One need look no further than the Marriott hotel data breach that resulted in Marriott data of up to 339 million guests being compromised in a cyber-attack.

With UK’s data privacy watchdog, the Information Commissioner’s Office (ICO) fining the Marriott hotels group £18.4m in 2020, the stakes are high from a financial point of view as well as from a customer trustworthiness standpoint.

It is important to appreciate that there is no ‘silver bullet’ or ‘one size fits all’ solution when it comes to preventing hotel data breaches.

But even if your worst nightmare becomes a reality, every hotelier should know  what steps to take after a cyber attack…

In this article, we will unpack all there is to know about hotel data breaches, and then ascertain the best way for you and your hotel to put appropriate measures in place to ensure that an online attack won’t leave you and your business with egg on your face as you deal with the erosion of your customers’ trust.

What are hotel data breaches?

Simply put, a hotel data breach is when the sensitive information of a hotel’s guests becomes compromised and ends up outside of the security system that the hotel has in place.

Increasingly, this happens due to concerted hacking attempts that target the treasure trove that is a database filled with passport numbers, home addresses, credit card details, phone numbers, and other valuable data.

It can also occur by accident due to a software malfunction or said personal information being uploaded to the wrong cloud-based server.

Human error can play a part, and this is why all senior staff in the hotel industry needs to stay abreast of how to prevent hotel data breaches by educating themselves on employing better data security measures.

As soon as this hotel data is released, you have a breach.

Hackers can put the various pieces of the puzzle together quite easily by posing as a colleague and phoning or visiting reception, and enquiring about a guest’s whereabouts.

Then, just by working with a name and credit card details, they can go on an unauthorized online spending spree.

Long-term brand damage, litigation, and costly fines for non-compliance are some of the consequences you’ll be facing as you figure out how best to contain your breach incident.

 Besides having your staff trained about cyber security, it’s imperative that you have an organized network and software system that will protect you from the get-go.

Increase in hotel data breaches

The list is long of the growing number of hotel data breaches, from point-of-sale attacks at over 70 Starwood hotels in 2015, to the 2018 Marriott hotel data breach that we mentioned earlier.

All the big names are there: Trump Hotels, Hilton, Hyatt Regency, Hard Rock Hotel & Casino Las Vegas, Radisson Hotel Group, MGM Resorts International, and Choice Hotels International… these are just some of the big-name companies that have announced a data breach of email addresses in recent years.

Over 500 million guests of Marriott are said to have been affected by their data breach.

As cyber hackers sharpen their tools on the more elaborate booking systems of international hotel chains that contain a larger number of customers’ information, the impending reality is that smaller hotel chains and boutique resorts are increasingly likely to fall victim to phishing, malware, and the cyber-attacks of voracious hackers.

Who these hackers are, remains unclear.

The US government has gone so far as to say that they suspect that the attack on Marriott’s Starwood hotel chain was part of a data-mining exercise carried out by the Chinese government to root out American spies.

Poor data security make hotels soft targets

Regarding Marriott, they are the biggest hotel provider for US military and government personnel – so a case can be made that the bigger hotel chains are part of an international information war with its own seedy underbelly.

We have witnessed how general data protection and the breach of personal information have become a hot topic in the past two decades, ever since 9/11 and the passing of the Patriot Act in 2001.

Of more pressing concern for smaller resorts and boutique hotels is the fact that security needs to be maintained and strengthened on three fronts, namely ‘the cloud’, the internal corporate network, and the Point Of Sale (POS) system.

Each of these interfaces could easily be hacked if your business is not vigilant. Cloud software is still in its infancy when it comes to installing layers of security.

Internal messaging over e-mail and communication channels such as WhatsApp is easy to infiltrate.

And of course, a POS system is the coalface that we’ve mentioned already, where hotel staff is looking to put on a smile when dealing with the customer – not second-guessing whether or not they are a fraudster.

Types of hotel security breaches

In the same way, as you’d lock up your hotel guests’ jewels in the hotel safe, you need to keep your customers’ data safe.

As soon as you appreciate its value, you can get your head around the systems that you will need to put in place from a technological and staffing point of view to protect this valuable asset.

Knowing what’s out there as a viable threat is a great place to start:

Denial of Service (DoS) attacks

The intention here is to oversaturate your work computer or website, rendering it incapable of carrying out any further requests.

In the hospitality industry, this often involves crashing a hotel’s website through the use of botnet software so that the site cannot accept any new bookings.

By flooding the target website, network, or machine with traffic, the information overload will cause your IT system to crash.

This will result in extended ‘front of house’ downtime for your customer who relies on the expedience and functionality of your system to plan their travels.

Hotel Malware

Short for ‘malicious software’, malware comes in all shapes and sizes.

If you’ve had a computer that has been connected to the internet, then the chances are that you’ve heard about viruses, ransomware, spyware, and Trojan horses.

The usual rules for protecting against malware regarding anti-virus software and software updates apply.

With hotels though, the vulnerability lies in the hotel WiFi or ‘internet hotspot’ whereby a guest might unwittingly download what they perceive to be an internet token or hospital passcode, only for it to sit on their laptop for months before announcing itself as malware and becoming active.

‘DarkHotel’ is a cyber-attack group known for targeting business executives in this manner.

Hotel ransomware will lock and encrypt your personal files, forcing you to pay the ransom in bitcoin if you wish to retrieve your personal information.

Eavesdropping Attack

This form of cyber-attack is also commonly carried out over a network and can involve anything from a smartphone or printer that is temporarily connected to the company network.

Guests might let their guard down and click on an official-looking website while they are trying to access your hotel WiFi, and a nearby, remote machine can piggyback on their login and gain access to the company system.

Hotel WiFi networks provide the opportunity for a guest to reply to emails, make online payments, and transfer files all under the auspices of being able to let their hair down while they do this.

So the onus is on hotel management to ensure that the WiFi network is fully secure, and to explain to the guests exactly how they should go about logging into their network.

The strategic precision and sophistication with which eavesdropping hacker software can prey on the precise moment of opportunity that the trusting guest takes to conduct their business at your hotel are alarming, to say the least.

The downloaded software needs access to just one connected device and it can then roam around your hotel network’s entire root system.

From there it can distribute malware to other devices on the network, while simultaneously copying and updating files so that it doesn’t even leave a digital trace.

It’s now open season on the database of guest reservation details, as well as arrival and departure information – not to mention their credit card numbers.

Phishing and Spam

When it comes to phishing and spam, the vulnerability lies mostly in human error. Sensitive data is obtained when someone poses as representing a legitimate institution.

They rely on the gullibility of the gatekeeper (for example, a hotel receptionist) to divulge that information.

Spam emails will use a ‘spray and pray’ tactic that can sometimes work if a hotel manager is fooled by the fake company letterhead, or a staff member blithely opens an attachment that seems official.

‘Pop-up phishing’ is ever more common. In this case, a browser window will alert you to a virus that has been detected on your computer.

The attacker will gain entry into your system (defined by cybersecurity experts as a ‘beachhead’) with something as seemingly innocuous as a file that you or your staff happen to have double-clicked on. Once ‘ashore’, they will start scanning your ports.

They are looking for host-naming conventions, ways to crack your company passwords, and a POS machine or server that the hackers can then control remotely.

This allows them time to extract credit card data (also known as RAM-scraping or memory scraping) without getting detected. And voila! Bad news, you now have a hotel data breach on your hands.

How To Protect Against a Hotel Data Breach

It’s now time to roll up your sleeves as a hotel manager or hospitality business owner and figure out what you can do to protect yourself against a hotel data breach at your work address.

Educate yourself on data security

Educate yourself. Educate your staff. Educate your hotel guests.

Your hotel’s reputation is at stake, after all.

Especially when it comes to phishing attempts that prey on goodwill, you and your staff mustn’t be bending over too far backward to accommodate a guest when it’s actually part of an elaborate scam.

Likewise, your well-traveled hotel guest will expect a certain level of  IT security and best practices when it comes to providing them with login credentials and asking for payment.

The more you read up on best industry practices, the more likely you are to remain vigilant, allowing you and your colleagues to spot a scam coming.

Back up your hotel data

Keep your anti-virus software up to date, and back up your customers’ personal information to a server that is separate from the one handling your day-to-day business affairs.

In the same way, as you would give your hotel kitchen, carpets, and rooms a ‘deep clean’ once a month, make backing up your data to your cloud or remote server a regularly scheduled monthly event.

Destroy all paper copies of receipts, invoices, and travel arrangements that have served their purpose.

If valuable data needs to be retained for tax purposes, store it off-site.

Enhance password and network security

It’s important that your passwords are varied and unique, and that they change regularly (ideally when you back up your data).

Password generators are making life easier for us to not have to think of a combination of the name of our first pet, our mother’s maiden name, and the address where we grew up as answers to security questions for each and every email account that needs its own protection!

You can isolate the network that your guests use for their WiFi from that which is in use by the staff.

Setting up an appropriate firewall will restrict the type of person that would easily be able to gain access to your corporate network.

By compartmentalizing your networks you are also doing damage limitation should a data breach occur on one of the networks.

Find out how Sbit can help

Keep up to date with the  hospitality industry’s best practices by partnering with Sbit as your preferred security choice.

We make sure that you and your staff have a high level of digital awareness that ensures that cybercriminals will have their work cut out trying to outsmart you.

We offer a free ‘network detective scan’ to assess any weaknesses in your hotel’s IT network.

From there we have a great, easy-to-use online platform that will ensure that your hotel staff is the strongest link in your chain of hospitality.

In the event that you are already dealing with a server crash or ransomware, we have the technical skills to get your systems up and running again within one hour, thanks to our much-heralded ‘back-up and discovery’ solution, powered by Datto SIRIS 4.

We can assist with data backup setups and creating the right firewall so that you don’t get locked out of your own system.

We are highly adept at providing the right camera surveillance solution for your hotel plan so that the right products and systems work together without intruding on your guests’ privacy or hindering the functionality of your staff.

By being proactive it is easier to become that little more security conscious.

With Sbit, you’re supported all the way.