Hotels in the crosshairs of hackers as technology replaces the personal touch

Hotels and hospitality businesses are now the third most targeted by cyber attackers across all industry sectors. Although these are brick-and-mortar businesses – built to profit from their physical conveniences – they have become a rich data mine for hackers with nefarious intentions.

Before Covid-19 forced hotels into a two-year period of intermittent closures, they suffered 13% of cyber breaches, according to Trustwave’s 2020 Global Security Report – ranking only slightly below retail and financial services companies.

And with hotels facing a difficult pandemic recovery and severe staff shortages, the growing use of technology to replace face-to-face services such as check-in and on-site payments has only increased this risk.

“Historically, hospitality has been a personal service, but I think they’ve started to realize that technology can make that a lot easier,” says Tristan Gadsby, managing director of hospitality consultancy Alliants.


Percentage of all cyber compromises suffered by hotels (source: Trustwave 2020 Global Security Report)

What would previously have been, say, an in-person chat or a phone conversation, Gadsby notes, is now more often a virtual chat exchange. “We are seeing three times more messages sent post-Covid, compared to pre-Covid, per guest.”

In a sign of the times, the US Department of Commerce released its first set of guidelines last year on how hotels should secure guest data and critical software systems.

Meanwhile, authorities monitoring the spread of Covid have also demanded more data from hotels – including guest contact details and health status.

Thomas Magnuson, founder of Magnuson Hotels, an umbrella company of hundreds of independent properties, says his company tries to collect minimal information from guests because “sometimes when you’re traveling you feel like it’s the greatest data entry of all time”.

Hackers view international hotel chains, which handle a huge volume of transactions, as easy targets. Hotel groups also run valuable loyalty programs with millions of members, who give up their data in order to earn points and improve their stays.

One of the most publicized cyber incidents of recent times was the breach of Starwood’s database shortly after it was taken over by Marriott, the world’s largest hotel chain. That hack exposed data for about half a billion customers, Marriott said, when it disclosed the impact in 2018.

In a test case for the then relatively new General Data Protection Regulation (GDPR) in Europe, Marriott was later fined £18.4 million by the UK data regulator, acting on behalf of the EU – far less than the £99m fine originally threatened.

Marriott – which says in its privacy statement that it collects 15 different types of data throughout a guest’s stay, from email addresses to passport information and preferred languages – has since “doubled down on its efforts to detect and respond to threats,” according to Arno Van Der Walt, its director of information security.

The company has accelerated planned investments in data security and improved technologies, such as software that detects suspicious cyber behavior in real time, Van Der Walt adds.

Yet hotels can be vulnerable to a range of cyberattacks, from ransomware to more specific intrusions, such as DarkHotel, a type of hack that targets high-profile business guests through a hotel’s WiFi network.

Luxury hotels are a particularly attractive hunting ground for criminals. In August 2020, scammers hacked into the restaurant reservation system of London’s Ritz hotel in an attempt to trick customers into handing over their valuable payment details.

“The amount of data that [hotels] have is a legend, so their data retention procedures need to be really up to date,” said Fedelma Good, co-head of PwC’s data protection practice.


As cloud computing services have grown, hotels have pushed more data storage to external custodians such as Amazon Web Services or Oracle – a move that at least means systems are overseen by software experts, according to hotel leaders.

Many hoteliers also use third-party agencies to manage credit card details and separate different forms of data: “At the push of a button, I can tell what time [a guest] checked in, what time he left, what time he had lunch,” says Sean McKeown, general secretary of Irish hotel group Dalata. “I have CCTV, but not everything is in one place.”

However, staying safe doesn’t come cheap for already cash-strapped hotels. Gadsby says running a single penetration test to find vulnerabilities in computer systems can cost up to $25,000.

Staff training is crucial. Several hotel executives point out that it’s when staff are processing guest details that information is most likely to leak.

“You wouldn’t dream of appointing a chief executive who doesn’t understand hygiene, so why would I appoint a chief marketing officer who doesn’t have a deep understanding of data protection?” McKeown asks. He says Dalata has spent tens of thousands of dollars upgrading information security systems and training employees.

The GDPR has forced companies to adopt much higher standards when it comes to data protection. But Good points out that, for hotel groups with large cross-border footprints, ensuring they comply with regulations in each jurisdiction is “a real challenge”.

Magnuson thinks hotels should just demand less data, not monetize it in vast loyalty programs like the big global chains do. Hilton, for example, raised $1 billion during the pandemic simply by selling loyalty points in advance to its credit card partner American Express.

“They talk about their millions of reward owners and the number of points associated with them and these are particularly popular assets,” observes Magnuson.

And with guests demanding increasingly personalized and bespoke service, especially from well-known hotel brands, data is likely to remain a valuable asset to protect.

As Marriott expands its online services – from phone notifications that tell you when your room is ready, to using your cellphone to unlock your door – Van Der Walt says the company remains “laser-focused” on the increasingly complex cyber environment: “It’s a race that doesn’t really have a finish line, hacks remain a threat.”
