Tackling Security Threats in the Hotel Industry

February 19, 2020 2:12 pm Natasha Deeney

There has been a myriad of data breaches in the hotel industry. Marriott, Radisson Hotel Group, InterContinental, Four Seasons and Hilton Hotels are just some of the major corporations that have hit the headlines in recent years as a result of a data security attack.

Today, the Marriott breach is often cited as one of the biggest data breaches ever to take place, resulting in a fine of more than $120 million. However, these basic security failings not only cause devastating financial losses, but they also cost organisations their reputation, jobs, investment and business. Last year, PwC’s Hotels Outlook report stated that the hospitality sector had the second-largest number of cyber security breaches after the retail sector.

Hospitality is a lucrative industry for cybercriminals because of the value and volume of personally identifiable information that these organisations hold. This, coupled with a large workforce, provides ample opportunities for intruders to infiltrate the reservation system or the in-house restaurant POS to capture critical customer data.

The industry has undergone a major shift in recent years, with many hotels becoming completely digitalised in a bid to gain competitive advantage and keep up with online travel agencies such as Expedia and Hotels.com. As a result, these organisations are now using the latest technologies such as reservation apps, payment processing systems and complex corporate networks, which increases the likelihood of an attack. At the same time, the cyber landscape continues to rapidly evolve and hoteliers face a number of common threats, including:

Phishing

The majority of all cyber-attacks can be traced back to a phishing email that tricks the victim into divulging their credentials or downloading malware. Phishing remains the most popular social engineering attack due to its high success rate. A study conducted by Intel found that 97% of security experts fail to distinguish phishing emails from genuine emails. Last year, a number of hotels and guest houses featured on Booking.com were targeted by phishing emails, resulting in users of the website being sent emails instructing them to provide payment details.

But it’s not just malicious emails that are used to trick people into clicking on links or divulging sensitive information. Another common tactic used by criminals involves the creation of fake websites to trick victims into entering sensitive information. The criminals will spend a lot of time making the site seem as credible as possible and making it appear almost indistinguishable from the real thing.

In fact, approximately 55 million online hotel bookings are affected by fraudulent websites and call centers posing as hotel websites, according to the American Hotel and Lodging Association.

Ransomware

In 2017, Romantik Seehotel Jaegerwirt, a luxury Austrian hotel, was hit by a ransomware attack that shut out guests and hotel employees from guestrooms until hotel management paid the demanded ransom – two Bitcoins, or about $1,800. After the attack made headlines, many hotels were forced to reconsider how to protect themselves from future cyber attacks.

Worryingly, ransomware is evolving into a new type of threat where cybercriminals are not just encrypting data but are also stealing it and threatening to release it on the internet. This exposes organisations to damaging public data breaches and the associated regulatory, financial and reputational implications.

In 2019, 205,280 organisations submitted files that had been hacked in a ransomware attack, a 41% increase from the year before, according to a recent report. When it comes to defending against ransomware in the hospitality industry, businesses need to always be prepared for a breach and have an incident response plan ready to put into action.

DDoS

In recent years, hackers have been deploying new tactics and Distributed Denial of Service (DDoS) attacks have been growing in popularity. This type of attack is an attempt to make an online service unavailable by overwhelming it with huge volumes of traffic from multiple sources to cause great damage. The damage can include loss of data, loss of revenue, reputational damage, and a loss of customers.

The hospitality industry has become the favourite target of DDoS attacks because hotels use a wide array of devices, from TVs to reservation systems, which are all managed by computers and can be used to disrupt other systems on the infrastructure. In 2017, Donald Trump’s chain of hotels came under a DDoS attack from hackers which led to the website being unavailable for 12 hours.

Vulnerable third party suppliers

Data breaches caused by third parties cost large companies millions. According to a survey, almost half (44%) of firms have experienced a significant, business-altering data breach caused by a vendor. With hotels using a multitude of suppliers, the hospitality sector offers vast opportunities for hackers to launch malicious attacks. Everything from point of sale to reservation systems, property management, human resources, and payroll are potential entry points.

This is where security standards, such as ISO 27001, have an important role. ISO 27001 guarantees that vendors are held to the highest standards via approved and documented processes, and are committed to the highest standard of information security.

With the hospitality industry increasingly prone to malicious cyber attacks, there are a number of ways organisations can combat cyber security threats:

  • Develop a culture of continuous cyber awareness training amongst staff, which adopts a variety of engaging methods to educate employees on their role in keeping their organisation safe and secure.
  • Restrict access to payment or personal data to only staff who require this information to do their job.
  • Use individual logins and access codes to systems.
  • Organisations should consider the use of a DDoS protection service that will detect abnormal traffic flows and redirect any DDoS traffic away from the network. Other security measures include securing network infrastructure through the use of a firewall, VPN, anti-spam and other layers of DDoS defence techniques.
  • Ensure PCI compliance standards are in place. These standards provide a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment.
  • Install and update antivirus software on all devices.
  • Never click on links or download attachments from unknown sources.
  • Do not use public Wi-Fi to conduct any business activities.
  • Ensure suppliers are vetted and access controls are carefully considered, as these are often points of weakness.
  • Never pay a ransom, as there is no guarantee you will ever get your files back.
