The Most Common Cyber Threats For Every Hotel in 2019

Hospitality technology is evolving at a remarkable pace facilitating guest experiences across the world. The integration of both guest-facing and backend technologies is allowing hotels to be more efficient while decreasing overall costs of operations.  

The real challenge for hoteliers, however, is identifying and protecting their technology infrastructures against possible cyber threats. Over the last 6 years, there has been a radical increase in the number of data breaches and hacks on hospitality businesses.

The Marriot data breach identified in November 2018 compromised the data of close to 500 million guests who had stayed at Starwood Hotels & Resorts since 2014. The newest brand of Marriott International Group had been breached a year before they acquired Starwood in 2015.

Similarly, the Hyatt Hotels Group reported a massive payment data breach in October 2017. Payment card data was hacked from 41 Hyatt properties across 11 countries, with 18 of the affected hotels in China alone.  

As hospitality technology demands grow, so do the number of vulnerabilities that accompany them. Today we take a look at seven cyber threats every hospitality business should be prepared to handle in 2019.

Ransomware

A “ransomware” as the name suggests is a cyber-threat that hijacks a hotel’s systems sabotaging its data or functions unless a payment is made. The WannaCry ransomware that encrypted data of users and demanded a $2500 Bitcoin payment per computer for the decryption key comes to mind.

Ransomware is usually sent out to an unsuspecting user via email attachments or malicious links. Once the ransomware is clicked a  screen displays to explain that the system is now locked and how to unlock it. Experts believe hotels get hacked so easily is because of two major reasons. One, there is an abundance of systems to manage across hotels, and two, the use of outdated hardware & software on properties.

Robert E. Braun from Jeffer Mangels Butler & Mitchell LLP also claimed the same about ransomware in a 2017 interview, “In some cases, it can be actually taking control of your hotel because there are so many systems.”

In 2017, the Romantik Seehotel Jaegerwirt in Austria was the victim of clever ransomware that locked out all the guests out of their rooms. The electronic keys of all of 180 rooms of the 11-year-old ski resort were locked out by hackers. A ransomware email was received the following morning demanding $1800 in Bitcoin to unlock the keycards.

While no hotel is free from ransomware attacks due to their stealthy nature, some hoteliers are reluctant to upgrade technology on their properties. Scott McAfee, Senior Director of I.T. at VIPRE antivirus, established in an interview that:

“One of the things that I hear a lot from the tech side is, ‘we’re not a big enough company that somebody wants our data.’ It’s a misconception that you’re not being targeted because you’re not a big company, or that you’re not being targeted because you don’t have enough valuable data…”

The first way to counter ransomware is by being proactive and having a cutting edge technology infrastructure. Hotel staff, guests, and management have limited contingencies for ransomware, since its the user themselves that activates the threat in the first place. Second, it is also essential to train staff & management about modern-day cybersecurity best practices.

The third element of ransomware security is a leading edge security solution for threat detection and protection. The latest security solutions with updated vulnerability patches, virus definitions, and innovative features act as your first line of defense against prevailing ransomware threats.

POS Payment Card Data Hacks

Properties usually have multiple POS and touch points both on-site and online. This type of breach is most unwanted in hospitality since it can lead to some dire consequences and settlements to guests. Most hotel businesses shocked by the liabilities arising from a payment data breach, comments Jackie Collins, Senior Director & VP of Hospitality practice at Arthur J. Gallagher Risk Management Services.

Experts deem POS data breaches as the “single biggest” cyber threat to the hospitality industry. These attacks generally target payment vendors rather than the hotel itself. Payment data & POS systems are usually secured with what is popularly known as PCI compliance standards. PCI or Payment Card Industry compliance is made up of 12 rigorous standards that reinforce the security of this critical information, read more about this in our blog.

Data Breach & Loss of P.I.I

Data breaches and theft of personally identifiable is simply destructive for any business, and even more important for hotels to prepare against. With thousands of guests staying at properties over time, there is a huge amount of guest data just laying dormant in databases, website cookies, and devices.

Three aspects are vital in securing the personal information of guests namely the network design, network security (firewalls), and a cybersecurity solution (antivirus & internet security apps). Hackers are readily looking to infiltrate organizations to extract highly sensitive data including payment card information, names, addresses etc. to sell online.

Securing guests personal data requires a proactive approach to eliminate the chance of hacks & breaches from occurring. In her research paper, Neda Shebani identifies 3 steps to countering cyberattacks as recommended by Accenture:

Prepare & Protect

It is essential to have policies, procedures, and a plan to protect guest data. At this stage the hotel must conduct a comprehensive audit of their cybersecurity systems, business functions, databases, network design, and assets. Most companies also establish data access and distribution policies for their staff at this stage too.  

Defend & Detect

At this stage the cybersecurity action plan goes into motion. Systems are constantly monitored for vulnerabilities, looking for possible upgrades while improving the network design. Once detected vulnerabilities are studied for evolved variants and measures are taken to enhance the overall cybersecurity plan.  

Respond & Recover  

This step requires imminent action from hotel technology managers to respond to the attack and recover lost data and revitalize network defenses.  In case recovery is not possible, hoteliers must go back to the drawing borad to design an updated plan.

Constantly evovling technology has stern demands for hospitality businesses with new vulnerabilities arising in legacy systems. It is highly suggested to contract a managed technology partner to undertake the management, support, and updates for any hotel. These vendors have vast industry experience handling cybersecurity, designing cutting-edge I.T. infrastructures, and managing the entire system remotely.

Final Thoughts

Cybersecurity is a popular topic both discussed and followed by a vast number of hospitality professionals. Due to its constant development and new vulnerabilities coming up quickly, hospitality companies are required to stay ready to completely isolate threats once discovered.

We have previously discussed the importance of PCI compliance and P.I.I protection in our blog that you will also like. Do remember to bookmark our website, and visit us again for some amazing hospitality insights, reports, articles, and infographics.

Mohammad Shoaib Ziaee

Director of Information Technology

Mohammad Shoaib Ziaee is Director of Information Technology at Advanced Hospitality Technologies. Mohammad has been a lifelong technology enthusiast, starting out in the technology management industry as far back as 1996. His passion for progress, innovation, and creating technology marvels has made him one of the top most hospitality technology consultants in the US.