Data breach threats in hospitality

Cybercrime has become a serious problem for many industries, and hospitality is no exception. Akamai, a cybersecurity and cloud service company, detected more than 100 billion credential stuffing attacks in July 2018 - June 2020, 63 billion of which targeted travel, retail, and hospitality.

Each successful assault by hackers has its price. According to the 2020 report by IBM, a data breach in hospitality costs around $1.72 mln. That’s why investments in cybersecurity for hotels are money well spent.

Large hotel chains often create their own mobile apps, booking systems, and so on. However, they do not always pay attention to the security of such software. For instance, guests’ credit card details and other personal data may be stored in unprotected databases on the hotel’s servers. As a result, this information becomes easy prey for hackers”, says Oleksii Glib, CEO at Acropolium.

This article deals with the question of why hospitality is especially vulnerable to data breaches. You will learn about the main threats and how to avoid them. Aside from specific technical and organizational tips, there is some strategic advice to pay attention to on a larger scale. Read on and find out how to make your company more secure!

Why does hotel cybersecurity matter?

The hospitality industry is the focus of cybercriminals’ attention for several different reasons. Firstly, it is a lucrative target. As IntSights cybersecurity company specifies in its report, those businesses:

  • Collect a lot of highly sensitive and versatile customer data. Motivated by the desire to provide personalized experiences by using AI and ML, hospitality businesses accumulate more and more information. For instance, hotels may ask guests about credit card information, passport details, travel itineraries, personal preferences, etc.

  • Encourage repeat visits by the use of loyalty programs. Loyalty point balances are under such scrutiny as credit card statements. That’s why hacking these accounts may go unnoticed for some time, which attracts criminals. Aside from stealing accumulated points, the latter may also get more personal information (full names, birthdates) and, as a result, crack more passwords and credentials.

  • Manage a lot of financial operations. Some guests may be executives and other wealthy individuals, which are prime targets for hackers. Tapping into that stream of sensitive data may provide ample opportunities for fraudulent purchases and phishing attacks.

Secondly, cyber security issues in the hospitality industry tend to be quite serious. For instance, hackers can breach one regional hotel and access the entire chain’s network. Each of those hotels provides many potential entry points for criminals: alarms, electronic door locks, Wi-Fi, climate control systems, numerous Internet of Things (IoT) devices, etc.

Besides, hotels employ a lot of workers who may lack security awareness. High turnover poses challenges to managing permissions for different staff members. At the same time, one mistake by an unsuspecting employee can jeopardize the whole international chain.

On top of it, hospitality businesses may try to build their own data management systems without adequate attention to security. With undefined security responsibilities and exposure to third parties (property management, online travel agencies, maintenance, and so on), it creates a significant vulnerability to data breaches in the hotel industry.

The consequences of cybersecurity failure may be catastrophic. The most obvious is a blow to brand reputation. Customers aren’t likely to trust the company, which didn’t manage to keep the personal data of their guests safe. Moreover, there are legal and financial penalties. For instance, one of the most prominent hotel data breaches at Starwood hotels which began in 2014, exposed 339 mln guest records. In 2020, the UK Information Commissioner’s Office (ICO) fined Marriott International, the owner of Starwood, $24 mln.

In the realm of hospitality, cybersecurity cannot be treated as an afterthought, nor should it be viewed as an optional investment; rather, it’s the cost of doing business in any data and tech-driven landscape. More importantly, the costs and reputation damage associated with security lapses of varying scale are, unequivocally, more costly to a hospitality brand than proactively investing in security solutions and programs before an incident”, says Jeff Venza, Chairman and CEO at Venza.

Possible Digital Security Threats in the Hospitality

Illustration for blockchain-based voting system  like a great solution

As the previous chapter suggests, the hospitality industry has some vulnerabilities, which cybercriminals can exploit. There are several strategies they may employ. Let’s have a look at them and possible ways to enhance cybersecurity for the hospitality industry.

Point of sale (POS) attacks

These attacks, aiming for direct access to customers’ credit cards, are the most common ones in the sector. Financial institutions improve the security of credit cards. However, POS systems may be a weak link. Hotels may have POSs (terminals at restaurants, parking, etc.) offering many entry points for hackers. Insecure remote access or weak password at any of them is a way in for a cybercriminal.

Usually, POS security at hotels is the responsibility of third-party vendors. However, in case of a data breach, the hospitality company will have a hard time explaining that to angry customers and the media. That’s why choosing a diligent cybersecurity partner is of prime importance.

To protect against this threat, the company should:

  • Comply with PCI standards across all networks, routers, and servers.
  • Use end-to-end encryption, antiviruses, two-factor authentication on POS systems. By encrypting the cardholder’s data, a hotel can prevent hackers from easily accessing it in case of a network breach.
  • Hire a reputable data security provider.
  • Monitor possible thefts of POS devices, regularly accounting for all of them.

Malware and ransomware

Malware or “malicious software” infiltrates networks or individual computers, deleting files, stealing information, or installing unwanted software. Viruses, spyware, and so-called “trojan horses” fall into that category.

Ransome infects the computer, encrypting available data. A hacker holds the data “hostage,” demanding money for allowing victims to control valuable information.

The computer or network can be infected when users install software, visit an infected website, click email attachments, pop-up windows, or links. They can be manipulated into doing the latter with the help of the above-mentioned phishing attacks.

To protect against malware or ransomware, the hospitality company should:

  • Keep browsers and anti-malware software up-to-date.
  • Back up your data regularly.
  • Educate staff about avoiding security breaches in the hotel industry:
    • Check flash drives for viruses before using them
    • Be careful with clicking on links and adverts
    • Don’t give software from unknown or unreliable sources administrative permissions

Phishing attacks

Phishing emails are designed to look like ones from a trustworthy sender. In those emails, the hackers try to lure recipients into sharing sensitive information, such as passwords or credit card details. Phishing attacks can be divided into spear-phishing and whaling. Whaling has multiple targets, while spear-phishing is aimed at individuals.

For instance, an attack may include a combination of a spear-phishing phone call and an email. The criminal calls the hotel to act as a dissatisfied ransomware customer. The “customer” offers to share more details about the case via email. An employee opens a follow-up email and is likely to activate a malicious file. Thus, the hacker gets entry into the hotel network.

To protect against phishing attacks, try the following steps:

  • Install and update software, detecting phishing emails
  • Train employees to spot phishing emails (suspicious email addresses, poor grammar, spelling, typos, etc.)

Wi-Fi network hacks

A fast Wi-Fi network is a must-have for a modern hotel. Alas, public Wi-Fi systems can be insecure in many cases due to the human factor (improper configuration, etc.). Besides, it may not be feasible to alert all the staff and guests about security threats.

Hackers may try to install a rogue access point (AP), a wireless AP in a secure network, without an administrator’s authorization. Sometimes it can be added by a careless employee. As a result, criminals can hack the network from inside the hotel or even from a nearby car.

Another threat to data security in the hospitality industry is an evil twin AP, a fraudulent copy of a legitimate Wi-Fi AP. Hackers get close to the hotel and try to obtain AP information (MAC Address, SSID name, and Channel number). With this information, they can create a similar-looking AP. The “evil twin” is hard to tell apart from the original part of the network. The hotel’s employees and guests inadvertently connect to the wrong AP.

An Evil Twin attack

As a result, criminals can hack into guests’ laptops or smartphones. They can hijack personal data, passwords and infect the devices with malware. Besides, if a hotel’s database with information about guests isn’t adequately secured, they can be retrieved by hackers too.

You can protect guests and employees from Wi-Fi network attacks by:

  • Using wireless intrusion prevention systems (WIPS), which can look for unauthorized access points by monitoring the radio spectrum
  • Encouraging guests to use virtual private networks VPNs, which provide an additional security layer

DDoS (Denial-of-Service) attacks

A DDoS attack is an attempt to disrupt the functioning of a server or network by overloading it with internet traffic. Hackers use botnets of compromised networks to generate a powerful torrent of traffic. DDoS is quite popular among cybercriminals. According to Kaspersky, cybersecurity and anti-virus provider, in January 2021, DDoS activity exceeded 1,800 attacks per day.

One of the schemes of a DDoS attack. Hacker try to consume all available bandwidth between the victim and Internet

Hotels rely on many devices managed by computers: heating, ventilation, and air conditioning systems, sprinklers, closed-circuit television systems, and more. Those devices can be used to send pulses to elements of infrastructure, bringing the whole system down. DDoS attacks can disable a hotel’s online billing systems, ticket booking, or official website.

To protect yourself against DDoS attacks:

  • Employ anti-DDoS services to detect and deal with suspicious spikes in network traffic.
  • Make sure firewalls and routers have the latest security patches and can reject “malicious” traffic.

DarkHotel hacking

DarkHotel is a relatively new form of spear phishing. Hackers get travel plans of their targets (usually C-level business executives and other VIPs). They get access to a hotel’s Wi-Fi to upload malicious code on a server. Victims receive an invitation to download it as some benign update or program. If they do, the hacker gets access to information on their device.

Protection against DarkHotel hacking includes:

  • Encouraging guests, especially VIPs, to protect their Internet traffic with a virtual private network (VPN)
  • Warning guests about the dangers of clicking pop-ups messages if they use local public Wi-Fi. They will be better off downloading software from the vendor’s website.

Hotel cybersecurity best practices

Illustration for cybersecurity concept. Big data protection.

Data breach threats in hospitality are numerous and can be costly. To minimize them, you should devise the right cybersecurity strategy for your business. While doing that, keep in mind these important principles:

  • Educate your staff about cybersecurity threats. No matter how much you invest in technology, one careless employee may be enough to let the hackers in. Most data breaches can be linked to an employee of the affected organization or a person associated with it.

    Therefore, training is important not only for customer service but also for cybersecurity. Tell employees about common tactics of hackers, explain what they should do or avoid doing to protect themselves, their employer, and their guests. Teach them to be vigilant.

    Cybersecurity is everyone’s responsibility, whether you are C-level, management, accounting, housekeeping, maintenance, or reception, it does not matter. Everyone needs to be made aware of the hotel’s individual cybersecurity policies, attitude, and culturesays Rob van der Heijden, Global Chief Security Officer at protel.

  • Build your digital infrastructure using reliable third-party software and help from reputable service providers. Hotel chains tend to create custom systems, managing credit card payments, processing customer data, etc. However, not all of them employ experienced developers with all the necessary skills. The result is poor cybersecurity.

  • Employing software providers and SaaS platforms (for instance, a property management system, PMS) means more expenses. Still, using their help to secure your critical operations is worth the money. Those investments are far smaller than the fines you will have to pay in case of a data breach. Such providers employ teams of professionals who take security very seriously and will keep hackers at bay.

  • Store as little personal data as you can. Collecting large volumes of data, despite its upsides, makes you more vulnerable to cyberattacks. Knowing the name of your guest’s pet, for instance, may not be of prime importance for your business. However, in the wrong hands, this information may result in compromised passwords.

    If you absolutely need to accumulate some data, look for storage services. A secure third-party server requiring multiple checks to access the information may be a great option. Another way is to use software, storing sensitive data on your customers’ device and accessing it only when required.

  • Design a plan on how to deal with a data breach. Despite your best efforts, criminals might still attack your business. A fast and efficient response can help to mitigate damage to a brand’s finances and reputation.

Why Choose Acropolium as a Secure Software Provider?

Boost Your Cybersecurity with Acropolium

Alas, a data breach in hospitality isn’t something extraordinary. Hotels are hubs for the personal data of many people and numerous financial operations, which lures cybercriminals. Custom digital systems with little security features, personnel with low cybersecurity awareness, and numerous “entry points” for hackers multiply the risks of data breaches.

However, hospitality companies can mitigate those risks. To boost cybersecurity for the HoReCa industry, one needs to keep software up-to-date, paying special attention to POS’s. Even more important is training your staff to see and avoid cybersecurity threats. Limiting the amount of personal information you store about guests may protect them in case of a data breach. Also, you should look for trustworthy software providers or SaaS platforms to use for your critical operations.

If you need a secure digital infrastructure for a hospitality business, contact Acropolium. We have been working with clients from the HoReCa sector for more than 12 years. Our team delivered 45 custom solutions and provided consulting services for more than 70 projects. Acropolium’s IT solutions spectrum ranges from POS software to delivery apps. Work with us to get efficient and secure digital instruments for your business!