“Hotels present a rich target for cybercriminals in today’s connected world,” warned Ray Kafity, vice president, Middle East, Turkey and Africa at data security specialists Attivo Networks.
Information released by hotels backs Kafity’s statement. In November 2017, it was revealed that the company behind Hilton Hotels is paying a $700,000 fine in the United States after mishandling two separate credit card data breaches.
The attacks were in 2014 and 2015, when more than 363,000 accounts were put at risk.
Hyatt also experienced a credit card data breach at its hotels for the second time in recent years in October 2017, when the company revealed that there had been a breach of its payment systems that exposed customer data from 41 hotels in 11 different countries throughout the globe. The stolen data belonged to customers who used credit cards at any of the affected hotels between March 18 and July 2, 2017.
Additionally, in February this year, InterContinental Hotels Group (which includes brands such as Crowne Plaza, Holiday Inn, Candlewood Suites, and Kimpton Hotels and Resorts) admitted to a data breach that was first discovered in late December 2016. While IHG said the breach took place in only 12 IHG-managed properties, it later released a statement admitting the breach affected more hotels than it had thought.
IHG said the malware was “designed to access payment card data from cards used onsite at front desks” at properties between September 29, 2016, and December 29, 2016.
Kafity explained to Hotelier Middle East that hospitality has become an increasingly attractive target for cyber attacks. These attacks focus heavily on the hospitality organisation’s Point-of-Sale (POS) systems, which remain among the most difficult assets to protect because of historic vulnerabilities at the device endpoints, the inability to apply additional security measures such as encryption to transaction data, and the increased use of the Tor network (host for the Darknet and online black markets) to easily facilitate the sale of stolen information.
“Network security and data privacy problems have been in the news this year, following which hoteliers have reached their tipping point and have no other choice but to tackle cyber risks and ensure their reputation amongst customers remains intact. In light of this, many have given cybersecurity the footing and priority it deserves across the board,” added Kafity.
According to AccorHotels chief digital officer Maud Bailly, IT, data protection and personalisation are the key. “We have just hired a data protection chief officer. In my team, we have IT, ecommerce, client and customers, sales and distribution and data. Talking about personalisation, it’s also a matter of respect for the customer,” Bailly added.
Bailly emphasised that AccorHotels has a very strong, dedicated IT security team. “They are working every day, 24 hours a day — of course we are facing attacks and risks every day, and the thing is, so far we are quite good because we are paying attention to each kind of risk which could affect our business,” she added.
A recent study from Ponemon Institute, a research centre dedicated to privacy, data protection and information security policy, found that the average total cost of a data breach to hotels is US $4 million. The study also reported that the cost for each lost or stolen record containing sensitive and confidential information increased from an average of $154 to $158.
While the guest experience is being enhanced by IoT technology — in checking in and unlocking rooms via mobile phones, for example — it has also provided greater ‘attack surfaces’ for cyber criminals.
Many IoT devices are not designed or maintained with security as a priority, however, which brings with it a host of potential issues.
According to a recent study by IBM Security and the Ponemon Institute, 80% of organisations do not routinely test their IoT apps for security vulnerabilities.