Hackers were able to access the network and property management systems of a prominent hotel chain on three occasions. In the first attack, they used the bruteforce method of repeatedly guessing users' login IDs and password to access an administrator account on the network. This enabled the hackers to obtain unencrypted information for over 500,000 accounts, which they sent to a domain in Russia. In the second attack, hackers accessed the network through an administrative account using memory- scraping malware on more than 30 of the hotel's computer systems. The hackers had access for approximately two months during which time they were able to obtain unencrypted payment card information for approximately 50,000 consumers. The hotel chain did not become aware of the attack until it began receiving complaints about fraudulent charges filed by consumers. In the third attack, hackers were again able to access an administrator account on one of the hotel chain's networks and obtain payment card information for approximately 69,000 customers from the property management systems of 28 hotels. In total, the hackers obtained payment card information from over 619,000 consumers, which resulted in at least $10.6 million in fraud loss.

After the breach, an investigation determined that the hotel chain had allowed their hotels to store payment card information in clear readable text; allowed the use of easily guessed passwords to access the property management systems. (For example, to gain remote access to at least one hotel's system, which was developed by Micros Systems, Inc., the user ID and password were both "micros."); failed to use firewalls to limit access between the hotels' property management systems, corporate network, and the Internet; knowingly allowed at least one hotel to connect to the network with an out-of-date operating system that had not received a security update in over three years; allowed hotel servers to connect to its network even though default user IDs and passwords were enabled; failed to maintain an inventory of computers connected to its network devices; failed to restrict the access of third-party vendors to its network and servers; failed to restrict connections to specified IP addresses or grant temporary, limited access, as necessary; and failed to monitor its network for malware used in the previous intrusions.

What standard would apply to the hotel chain's behavior with respect to data security? Explain how the hotel chain's behavior contributed to or caused the breach and identify steps that the hotel chain could or should have taken to minimize the effect of the breaches or prevent them in their entirety.