The Growing Importance of Cybersecurity in the Hospitality Industry

The impacts of a data breach or payment card fraud, for example, are far-reaching, damaging, and costly. It’s not only your pocket that takes a hit but also your reputation.

To compete in a yet again booming hospitality industry, businesses must deliver excellent customer experiences. One of the ways modern hospitality businesses achieve this is by collecting and analyzing sensitive customer data.

However, collecting, processing, and storing large amounts of customer data makes the hospitality business attractive to cybercriminals. Hotel chains, for example, typically store sensitive information about each guest.

Personal data frequently processed by hospitality industry computer systems includes:

• Names of hotel guests
• Street addresses
• Email addresses
• Phone numbers
• Credit card data
• Dates of birth

Cybercriminals can sell guest information on the dark web, hold it for ransom via ransomware, or use the data to commit further crimes, including phishing attacks and identity theft. Also, with stolen personal data, cybercriminals can develop and distribute fake confirmations, updates on non-existent loyalty programs, and bogus transfer requests, intending to trick guests into sharing more data or performing financial transactions.

Following are the top vulnerabilities of the hospitality industry.

•  Card Readers / Point of Sale (POS) Systems

POS systems provide convenient payment throughout the hospitality industry but also increase the potential risk of data breaches. POS devices not only process transactions but can also manage inventory and orders. Furthermore, cybercriminals launch attacks against business systems using POS applications as the entry point.

One area of weakness is when organizations use POS systems with unsecured wifi. It’s relatively easy for a hacker to gain unauthorized access to a device or the entire network this way. Doing so would allow cybercriminals to access customer information, such as payment card information, which could let them make fraudulent transactions.

•  Using the default passwords that come with devices like these makes organizations more vulnerable to cyber attacks, particularly considering that each device can typically connect to other POS devices on the network. It only takes one with a problem to increase the risk to the whole organization.

Hotel Wi-Fi

Hotels typically offer hotel Wi-Fi to guests to provide convenience and enhance the customer experience. However, if the Wi-Fi network is unsecured, cybercriminals can access hotel guests’ phones or the hotel network, which could compromise servers containing personally identifiable information (PII).

Hotel Wi-Fi also invites connections from unknown, unvetted client devices, introducing the risk of malware infection via this attack vector.

Internet of Things (IoT) Devices

Hospitality organizations, particularly in the hotel industry, are increasing their use of Internet of Things (IoT) innovations to improve customer experience and deliver efficiencies.

Examples of such innovations are:

• Interactive screens where guests can receive personalized greetings, weather, and local information
• LED lighting that responds to natural daylight
• Locks using facial recognition to enter buildings and rooms
• Smart thermostats to reduce energy costs

Even though many IoT applications are related to security enhancements, hoteliers and others in the hospitality industry must not implement IoT solutions without understanding their inherent vulnerabilities.

Every IoT device increases an organization’s attack surface by providing another endpoint that cybercriminals could exploit. Unvetted IoT technology can increase organizational risk in numerous ways, including the following:

• Added organizational complexity
• More entry points
• The use of unsecured wireless technology
• Potential onboard malware

Outdated onboard security

Unchanged default security settings

Hotel Websites

Customers expect modern businesses to maintain a presence online. Hotels typically provide up-to-date information and take bookings online to compete in the hospitality marketplace.

However, hotel websites are a potential vulnerability. Cybercriminals may target poorly secured websites to access the organization’s network, steal customer data, or cause business disruption.

How To Prevent Data Breaches in the Hospitality Industry

Maintain PCI DSS Compliance

PCI compliance is critical in the world of cybersecurity. There are many tasks that go into becoming and staying compliant, including:

•  Replace paper/PDF authorization forms with a digital solution
•  Create an internal data security policy
•  Create a cyber incident response plan
•  Perform risk assessments
•  Implement a security awareness program

Physical Security Measures

Physical security measures play an important role in preventing data breaches in your hotel. This is so that cybercriminals cannot just walk into secured areas and steal information.It’s essential to protect all of your devices and systems that store and transmit sensitive information. You can do this by:

•  Limiting physical access to certain areas
•  Securing all devices with cable locks, security plates, or secure cabinets
•  Installing security cameras: Security cameras in the areas where sensitive information is stored or processed (such as your front or back offices) can deter attackers and give you evidence should a breach occur

Backups

All organizations should back up mission-critical data. It’s better to have backups and not need them than to need them and not have them.

An organization can restore business functionality via backups if a ransomware attack encrypts essential files. Using cloud-based providers for data backup means that this data can be stored offsite and on a different network, keeping it safe from attack and accessible from any location. If the business needs to relocate to remediate a cyber threat, it can restore its systems using cloud backups.

Event Logs

Event logging keeps track of who uses a network at any given time. When it’s time to analyze unusual network behavior or identify the attack vectors of a cyber attack, event logs provide cybersecurity professionals and digital forensics experts with valuable information.

Event logs help organizations respond more quickly to cyber incidents by helping the incident response team or cybersecurity experts identify, contain, and mitigate a breach.

Anti-Malware

Antimalware is an essential layer of defense against cyber attacks. Ensuring that antimalware databases are as up-to-date as possible is critical, so regular maintenance is essential.

Firewalls

Firewalls monitor and filter everything attempting to enter a network and all transmissions that attempt to leave it according to the organization’s network security policies. Along with malware, it is an essential component of network security.

Cyber Insurance

Cyber insurance, typically excluded from general liability insurance, covers a business’s liability in the context of a data breach involving the compromise of sensitive data. Financial assistance to cover the cost of data breach remediation, regulatory penalties, and lawsuits can help a business recover.

Examples of Cyber Attacks in the Hospitality Industry

In January 2023, user data of Hilton Hotels was put on sale on a dark web forum. A forum user under the alias IntelBroker has offered a database of 3.7 million records, belonging to the Hilton Hotels Honors program. The Hotel Group and independent analysts have verified that the tranche the details of only about 500,000 Honors accounts.

Contact us for more information about cybersecurity in the Hospitality Industry!