Are hotels facing a cybersecurity crisis?
Guests provide a wealth of sensitive guest to hotels making them an enticing target for cybercriminals. Recent high-profile data breaches have showcased just how ever the biggest names in the industry are not immune to hacking, but what are hoteliers doing to ensure that guest information is as secure as possible? And what further action can be taken? Alex Love finds out.
otels are under attack from increasingly sophisticated hackers, intent on stealing sensitive data, such as guests’ credit card information and identification documents.
In the last decade, there have been around 30 data breaches for high-profile chains including Marriott, Hilton, Hyatt, IHG and even Trump Hotel Collection. Consequently, hundreds of millions of customers have had personal details stolen and billing information compromised.
There is a belief among cybersecurity professionals that hotels are either not doing enough to combat this growing threat or using inadequate solutions.
“The challenge with hotel chains in general is that they tend to be looking at running things as low-cost as possible,” says Joseph Carson, cybersecurity expert and chief security scientist at Thycotic.
“At the same time, I don't think that they see the value of the data that they are actually collecting and processing. And that ultimately becomes the major issue.When you don't see the value yourself, but attackers do, then they'll take advantage of your failure to protect it.”
Cyber criminals are continuously seeking opportunities to exploit. Not only can a data breach harm a hotel brand’s reputation, but owners will also be hit with hefty penalties from authorities. The EU’s GDPR law has imposed tighter rules on how companies treat customer data and how long they can hold onto it, with considerable fines imposed on those found in breach of regulations.
“Hotels hold millions of pieces of data, which can have a great value on the dark markets. Therefore, when hotels are not properly protected, criminal hackers will continually exploit wherever possible in order to extract whatever they can,” explains Jake Moore, cybersecurity specialist for ESET.
Reacting to a data breach
If a hotel is unfortunate enough to suffer a data breach, the business must carry out a comprehensive review of its data storage and cybersecurity infrastructure.
“Following a breach, hotels must make sure they have a complete index of all the data they have. They must also ensure they have complete visibility of where it resides, who has access to it and what is of value,” says Matt Lock, technical director at Varonis. “Once these basic steps are complete, any system that provisions the data – a server, an app or anything that gives users access – is given the right level of security focus to ensure tasks such as patching and re-certifications of IT admin access are conducted periodically.
Hotels must expect to be the target of repeated breach attempts.
“Even with these precautions, and regardless of the protection measures taken, hotels must expect to be the target of repeated breach attempts. Hotels must also develop a strategy that protects their reputation if they are breached again. They need to know exactly what went wrong the first time and be ready to demonstrate a cohesive plan for dealing with the next one.”
In June, 497 vulnerabilities were discovered on websites owned by Marriott during a wider investigation by Which? and cybersecurity experts 6point6. Furthermore, 96 of these were considered high risk and 18 were deemed critical. The investigation used legal online tools that are available to anyone, suggesting that hackers using more advanced methods could find an even greater number of vulnerabilities.
Responding to the Which? investigation, a spokesman for Marriott said: “At this stage, there is no reason to believe that the findings impact Marriott's customer systems or data.”
Marriott has had a series of unfortunate events regarding cybersecurity. In 2018, as many as 339 million customers had personal information stolen after hackers attacked the database of its Starwood brand. Then in March this year, the chain announced a data breach affecting the personal details of 5.2 million customers.
“The activity that we reported in March 2020 did not involve an attack on or breach of Marriott’s network or systems. Rather, it involved the unauthorised use of a Marriott application using login credentials issued previously to two employees at a franchised hotel who were intended to have access to the application,” a Marriott spokesperson confirms.
“Following Marriott’s identification of this activity, it confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring and arranged resources to inform and assist guests. Marriott also notified relevant authorities and is supporting their investigations. It has also implemented a series of additional security controls and protections over the past few months to further mitigate the risk of the activity recurring."
In March this year, Marriott announced a data breach affecting the personal details of 5.2 million customers.
They continue: “Marriott has a long-standing commitment to providing excellent service to our guests, which includes respecting their concerns about privacy and protecting the personal data that they entrust to us. The company has a comprehensive information security programme, which relies on a multi-layered approach to protecting information and assets through various integrated technologies, processes and company policies.
“Marriott has embedded oversight and governance of its security and privacy programmes at the highest levels of its business and continues to enhance its security posture to adapt to a dynamic risk landscape.”
In 2014 and 2015, Hilton was attacked by cyber criminals using malware to steal customers’ credit card details. The chain was fined $700,000.
“The safety and security of our Hilton Honors members’ and guests’ information is of paramount importance. Hilton is strongly committed to protecting personal information, and we regularly review and update our systems using industry best practices,” states a Hilton spokesperson.
IHG and Hyatt were also contacted about their data breaches and asked how they have increased protections since, but did not respond.
Cybersecurity improvements for hotels
Fortunately for hotels, cybersecurity systems can be strengthened with the right expertise; although ‘off-the-shelf’ solutions are not recommended as they may not always meet the specific security needs. Instead, it is considered best to call in the specialists.
Joseph Carson proposes that hotels adopt a similar approach to fire safety checks. This would involve an independent, accredited expert inspecting the hotel’s cybersecurity infrastructure and data protection measures, identifying weaknesses and making recommendations, he explains. Then carry out future inspections to make sure measures have been implemented.
Hotels must understand this importance of these threats and future-proof their networks.
“It's also a balance between not just technology, but also people and process. You want to make sure that your people are trained and ready, and they know how to use the tools that are there. What use is having 2,000 fire extinguishers sitting there without having expertise to know how to actually operate them? And this ultimately is the same for security,” says Joseph Carson. “And then you want to make sure that with auditability you are taking the right measures. So somebody can come around and audit and make sure that what you said you're doing is actually really happening.”
Meanwhile, Moore suggests hotels hire a cybersecurity specialist to simulate a cyberattack and learn of any weak spots.
“Hotels must understand the importance of these threats and future-proof their networks. The best way to mitigate inevitable attacks is to carry out a simulation attack from a penetration-testing third party who will highlight all the vulnerabilities and shine a spotlight on what areas require attention,” adds Moore. “Many directors fail to see the importance of their own security and often favour saving money rather than patching what is currently necessary. The problem is, the unavoidable ransoms and fines far outweigh any prudent protection payments.”