While hospitality companies have fewer transactions than retail organisations — and thus have data on fewer customers to steal — they collect substantially more valuable and varied personal data for each of their guests. Hotels — especially high-end hotels — collect substantial personal information on their guests to give them a more personalised stay. In addition, hotels often share partnerships with other local companies that their guests may frequent (from restaurants to local entertainment options), giving hotels even more expansive profiles on each guest in their database.
In short, hotels collect and store much more information on each of their guests than simply their name and credit card information. This rich personal data is invaluable to cybercriminals. They can use it to impersonate each breached customer more convincingly, leading to further identity theft and social engineering attacks against each individual's company. By enabling further attacks, breaching a hotel provides cybercriminals with much more value than breaching a company in almost any other industry.
However, there is one other reason why hospitality companies are being breached so often. Simply put, they are relatively easy to breach for a few key structural reasons.
Hotels have transformed into complex, widely interconnected digital environments. Hospitality companies are competing to see who can give their customers the most innovative digital experience. Nearly every hotel now offers its guests dedicated mobile apps, along with new digital partnerships with sponsors, travel companies, and other related hospitality and entertainment companies.
But even before hotels began to compete on digital innovation, the core functionality and structure of most hospitality companies made them particularly vulnerable to cyber-attacks. Hotels run a massive number of endpoints and remote connections. HVAC controls, Wi-Fi systems, alarms, and electronic door locks are all common digital features in modern hotels, and each provides cybercriminals with an entry point into a hotel's network. In every hospitality company, each individual regional hotel is directly connected to the company's entire national (or global) network, which means only one small regional hotel needs to be breached to compromise the entire company.
A hospitality company’s vulnerability to a single point of failure is a massive weakness. Only one employee at one hotel needs to make one mistake to create a global crisis. And these failure points are likely. Hotel computer systems are in constant use from countless terminals. Most of the employees who interface with computers at hotels are not IT employees, nor are they trained to act sensitively to cybersecurity concerns. Many hotels utilise legacy systems, and even modern systems are rarely patched, updated, and protected.
And here's the really bad news: even if a hotel runs its own networks perfectly, it cannot control its many external vendors. Most recent large-scale hotel breaches were not caused by any specific mistake made by the hotel; they were caused by cybercriminals breaching the hotel's Point of Sale (POS) system.
When you consider the value of data hotels collect, and their high level of vulnerability to breaches, it’s no surprise that the hospitality industry is under siege. But despite these challenges, hospitality companies can take specific actions to quickly secure themselves.
If a hospitality company wants to secure themselves, they have to take a very specific first step: they have to accept that they will be breached. There are too many factors out of their control. Too many locations and digital entry points. Too many systems in constant use by individuals with too little training. Too many external vendors providing critical partnerships and functionality.
Hospitality companies still need to modernise their infrastructure, train their staff, and hold their partners accountable. But they also need to take proactive measures to ensure their inevitable upcoming breaches will not put them in the news due to their slow response, lost revenue, and damaged reputation. From our experience as a cybersecurity provider, the only way to prevent damage in today’s digital environments is to shift focus away from perimeter defence, and onto taking every measure possible to detect and respond to successful attacks as quickly as they occur!
(Paladion Networks is a Global IT security service provider and a specialised partner for information risk management providing end-to-end services and solutions in Asia, the US, and the Middle East. Paladion is rated as the largest pure-play Information Risk Management partner in Asia. For over 15 years, Paladion has been actively managing information risks for over 700 clients across the world.)
The views expressed within this column are the opinion of the author, and may not necessarily be endorsed by the publication.