Cybersecurity in the Hospitality Industry: Challenges and Solutions

Download Now

Hospitality is a broad field encompassing service organizations that provide lodging, food and beverages, travel and tourism, and entertainment and recreation. Since the COVID-19 pandemic hit the hospitality industry hard, it’s made significant steps toward recovery.

Hospitality businesses must remain vigilant to continue this recovery amid an evolving cyber threat landscape. With cybersecurity threats increasing in frequency and sophistication, every business in the hospitality industry must take steps to protect data with robust information security policies and procedures.

A data breach can destroy a hospitality business through loss of reputation, business disruption, the cost of remediation after a cyber attack, regulatory costs, and lawsuits. A cyber attack can lock guests out of their rooms, forcing them to make reservations elsewhere.

This post looks at how the hospitality industry is affected by cybersecurity threats and the steps hospitality businesses can take to prevent cyber attacks and be more resilient if one does occur.

Find out how UpGuard helps secure the hospitality industry >

Why is the Hospitality Industry Targeted by Cybercrime?

To compete in a yet again booming hospitality industry, businesses must deliver excellent customer experiences. One of the ways modern hospitality businesses achieve this is by collecting and analyzing sensitive customer data.

The hospitality industry can create customized experiences for individuals and groups using customer data. Hotels and restaurants can use data to optimize their offerings according to their target market, season, and location.

However, collecting, processing, and storing large amounts of customer data makes the hospitality business attractive to cybercriminals. Data processed by the hospitality sector tends to include large amounts of sensitive data. Hotel chains, for example, typically store sensitive information about each guest.

Personal data frequently processed by hospitality industry computer systems includes:

  • Names of hotel guests
  • Street addresses
  • Email addresses
  • Phone numbers
  • Credit card data
  • Dates of birth

Cybercriminals can sell guest information on the dark web, hold it for ransom via ransomware, or use the data to commit further crimes, including phishing attacks and identity theft.

Cybercriminals can use stolen data to create realistic communications with unsuspecting customers. With stolen personal data, cybercriminals can develop and distribute fake confirmations, updates on non-existent loyalty programs, and bogus transfer requests, intending to trick guests into sharing more data or performing financial transactions.

The industry also faces cyber threats from state-sponsored cyber espionage groups, such as the DarkHotel hacking group, a persistent cyberattack group that engages in highly targeted attacks, typically against C-level executives.

The name DarkHotel references their modus operandi of tracking targets’ travel plans and launching attacks via hotel wifi. They perform massive surveillance activity and use botnets to launch Distributed Denial of Service (DDoS) attacks.

Following are the top vulnerabilities of the hospitality industry.

Card Readers / Point of Sale (POS) Systems

POS systems provide convenient payment throughout the hospitality industry but also increase the potential risk of data breaches. POS devices not only process transactions but can also manage inventory and orders. Furthermore, cybercriminals launch attacks against business systems using POS applications as the entry point.

One area of weakness is when organizations use POS systems with unsecured wifi. It’s relatively easy for a hacker to gain unauthorized access to a device or the entire network this way. Doing so would allow cybercriminals to access customer information, such as payment card information, which could let them make fraudulent transactions.

The devices should have security settings, but POS systems can also have inherent software vulnerabilities that could facilitate a data breach.

Using the default passwords that come with devices like these makes organizations more vulnerable to cyber attacks, particularly considering that each device can typically connect to other POS devices on the network. It only takes one with a problem to increase the risk to the whole organization.

Sometimes, cybercriminals use malware that targets POS systems directly. Malicious software on these endpoints can help cybercriminals collect payment information from devices before the data is encrypted. Cybercriminals may also use tiny physical devices called skimmers to collect payment information.

Hotel Wi-Fi

Hotels typically offer hotel Wi-Fi to guests to provide convenience and enhance the customer experience. However, if the Wi-Fi network is unsecured, cybercriminals can access hotel guests’ phones or the hotel network, which could compromise servers containing personally identifiable information (PII).

Hotel Wi-Fi also invites connections from unknown, unvetted client devices, introducing the risk of malware infection via this attack vector.

Internet of Things (IoT) Devices

Hospitality organizations, particularly in the hotel industry, are increasing their use of Internet of Things (IoT) innovations to improve customer experience and deliver efficiencies.

Examples of such innovations are:

  • Interactive screens where guests can receive personalized greetings, weather, and local information
  • LED lighting that responds to natural daylight
  • Locks using facial recognition to enter buildings and rooms
  • Smart thermostats to reduce energy costs

Even though many IoT applications are related to security enhancements, hoteliers and others in the hospitality industry must not implement IoT solutions without understanding their inherent vulnerabilities.

Every IoT device increases an organization’s attack surface by providing another endpoint that cybercriminals could exploit. Unvetted IoT technology can increase organizational risk in numerous ways, including the following:

  • Added organizational complexity
  • More entry points
  • The use of unsecured wireless technology
  • Potential onboard malware
  • Outdated onboard security
  • Unchanged default security settings

Hotel Websites

Customers expect modern businesses to maintain a presence online. Hotels typically provide up-to-date information and take bookings online to compete in the hospitality marketplace.

However, hotel websites are a potential vulnerability. Cybercriminals may target poorly secured websites to access the organization’s network, steal customer data, or cause business disruption.

In addition, DDoS attacks, in which a bad actor uses malware-infected computers to overload a server with requests, can render a hotel website inaccessible to customers. This could severely damage a business's reputation and revenue when timed to coincide with peak times in a day or even peak days of the season.

Examples of Cyber Attacks in the Hospitality Industry

Here are some examples of cyber attacks and data breaches in the hospitality sector in recent years. Some of the biggest cyber attacks in the hospitality industry include attacks against Starwood and Marriott, Hilton, and Wyndham hotels. It’s worth considering these attacks because they illustrate the potential impact of data breaches in the hospitality sector and the benefits of being prepared for cyber threats.

InterContinental Hotel Group

Recent cyber attacks in the hospitality industry include the attack on InterContinental Hotel Group (IHG), impacting its Regent, Crown Plaza, and Holiday Inn hotels in 2022. The breach started with the compromise of Starwood’s data and spread to the IHG group, which comprises over 6,000 hotels in over 100 countries. Compromised data included customers’ names and addresses.

Starwood and Marriott Data Breaches

Marriot has faced multiple data breaches over the years. It announced the compromise of one of its reservation systems in November 2018. The breach, discovered in September of that year, affected as many as 500 million hotel guest records, including credit card information and passport numbers.

Having spotted the threat via internal security systems, Marriott determined that its Starwood brand’s reservation systems had been compromised in 2014 — before Marriott acquired Starwood. Investigators discovered a trojan, probably installed after someone clicked a link in a phishing email, and a tool used to find combinations of usernames and passwords in system memory.

Later, Wall Street Journal reported that Starwood employers had typically found it difficult to secure their reservation system. This difficulty was exacerbated by the laying off information technology and security personnel when Marriott acquired Starwood in 2016.

Starwood’s malware went undiscovered for four years, which goes some way to explaining why remediating these data breaches is estimated to have cost Marriot more than $500 million. In July 2019, the UK’s Information Commissioner’s Office (ICO) fined the firm more than $120 million for GDPR violations and its failure to do due diligence on Starwood’s IT infrastructure. Furthermore, the firm is likely to have suffered billions in lost revenue.

Hilton Data Breaches

In January 2023, having initially denied being hacked, Hilton admitted that a cyber attack had impacted about half a million reservation records. Hackers claimed to have stolen a database from 2017 and that they had access to names, IDs, reservation data, and tier data regarding guests enrolled in the Hilton Hotel Honors program.

This comes after Hilton was fined $700,000 for two data breaches in 2015, compromising the credit card and other information of 350,000 customers. The fine reflected the fact that investigators discovered malware that targeted credit cards at the end of 2014, but Hilton neither warned its customers nor rectified the vulnerability until 2015.

The source of the attack was malware found in point-of-sale systems at various Hilton hotel restaurants and shops, including Hampton Inn and Suites, Embassy Suites, and Waldorf Astoria. Affected data included cardholder names, security codes, and card expiration dates.

Wyndham Hotels

While it’s not the most recent breach, Wyndham is often cited because it exemplifies how a relatively small data breach can have a massive impact on a business.

Striking three times between 2008 and 2010, cyber attackers compromised about 619,000 customer records, including credit card information. The data breach led to customers losing more than $1.6 million to fraud.

Despite relatively little data being stolen compared to some of the world’s biggest data breaches, the cost of working with regulators may have been just as high as if more data had been compromised.

Wyndham — operator of Days Inn, Super 8 motels, and Ramada — fought with regulators, making it a lengthy investigation. They spent five months gathering information and submitting responses to regulatory demands. There were also seven in-person meetings with the Head of Security. The arduous and no doubt costly investigation period was followed by lawsuits from regulators and private plaintiffs.

The hotel enterprise hired an independent cybersecurity firm to review its security upgrades following the investigation. According to Wyndham, the firm spent over $5 million in legal and vendor fees remediating the data breaches.

However, the real cost of this and other cyber attacks in the hospitality sector must include:

  • Drops in stock price
  • Terminations resulting from negligence
  • Lost revenue
  • Government investigations
  • Regulatory fines
  • Lawsuits
  • Loss of reputation

Reducing the Risks of Cyber Attacks in the Hospitality Sector

Organizations in the hospitality industry can improve their security posture by focusing on preventing cyber attacks and mitigating data breaches should they occur.

As seen in the cases of significant hotels punished by regulators and lawsuits after mishandling data breaches, it is more cost-effective and morally sound to invest in preventative security measures than to rely on responding after an attack has occurred.

Given the current cyber threat landscape, organizations should prioritize prevention while ensuring that sound policies and procedures are in place to limit the cost and damage of successful cyber attacks.

Furthermore, the hospitality sector must appreciate that the cyber threat landscape is constantly evolving. Implementing best cybersecurity practices and continuous monitoring, assessment, and adaptation are essential.

Cybercriminals are constantly updating their techniques and tools, so any targeted industry must be at least equally flexible, alert, and willing to adapt.

How the Hospitality Industry Can Prevent Cyber Attacks

Here are some steps that hospitality businesses can take to minimize the impact and risk of cyber attacks:

Risk Assessments

Businesses wishing to develop or enhance their cybersecurity strategies, policies, and systems should start with risk assessments.

Businesses will have different cybersecurity priorities according to their sizes, locations, cybersecurity maturity, and other factors. It’s essential to start with information-gathering about the cyber threat landscape and the firm’s security posture to make accurate decisions about reducing cyber risks.

Cybersecurity risk assessments need to be performed regularly. Whatever the result of a risk assessment, the cyber threat landscape requires vigilant monitoring so that organizations can stay protected.

Follow Cybersecurity Frameworks

Using a cybersecurity framework can help a business in the hospitality industry develop a robust cybersecurity system to protect the organization, its staff, business partners, and customers.

Businesses frequently use NIST CSF to help establish their cybersecurity policies and procedures as it is comprehensive and adaptable. NIST Special Publication 1800-27 also contains specific guidelines for securing property management systems (PMS) that can help hospitality organizations improve their cybersecurity.

Cybersecurity Training for Staff

Most data breaches involve human error, whether an employee clicks on a phishing link. They either don’t recognize a potential scam or accidentally share their access credentials with a colleague because they didn’t realize this would be a cybersecurity risk.

While how the staff interacts with the system can be a vulnerability, cybersecurity training can make an organization’s staff a strong line of defense.

The first step to improving cybersecurity through staff training is to increase cybersecurity awareness. All staff must understand why cybersecurity is important, how people impact the firm’s security, and what they can do to enhance cybersecurity.

Training on cybersecurity best practices should vary according to the risk exposure of different personnel. All relevant personnel must be trained to use POS systems securely since this area of the hospitality industry is particularly vulnerable to cyber threats.

General cybersecurity training might include the following:

  • Logging out of devices before walking away from workstations
  • Using and updating strong passwords
  • Keeping access credentials private
  • How to respond to phishing emails and who to report them to
  • Reporting suspicious activity

Development of a Cybersecurity Culture

Developing a cybersecurity culture takes training further and can deliver long-lasting, enhanced information security for participating organizations.

A cybersecurity culture begins at the C-suite level and trickles down. Someone appointed to lead culture change can then use various methods and resources to share information security messages throughout the organization.

In an organization with a mature cybersecurity culture, information security is a primary topic in meetings at all levels, with incentives and rewards, penalties, ongoing training, drills, and initiatives designed to express the importance of cybersecurity throughout the company.

Continuous Monitoring

Cybercriminals don’t schedule cyber attacks when it’s convenient. Organizations require continuous monitoring to spot threats as soon as they occur. With continuous monitoring, businesses are more likely to identify anomalies and unusual patterns that signify a potential data breach.

Updating Software and Hardware

Hardware and software must be kept up to date to remediate vulnerabilities. Regular software updates will ensure known vulnerabilities are patched as soon as possible.

Threat Intelligence

The hospitality industry can benefit from threat intelligence to ensure that businesses stay updated with the latest hacker activities and cyber risk trends. When the industry is targeted by professional cyber attack groups, such as DarkHotel hackers, investing in threat intelligence to counter targeted spyware, malware, and spear phishing activities is essential.

Access Control

Limiting access to sensitive data to only those who need it is an excellent strategy for protecting data. It reduces the channels through which cyberattackers might achieve unauthorized access and exfiltrate data.

Access control also helps firms identify the source of an attack and contain it since access control limits how it could have occurred.

End-to-End Encryption for POS systems

POS systems are a significant target for cyber attackers since they often have vulnerabilities that can help them access the device, connected devices, and the network itself. Encryption can help solve this problem by making transmitted data unreadable without the decryption key.

Encryption does not solve problems with vulnerabilities on physical devices, such as the possibility of someone hiding skimming hardware on a POS device, but it reduces the chance of the more likely attack, which is via the wireless network.

Strong Passwords

Password maintenance remains one of companies' best ways to improve their information security. A strong password is difficult for a cybercriminal to guess or crack with the help of AI. This means using combinations of alphanumeric characters, symbols, and numbers. A mix of capitalization and lowercase letters makes passwords more difficult to crack, as does using non-dictionary words.

Data Limitation

Data can’t be compromised if it does not exist. By collecting and retaining as little data as possible, an organization can significantly lower the impact of a data breach. Therefore, organizations should destroy data securely as soon as it is no longer needed.

Testing Cybersecurity

Cybersecurity is not a one-off activity. Since cybercriminals are working hard to find new ways to exploit systems and steal data, highly targeted industries like hospitality need to maintain their cybersecurity systems.

This means regularly testing the effectiveness of their technology and assessing it in the context of the evolving cyber threat landscape. Many organizations solicit help from external cybersecurity experts to audit their cybersecurity systems.

Supply Chain Risk Assessment

Businesses increasingly realize that their attack surface extends to their suppliers (third-party risk) and those who supply their suppliers (fourth-party risk). Identifying, assessing, and monitoring the entire supply chain can be challenging.

Each part of the supply chain carries inherent risk, which entails significant risk to all businesses that rely on others for manufacturing, products, and services. Assessing the supply chain and collaborating to mitigate or remediate risks is a good move for the whole industry.

Hospitality businesses can reduce the risk of data breaches by vetting third-party vendors and limiting the use of third-party apps, such as those for hotel management or online bookings.

How Hospitality Businesses Can Respond to Data Breaches

In most cases, avoiding a data breach is far cheaper than repairing one. However, data breaches are an increasingly common part of life in the hospitality industry, and an organization must have a plan for how it will respond. A prompt and effective response can save a business from significant financial losses, loss of reputation, or even failure.

Incident Response Team

If a cyber attack takes place, someone needs to lead the response. With an established incident response team, a business knows the stakeholders' roles, responsibilities, and contact details that will lead the mitigation effort.

Leading the team might be someone in a Chief Information Officer (CIO) or Chief Information Security Officer (CISO) role. The important thing is that staff knows which decision-makers are responsible for cybersecurity and where to go if something looks suspicious.

The response team should comprise executives and managers from multiple important parts of the organization to ensure a company-wide response. These stakeholders might include:

  • Chief Information Security Officer (CISO
  • Head of IT Security

A firm’s response to a cyber attack is critical. For example, while Wyndham Hotels faced significant penalties due to its aggressive stance and lack of self-reporting after the data breaches, the responsiveness of its board and its numerous meetings about the breaches went in its favor in court.

Incident Response Plan

An incident response plan documents a business's steps following a security incident. The document should include responses to various incidents as identified during risk assessments.

The document typically begins with the incident response team's roles, responsibilities, and contact details — the people leading the response. Each set of guidelines needs to be written with enough clarity and detail that anyone in the organization can follow the plan.

An incident response plan is vital because firms with incident response plans have significantly lower costs after a data breach. With a plan, a business can react more quickly and effectively to:

  • Identify the problem
  • Contain the breach
  • Notify regulators, staff, and franchises
  • Inform business partners
  • Make an announcement to the press and customers, where required
  • Work with local, state, or federal authorities to limit the cyber threat

Backups

All organizations should back up mission-critical data. It’s better to have backups and not need them than to need them and not have them.

An organization can restore business functionality via backups if a ransomware attack encrypts essential files. Using cloud-based providers for data backup means that this data can be stored offsite and on a different network, keeping it safe from attack and accessible from any location. If the business needs to relocate to remediate a cyber threat, it can restore its systems using cloud backups.

Event Logs

Event logging keeps track of who uses a network at any given time. When it’s time to analyze unusual network behavior or identify the attack vectors of a cyber attack, event logs provide cybersecurity professionals and digital forensics experts with valuable information.

Event logs help organizations respond more quickly to cyber incidents by helping the incident response team or cybersecurity experts identify, contain, and mitigate a breach.

Anti-Malware

Antimalware is an essential layer of defense against cyber attacks. Ensuring that antimalware databases are as up-to-date as possible is critical, so regular maintenance is essential.

Firewalls

Firewalls monitor and filter everything attempting to enter a network and all transmissions that attempt to leave it according to the organization’s network security policies. Along with malware, it is an essential component of network security.

Cyber Insurance

Cyber insurance, typically excluded from general liability insurance, covers a business’s liability in the context of a data breach involving the compromise of sensitive data. Financial assistance to cover the cost of data breach remediation, regulatory penalties, and lawsuits can help a business recover.

A hospitality business can attract lower premiums from cyber insurers by improving its security posture and lowering risk. The activities in this post's data breach prevention section can help an organization reduce cyber insurance premiums.

Ready to see
UpGuard in action?

Ready to save time and streamline your trust management process?