a signature. What's to stop someone else from using mine if they could swipe it from me? Nothing! Not even a signature. TIJ.

1 ( +1 / -0 )

And the National Police Agency wants to expand the information hotels take from guests -- particularly foreign guests but also, despite there being no law on the books to demand it, resident immigrants -- and how much they store. And then they wonder why we guests are reluctant to hand over personal information like this.

0 ( +0 / -0 )
