Hotels and hospitality businesses are now the third most targeted by cyber attackers of all industry sectors. Despite being bricks-and-mortar enterprises — set up for physical enjoyment of their amenities — they have become a rich mine of data for hackers with nefarious intentions.
Before Covid-19 forced hotels into a two-year period of on-off closures, they were the victims of 13 per cent of cyber compromises, according to Trustwave’s 2020 Global Security Report — ranking just a little lower than retail and financial services companies.
And with hotels facing a difficult pandemic recovery and acute staff shortages, the increased use of technology to replace face-to-face services such as check-in and on-site payments has only raised this risk.
“Historically, hospitality has been a personal service but I think they have started to realise that technology can facilitate a lot of that,” says Tristan Gadsby, chief executive of hospitality consultancy Alliants.
[Chart: percentage of all cyber compromises suffered by hotels (source: Trustwave 2020 Global Security Report)]
What would previously, for example, have been an in-person chat or phone conversation, Gadsby notes, is now more often a virtual chat exchange. “We are seeing three times as many messages being sent post-Covid, compared to pre-Covid, per guest.”
In a sign of the times, the US commerce department last year issued its first set of guidelines for how hotels should secure customer data and critical software systems.
Meanwhile, authorities monitoring Covid’s spread have also required more data from hotels — including guests’ contact details and health status.
Thomas Magnuson, founder of Magnuson Hotels, an umbrella company for hundreds of independent establishments, says his company tries to take minimal information from guests as “sometimes, when you travel, you feel like it is the biggest data grab of all time”.
Hackers see international hotel chains, which process a huge volume of transactions, as easy pickings. Hotel groups also run valuable loyalty schemes with millions of members, who give up their data in order to earn points and improve their stays.
One of the most high-profile cyber incidents in recent times was the breach of the Starwood guest reservation database, which Marriott, the world's largest hotel chain, discovered in 2018, two years after buying Starwood; the intrusion itself had begun in 2014, before the acquisition, and went undetected through the deal. That hack exposed the data of about half a billion customers, Marriott said, when it revealed the impact in 2018.
In a test case for Europe's then relatively new General Data Protection Regulation (GDPR), Marriott was subsequently fined £18.4mn by the UK Information Commissioner's Office, acting as lead supervisory authority for the EU under GDPR's one-stop-shop mechanism. That was much less than the £99mn penalty the regulator had originally proposed in its notice of intent.
Marriott — which says in its privacy statement that it collects 15 different types of data throughout a guest’s stay, from email addresses to passport information and preferred languages — has since “redoubled” its efforts “to detect and respond to threats”, according to Arno Van Der Walt, its chief information security officer.
The company sped up planned investment into data security and improved technology, such as software that detects suspicious cyber behaviour in real time, Van Der Walt adds.
Yet hotels can be vulnerable to a range of cyber attacks, from ransomware to more specific intrusions, such as DarkHotel, a type of hack that targets high-level business guests through a hotel’s WiFi network.
Luxury hotels are a particularly tantalising pool for criminals. In August 2020, scammers hacked into London’s Ritz hotel’s restaurant reservation system in an effort to convince guests to pass over their valuable payment details.
“The volume of data that [hotels] have is legend, therefore their data retention procedures need to be really up to scratch,” stresses Fedelma Good, co-lead of PwC’s data protection practice.
As cloud computing services have expanded, hotels have pushed more data storage towards external holders such as Amazon Web Services or Oracle — a move that at least means systems are being overseen by software experts, executives say.
Many hoteliers additionally employ third-party agencies to manage credit card details and keep different forms of data separate: “At the press of a button, I can tell what time [a guest] checked in, what time he left, what time he had lunch,” says Sean McKeown, company secretary of Irish hotel group Dalata. “I have CCTV, but it’s not all in one place.”
However, staying safe does not come cheap for already cash-strapped hotels. Gadsby says running just one penetration test to find vulnerabilities in computer systems can cost up to $25,000.
Training staff is crucial. Several hotel executives point out that it is when staff are handling customer details that information is most likely to slip out.
“You wouldn’t dream of appointing an executive head chef who didn’t understand hygiene, so why would I appoint a head of marketing who didn’t have an acute understanding of data protection?” asks McKeown. He says Dalata has spent tens of thousands on upgrading information security systems and training employees.
GDPR has forced companies to adopt much higher standards when it comes to data protection. But Good points out that, for hotel groups with large cross-border footprints, making sure they comply with regulations in every jurisdiction is “a real challenge”.
Magnuson believes hotels should simply demand less data and not monetise it in vast loyalty programmes, as the big global chains do. Hilton, for example, raised $1bn during the pandemic just by selling advance loyalty points to its credit card partner American Express.
“They talk about their millions of rewards owners and number of associated points and those are specifically valued assets,” Magnuson observes.
And with guests demanding an increasingly personalised and individually-tailored service, particularly from the well-known hotel brands, data is likely to remain a precious commodity in need of protection.
As Marriott expands online services — from phone notifications about when your room is ready, to using your mobile to unlock your door — Van Der Welt says the company remains “laser focused” on the increasingly complex cyber environment: “This is a race that doesn’t really have a finish line, hacks remain a threat.”