The hotel industry has had a rough time with cybersecurity over the last four or five years. Some very high-profile cyberattacks have affected the largest hotel groups. At times, it seems like the hotel industry is under siege by cyberattackers as they compromise point-of-sale (POS) systems, centralized booking systems, guest laptops, and mobile devices. Guests are aware that the hotel industry is under attack. In a recent survey, nearly 70% of hotel guests said that they do not believe that hotels are properly protecting themselves from cyberattacks or investing enough in cybersecurity measures.
That’s a large percentage of guests with a negative opinion about hotel cybersecurity. Let’s take a look at where this reputation comes from.
Data breaches have become the scourge of the hotel industry over the last few years. The most notable of these attacks was on Marriott International. The company was forced to disclose that nearly half a billion of its guests had personal information compromised when reservation systems were hacked by what appears to be China-sponsored nation-state actors. Marriott was later fined $123 million by the UK Information Commissioner's Office (the government data-protection regulator) for this data breach.
The Hilton group fell victim to not one, but two serious cyberattacks on their POS systems. Close to half a million of their customers had their credit card details compromised. As a consequence of these data breaches, Hilton had to pay a $700,000 fine to regulators in Vermont and New York.
Another large group, Wyndham Worldwide, was attacked by cybercriminals no less than three times, resulting in 619,000 customers' details and credit card information being compromised. Worse, the cybercriminals behind the attacks ran up more than $10 million in fraudulent charges on those compromised credit cards.
Recently, Kimpton Hotels, a subsidiary of the much larger InterContinental Hotels Group, had its customers' credit card details compromised after a breach at more than 60 of its hotels across the country. The disclosure severely damaged its reputation among customers, who saw fraudulent transactions appearing on their credit card bills.
The cybersecurity woes affecting the hotel industry are not just about data breaches and credit card details. In a much stranger case, a hotel in Europe was forced to pay $1,800 in Bitcoin to hackers who had penetrated their IT systems and remotely locked their room doors, locking guests out of their rooms. The hotel paid the ransom to the hackers, who then unlocked the doors.
According to a recent report from Big Four auditor PricewaterhouseCoopers (PwC), the hotel sector suffers from more data breaches than any other industry apart from the retail sector. Why are hotels and hotel groups so attractive to hackers?
When it comes to technology infrastructure that is not public-facing and/or is not a driver of revenue, the hotel industry inconsistently invests in new technology. If their guests can access the internet and their reservations/billing systems are working properly, many hotels don’t seem interested in technology.
When investments are made, those investments are squeezed to show the largest returns over the longest amount of time possible. Therefore, many hotel groups employ older technology which may or may not be properly patched and updated. This is especially true if the technology was custom-built and the original coders/developers have since moved on.
Of course, that leaves the hotels vulnerable to cyberattacks. Old, unpatched systems are the most vulnerable of all and represent easy targets to increasingly sophisticated attackers.
Not all hotel employees lack conscientiousness when it comes to security, but in general, hotels suffer from a high employee turnover rate. Combine this with the fact that many hotel employees have access to the hotel's customer and financial data, and it's a recipe for disaster.
The truth is, hotels have long been fertile ground for credit card fraud and identity theft, even when employees have been given thorough background checks. It doesn't take long for an unscrupulous employee (or one who simply doesn't care about security) to become a major cybersecurity risk, especially when they have not been properly trained to recognize common cyber threats.
Because the hotel industry is mostly a franchise business, each franchisee has a lot of freedom when it comes to their IT infrastructure, how they secure it, and who manages it. Combine this with open access to the hotel group’s database, billing, and reservation systems, and it's only a matter of time before an attacker infiltrates the wider group.
The open nature of hotel franchise networks makes it much harder to centrally secure and contain cyber threats than it is for organizations with closed IT networks and systems, such as financial groups. It increases the risk of malware, ransomware, and other cyber threats affecting the whole group.
The hotel industry is constantly consolidating with mergers and acquisitions, which naturally creates many cyber risks. When a merger happens, it means that different information security procedures and policies have to be reconciled with each other across the newly-merged group. That is very time-consuming.
When you factor in the employee changeover that comes with mergers, it can make it difficult to stay on top of who is responsible for what. Plus, vulnerabilities may already exist in the system, as was the case with the Marriott/Starwood merger. Attackers had already infiltrated Starwood when Marriott acquired them.
Individually, each cybersecurity challenge is difficult to manage, but put them all together and you create the perfect hunting ground for cyberattackers. Unless the hotel industry gets on top of these challenges, it will continue to be targeted by organized cybercriminals.
In a cross-industry effort to get their cybersecurity in order, the hotel industry is taking strong steps to implement best practices. Increasingly, they’re leveraging cybersecurity technologies like intrusion detection software, data encryption, firewalls, and strong access controls limiting who can access data.
However, this is all part of what large organizations should already be doing to secure their business against attackers. It typically provides a false sense of security and doesn't completely address the threat landscape they face.
The more forward-thinking hotel groups have adopted what we call a ‘data-centric’ approach to cybersecurity, meaning they understand that their data is what attracts hackers. A data-centric model focuses on how data can best be secured as it travels around a network and the wider organization. It also focuses on denying intruders usable data should the group be compromised, for example through tokenization technologies, which make the data useless if it is exfiltrated by attackers.
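As an added illustration of the tokenization idea behind the data-centric approach (example code written for this article, not a product of Digital Hands or of any hotel group), the vault-based scheme below replaces a guest's card number with a random token before it reaches the reservation record, so that a dumped reservation table contains nothing an attacker can charge against. The card number, guest name and vault layout are constructed for the example.

```python
import hashlib
import hmac
import secrets


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check so obviously malformed input is rejected before tokenizing."""
    digits = [int(d) for d in pan]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Toy vault: the only component that ever stores a real card number (PAN).
    In a real deployment it sits in its own hardened, separately keyed segment;
    booking, POS and loyalty systems only ever see the token."""

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}      # token -> PAN
        self._index: dict[str, str] = {}      # keyed HMAC(PAN) -> token (repeat guests reuse a token)
        self._index_key = secrets.token_bytes(32)

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        fp = self._fingerprint(pan)
        if fp in self._index:
            return self._index[fp]
        # Random token; the last four digits are kept so the front desk can say "card ending 1111".
        token = f"tok_{secrets.token_hex(12)}_{pan[-4:]}"
        self._vault[token] = pan
        self._index[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment gateway integration should ever be allowed to call this."""
        return self._vault[token]


def build_reservation(vault: TokenVault, guest: str, pan: str) -> dict:
    """What the reservation system stores: guest name plus token, never the PAN."""
    return {"guest": guest, "card": vault.tokenize(pan)}


def dump_exposes_pan(record: dict, pan: str) -> bool:
    """Simulates an attacker reading the reservation row: is the real PAN in it?"""
    return pan in repr(record)
```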
Hotels are also trying different ways to secure themselves. For example, the Hyatt Hotel group is experimenting with a bug bounty program (via HackerOne) and allowing white-hat hackers to attack their IT infrastructure, applications, and websites to find vulnerabilities. They let the ‘good hackers’ find the vulnerabilities before the ‘bad hackers’ do, and it's been highly successful for them so far.
Another approach is new products designed to protect guests and make staying at hotels safer for them. A company called Cino released a product that keeps personal data safe from data breaches by protecting guests' mobile devices. It uses military-grade technology with login breach protection, keystroke encryption, and defenses against screen-scraping and clickjacking.
The good news is that with each new product and approach, hotel guests are becoming more secure than they were before. As most of us are hotel guests at some point, it’s better to be secure than sorry.
Digital Hands employs a deeply experienced team of cybersecurity professionals who can help your hotel protect itself from cyberattacks.
If you or your partners need a competent security services provider to ensure that you are making the right moves with cybersecurity, call Digital Hands at (855) 511-5114 today.