Hotel security & data privacy are two of the most critical debates trending in the hospitality industry. HITEC 2019 was dominated by cybersecurity debates, and the need to innovate for hospitality technology infrastructure security and hotel data management.
Cyberattacks & data breaches in hotels quickly become headlines and raise awareness levels, highlighting hospitality businesses in all the wrong areas. Time and again poor hotel security and privacy standards have already caused significant damages to both travelers and hospitality businesses over the last 10 years.
The great news here is that hotel owners & hospitality groups are now rapidly realizing the critical need for cybersecurity & privacy tools for their technology infrastructures. The modern millennial guest has great expectations from hospitality companies in terms of digital security & privacy.
Today, we look back at the five most devastating data breaches and cyber attacks from the hotel industry.
InterContinental Hotels Group (IHG)
In February 2017 IHG reported that they had been affected by a data breach that had affected 12 of its properties’ payment systems in the USA and the Carribean. The group discovered malware on its payments processing servers, but only those of on-site restaurants & bars. Guests who only used credentials at the front desk remained unaffected.
The malware attack remained active for five months between August and December 2016. The group identified that stolen data included cardholder names, card numbers, expiration dates, and internal verification codes.
By April 2017, it was discovered that it wasn’t only 12 IHG properties that had been affected. The figure had phenomenally jumped to 1,200 hotels & resorts, with IHG recognizing they had not realized the malware could spread to their numerous branded franchises too. By the end of March 2017, the Intercontinental Hotel Group had eradicated all instances of the malware from its global servers.
Originally identified in November 2018, the Marriott breach remains the most sophisticated and long-lasting hack in the industry’s history. Marriott Group announced that a cyberattack was attempted on their Starwood Hotels & Resorts franchise worldwide on 8th September 2018.
In a comprehensive investigation, it was identified that the Starwood Group data servers had been breached in March 2014, before Marriott had even acquired the franchise. An estimated 500 million guests data were identified to be at risk.
The investigation established that records of nearly 327 million guests exposed name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival, and departure information, reservation date, and communication preferences.
What followed was a massive lawsuit for the Marriott Group who had found the spotlight for all the wrong reasons. Nearly $130 million was paid out to UK customers of the world-renowned hospitality chain, with reconstruction efforts still underway. The EU Information Commissioner’s Office also deemed Marriott Group guilty of breaching GDPR regulations, adding to the group’s pain.
Hilton Hotel Group
Hilton hotels were possibly the most careless in identifying and handling a severe data breach dating all the way back to 2014 and then again in 2015. The breach initially began when a UK based room booking system was found communicating with an outside malicious computer in Nov-Dec 2014, and the same happening later in 2015 (April 21, 2015, through July 27, 2015).
Hilton’s disregard to inform customers as the breach was discovered was criminal. On November 24, 2015, the Hilton Hotel Group officially reported the breach. In the wake of these cyberattacks, a lawsuit followed that demanded Hilton Worldwide Holdings Inc to pay $700,000 to affected parties. The breach exposed financial information of some 363,000 customers who had used their cards in Hilton properties.
The judges ruled that Hilton hotels do not carry the essential cybersecurity infrastructure nor the right monitoring tools to identify hotel data security threats. The EU GDPR regulations also deemed Hilton’s hotel security and privacy measures inadequate. An official Hilton statement claimed the following in 2017:
“Two years ago, Hilton took action to eradicate unauthorized malware that targeted guest payment card information,” … “Hilton is strongly committed to protecting our customers’ payment card information and maintaining the integrity of our systems.”
In a professional investigation by security firm Mandiante, contracted by Sabre Corp. itself, a critical breach was identified in Sabre’s flagship reservation service. Sabre announced on May 2017 that the severe breach had provided hackers access to their SynXis Central Reservations system.
The breach led to the disclosure of personal and financial information from almost 35,000 hotels and travel agencies that Sabre’s reservation system was managing at the time. The great thing was Sabre Corp’s response to the incident which probably saved them a whole lot in penalties and publicity.
Sabre publicly announced the breach but only after it had already contracted a 3rd party security company to already secure their systems. Later, their spokespersons clarified across print & electronic media that “less than 15 percent of the average daily bookings on the Sabre Hospitality Solutions reservation system[…]were viewed”.
By June 2017, Mandiant’s investigation was over and Sabre took up the daunting task to notify affected customers, partners, and payment providers. A call center has been set up for inquiries related to the breach, while the company released a statement that informs that Sabre Corp:
“has enhanced the security around its access credentials and the monitoring of system activity to further detect and prevent unauthorized access.”
Key Lessons for Hospitality Business from Historical Data Breaches
Data breaches and cyber-attacks are now part of any industry that has a vast deployment of technology. Hospitality companies use a very strategic mix of technology that includes high-speed internet, smart mobility solutions, POS machines, data servers, PCs & tablets, communication tools, reservation systems, PMS and much more.
Hotels tend to be a goldmine for hackers and cybercriminals because of the sheer amount of quality data they have on their local servers. In their article, 3 Key Lessons That Hospitality Industry Leaders Must Learn from the Sabre Reservation System Hack, security blogging service ‘SecurityBoulevard’ establish the following:
- POS Compromise is the Industry’s Most Prevalent Threat, But Credit Card Data is Vulnerable Elsewhere, Too
- You Are Only as Secure as Your Weakest Password
- Prevention is No Longer Possible
You can learn more about securing your hotel technology and reinforcing the privacy rules at your hotel in our blog. Our previous blog ‘how technology improves hotel data security’ is a must-read for any hotel owner looking to enhance their hotel’s security infrastructure.