Hotel businesses have become the second most popular target for cyberattacks in the USA behind the retail sector, taking over second place from financial institutions. Cyberattacks are constantly evolving in nature and becoming more difficult to detect.
IBM notes in its cybersecurity ebook that “… it’s not a matter of IF you will be attacked, but WHEN …”. Since 2017, IBM reports a 250% increase in the number of ransomware attacks, while the number of spam email breaches rose 4 times. In addition, IBM identified that 82% of insider cyberattacks and misuse-of-privilege events took years to identify.
Why Do Cybercriminals Target Hotels & Hospitality Businesses?
Trustwave Holdings reported in 2018 that hospitality was the 3rd most infiltrated industry by cybercriminals. This year, PricewaterhouseCoopers' Hotel Outlook report 2018-2022 stated that the hospitality industry has been the victim of the 2nd largest number of cyberattacks.
In its March 2019 report, Cyber Threat Report Gaming, Leisure & Hospitality Industry, IntSights identifies four reasons for the increase in cyberattacks on hotels. These include:
- Collection of highly sensitive personal information by hotels
- Processing millions of bytes of financial data and transactions
- Connected international data servers & warehouses
- Loyalty programs
The Attack Surface of Hotel Technology
Hotel technology managers need to anticipate where the hotel and its underlying technology are exposed and may be targeted. Understanding and identifying the “attack surface” is critically important for organizations to detect and defend against breaches effectively.
There can, however, be challenges in identifying the attack surface at hotels because of the diverse technology deployed across a single property. IntSights identifies the following as possible hurdles:
In hotels, the attack surface is usually very broad, primarily due to the large number of touchpoints and endpoints for guests. PCs, tablets, laptops, mobile phones, POS machines, signage hardware, Wi-Fi routers, etc. all make up the diverse IoT framework of the entire property. These multiple touchpoints become easy-to-access gates through which cybercriminals can latch onto a hotel network.
Globalized Networks & Data Warehouses
The bigger a hotel franchise is, the larger its attack surface becomes. A global hotel chain usually synchronizes all its properties through a centralized network. All cybercriminals have to do is breach one of the properties and they have access to the entire chain. This was the case in the Starwood Hotels by Marriott breach, which cost over 500 million guests their data and the Marriott Group $120+ million in lawsuits.
One of the most crucial attack surfaces in hotels is the staff themselves. Staff are termed the most “profound vulnerability” by IntSights due to their lack of cybersecurity awareness. IntSights goes as far as to claim that staff can even be “threat actors” due to their constant interaction with guests, management, and hotel systems.
Staff access and authorization is of great concern given that employee turnover in hotels is often high. Managing user permissions and access restrictions is of utmost priority for any hotel I.T. manager to ensure a mistake does not cost the hotel its brand equity.
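With high staff turnover, the check that matters most is whether every account in the PMS and POS still maps to a current employee with an appropriate role. The following is an added example, not part of the original article: the roster, account export, role policy, and field names are all constructed assumptions.

```python
from datetime import date

# Constructed sample data: an HR roster and an account export from hotel systems.
HR_ROSTER = {
    "E100": {"name": "A. Rivera", "job": "front_desk", "left_on": None},
    "E101": {"name": "B. Chen", "job": "night_audit", "left_on": date(2024, 3, 1)},
    "E102": {"name": "C. Okafor", "job": "restaurant", "left_on": None},
}
ACCOUNTS = [
    {"system": "PMS", "user": "arivera", "owner": "E100", "role": "reservations", "last_login": date(2024, 4, 28)},
    {"system": "PMS", "user": "bchen", "owner": "E101", "role": "night_audit", "last_login": date(2024, 2, 27)},
    {"system": "POS", "user": "cokafor", "owner": "E102", "role": "pos_admin", "last_login": date(2024, 4, 30)},
    {"system": "POS", "user": "bar1", "owner": None, "role": "cashier", "last_login": date(2024, 4, 30)},
    {"system": "PMS", "user": "cokafor", "owner": "E102", "role": "reservations", "last_login": date(2023, 11, 2)},
]
# Assumed least-privilege policy: the roles each job title may hold.
ALLOWED_ROLES = {
    "front_desk": {"reservations"},
    "night_audit": {"reservations", "night_audit"},
    "restaurant": {"cashier"},
}

def audit_accounts(accounts, roster, allowed, today, dormant_days=90):
    """Return (system, user, finding) tuples for accounts that need review."""
    findings = []
    for acct in accounts:
        key = (acct["system"], acct["user"])
        person = roster.get(acct["owner"])
        if person is None:
            # Nobody is accountable for actions taken with this login.
            findings.append((*key, "no named owner (shared or orphaned)"))
            continue
        if person["left_on"] and person["left_on"] <= today:
            findings.append((*key, "owner has left; disable"))
            continue
        if acct["role"] not in allowed.get(person["job"], set()):
            findings.append((*key, "role exceeds job: " + acct["role"]))
        if (today - acct["last_login"]).days > dormant_days:
            findings.append((*key, "dormant account"))
    return findings

if __name__ == "__main__":
    for row in audit_accounts(ACCOUNTS, HR_ROSTER, ALLOWED_ROLES, date(2024, 5, 1)):
        print(*row, sep=" | ")
```

Running the same reconciliation on a schedule, and on every termination event from HR, keeps the window between a departure and account removal short.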
Brand Standards, Multiple Technologies & Security Systems
Every branded hotel franchise has its own technology benchmarks that all of its franchisees must adhere to. The brand owner (franchisor like Marriott, Sheraton & Hilton) indicates to the hotel owner (franchisee) the required hardware & software for standardized service.
While the core technology standards are the same, franchisees can install separate POS machines and retail outlets at their hotel. The problem arises when any of these technologies are legacy systems that have few or no security safeguards. When these unsecured technologies interact with the PMS or other systems at the hotel, there is a massive risk of breaches.
Even in the case of a distribution service for reservations and booking like TripAdvisor, Booking.com, or Expedia, a hotel is dependent on third-party systems. It is therefore essential for hotels to have standardized tech, simplified infrastructures, and relevant security apparatuses in place for all these technologies to ensure minimum attack surfaces.
The Five Most Dangerous Security Threats for Hotels
Ever since financial institutions began enhancing their digital security, hackers have turned their attention to the hospitality industry. Using a variety of attacks, cybercriminals can not only steal data but even render an entire hotel useless.
• POS (point-of-sale) attack
POS systems are the most commonly hacked systems in hotels. POS machines have direct access to credit card data and personal information through payment processor gateways. While credit card issuers have upped their security, the integrity of POS machines is still questionable.
Card data malware can find its way into a hotel for a variety of reasons, including improper configurations, weak passwords, insecure remote access, etc. Since POS security is delegated to the processors, there is a greater chance of data breaches.
• Personal data theft over Wi-Fi systems
Wi-Fi is one of the core offerings of a modern-day hotel, with everything from mobile devices and laptops to POS machines connected to it. The sad part is that most public Wi-Fi networks are highly insecure and are not protected by stringent security measures.
The rapid development of Wi-Fi security tools has ramped up protection for connected devices, but human errors remain. Cybercriminals employ a variety of techniques to cash in on human errors and quietly listen in on hotel activities. This means they can expose not only financial and personal data, but also the habits of guests staying in hotels.
• Ransomware attacks
One of the most common attacks used by cybercriminals today, ransomware is defined by its name. Once hackers breach a hotel’s tech, they hold the entire infrastructure hostage and demand a ransom to release it.
• Spear-phishing attacks
Commonly known as “phishing”, this is a very popular attack choice for cybercriminals. Spear-phishing attacks are usually conducted through scam emails. A malicious link or file is sent through the email and, once clicked, it provides the criminals access to all hotel systems.
• DDoS attacks
Akamai identified in its 2018 State of the Internet report that hospitality businesses suffer most from distributed denial-of-service attacks. In these events, cybercriminals use fake “botnet” traffic to flood hotel systems with access requests.
Since hotels deploy a vast technology infrastructure that controls the PMS, signage, concierge, mobility, room technologies, POS, security cams, sprinklers, CCTV, etc., DDoS attacks can simply turn off entire hotel technology systems. In 2015 and 2017 Trump hotels were victim to a severe DDoS attack.
How to Protect Your Hotel from Common Cyber Threats
Breakthrough developments and best practices are now allowing CIOs, CTOs, and hotel I.T. staff to readily reinforce hotel technology systems. As hotel owners wake up to the consequences of suffering a data breach or hack, there are several effective techniques that hotels can adopt to protect their assets.
Here are the best courses of action highlighted by research and professional opinions:
- Routine Staff Training
- Reinforce Technology Security with Latest Solutions
- Source from Approved Vendors
- Hire Managed Hotel Technology Security Providers
- Relentless Network Monitoring & Firewalls
- Monitor Latest Threat Reports & Trends
- Develop a Digital Security Plan & Relevant Policies
I hope you found this edition of our blog informative and that it will help you make great security decisions for your hotel technology. For any queries and service inquiries, remember to contact our customer services team or our expert sales team for assistance.