With pandemic restrictions lifting worldwide, the hospitality industry is beginning to thrive again. However, with this rise comes increased security threats as malicious actors look for vulnerable systems in hospitality to exploit and steal valuable customer data. Hotels are a popular target for these hackers, as the Marriott Hotels chain unfortunately found out when a massive data breach compromised up to 339 million guests . The attack began in 2014 within a subsidiary, Starwood Hotels, but was only detected in 2018, exposing sensitive information such as customer names, phone numbers, passport numbers, loyalty program numbers, VIP status, and email addresses for years. Marriott paid the price for this breach in 2020 when it had to settle a fine of £18.4 million ($24 million), not to mention the reputational harm it caused.
If you’re a player in the hospitality industry, you need to be aware of significant security threats that could disrupt your business. Read on to find out what challenges you have to face and how to address them.
Why Hospitality Is a Target for Hackers
Before diving into threats, it’s essential to understand why attackers are targeting you in the first place. PwC’s Hotel Outlook Report 2018-2022 claims that hospitality ranks second behind retail in terms of cybersecurity attacks . Establishments such as hotels are lucrative to exploit for numerous reasons, such as:
- Large footprint Hotel chains can have a national and international presence, and it only takes one security flaw or vulnerability in a region to break into the main network.
- Loyalty programs Consider all the information a customer shares within a hotel’s loyalty program—birthdays, names, family details, etc. A hacker can steal this data and use it to guess user names and passwords, then utilise that info to perform credential stuffing attacks on other sites. They could even spend loyalty points fraudulently, and guests may not even notice.
- Sensitive data People share a lot of data with businesses in the hospitality sector, including their government ID, shopping habits, personal preferences, passport details, payment information, and travel destinations. This adds up to a huge security risk, especially since companies tend to store this data long-term.
- Large volume of transactions Guests regularly check in and out of hotels, spending untold amounts of money. If an attacker gets hold of this information, they could use it to target high spenders.
- High turnover The hospitality business is known for its high turnover rate, so many employees may not be well-trained in the best practices for cyber security. This could expose your hotel to potential attacks and make it difficult for the IT team to keep track of permissions.
- Multiple endpoints Hotels contain various technologies, including Wi-Fi networks, air conditioning systems, and electronic door locks. These can serve as entryways for hackers to get a foot in the door and wreak havoc. Wi-Fi networks are especially vulnerable since they are usually open to the public and feature minimal security measures.
- Third-party vendors Many businesses rely on external vendors for services, such as payments, property management, and payroll. Hackers can attack these third-party companies to gain access to your hotel.
Security Threats to Watch Out For in Hospitality
Cyberattacks are becoming increasingly sophisticated, so you will have to be vigilant to stay one step ahead of attackers. Here’s a list of the biggest concerns facing the hospitality industry today:
Cases of ransomware are rampant across industries, and hospitality is no exception. A malicious actor can slip malware into your system through vulnerabilities or spam emails to encrypt essential data, thus locking you out of the system. They can target anything from systems that handle door unlocking and new room keys to property management systems (PMS) and customer relationship systems (CRM) that run crucial databases. To resume operations, hackers will ask you to pay a ransom, usually in bitcoin. However, paying the ransom comes with risks since the attackers may not hold up their end of the bargain.
As mentioned previously, workers who are not aware of security risks can expose themselves to attacks, with one of the most common being phishing attacks. Hackers can seek out employees on social media and pick up valuable details, sometimes even making fake profiles so they can send friend requests. Another entry point could be a spear phishing attack where the hacker calls your hotel to make a reservation and asks for an email address. The unsuspecting employee making the reservation will open the email and any malicious attachments, thereby creating an entry point for the attacker. There are also sophisticated spear phishing spyware like DarkHotel that attack guests through your Wi-Fi network.
Point of Sale (POS) Attacks
The hospitality industry has numerous points of sale, such as counters at the front desk, spas, and restaurants. Weak passwords and other potential vulnerabilities could provide a way in for hackers keen on stealing payment details such as credit card data. External vendors usually manage POS, so attackers can target flaws within their network to access yours. Hotels store credit card details to charge guests for services throughout their stay, and this database could be valuable to hackers.
Distributed denial-of-service (DDoS) attacks are becoming increasingly common across the hospitality sector given the number of possible attack vectors available. Hackers typically use botnets of compromised networks to crash systems with traffic, making them impossible for employees and customers to use. This can disrupt anything from CCTV cameras to payment processing. You will likely be asked to pay a certain amount to get operations running again.
Public Wi-Fi systems have always been a security threat, but they become even riskier to use within a hotel, where so much sensitive personal information is stored. The main issue arises from the fact that they feature a low level of security, although even secured networks pose a risk. A hacker can set up a rogue access point (AP) that allows them remote access to your network without administrator permissions. Once inside, they can install malware to infect laptops and phones on the network and steal sensitive data.
Another method to gain entry is through a technique called evil twin AP. Here, the attacker clones the real AP using information such as channel number, MAC address, and SSID name. Guests and workers mistake the fake AP for the real one and use it for their activities, exposing all their data in the process.
Steps to Protect Hospitality Against Security Threats
Now that you are aware of the security threats your hospitality business faces, it’s time to implement some measures to safeguard it, starting with:
- Constant vigilance Marriott took years to identify the infection within its system and suffered the consequences. Regular monitoring for malware, unauthorised access, and vulnerabilities is essential to prevent this from happening to your business too.
- Make a plan Rather than wait for a cyber attack, you should be proactive and formulate an incident response plan for any scenario. Cutting down response time is key to mitigating damages and could save your finances and reputation.
- Secure your PMS The US National Institute of Standards and Technology (NIST) has published a detailed guide to protecting your PMS, covering measures such as moving target defence, role-based authentication, tokenisation of credit card data, and zero trust architecture.
- Educate your employees Hotels usually maintain stringent safety measures for physical security, which must extend to online security as well. It is vital to train staff on the latest cyber security threats like phishing attempts through emails, how to spot a fraudulent link, etc. This must be an ongoing process since threats evolve over time. Keep an eye on former employees since they might be privy to protected data.
- Monitor third parties Ensure that external vendors meet a compliance standard to do business with you. This will address any gaps in their system that could affect your security.
- Boost your security Always update to the latest version of your device or software as it can contain essential patches to protect your system from emerging threats. Install robust antivirus and anti-malware software. Avoid simple passwords and set up multi-factor authentication.
- Protect your POS The Payment Card Industry Security Standards Council (PCI SSC) recommend using PCI-Validated Point-to-Point Encryption (P2PE) to stop POS attacks. It prevents credit card data from being stored as simple text, instead encrypting it the moment a customer swipes their card.
- Safeguard your Wi-Fi Wireless Intrusion Prevention Systems (WIPS) can help detect attacks against your Wi-Fi. You can also separate guest and business Wi-Fi networks to limit exposure in case of an attack.
- Maintain regular backups Backups serve as a fail-safe in case the worst happens. For instance, if you are being threatened with ransomware, you can rely on your backup to restore functionality instead of paying the ransom amount.
Shield Your Business with ThreatScan
The hospitality industry has complex cyber security needs, requiring a multi-layered security solution that addresses all potential threats. ThreatScan is a SaaS-based vulnerability management and penetration testing platform that goes deep into your system to scan for vulnerabilities, scrutinise risks, and help perform manual pentests. You’ll get an instant threat score to see how your application and network are faring in terms of security, along with an overall organisation score and risk posture. There’s even an easy-to-understand dashboard to manage vulnerabilities, view the status of your pentest, and much more.
If you’re new to this process or feel lost, our AI-based chatbot, Diana, will help you in real-time to submit, download, and reapply for tests. The AI-based chatbot will help you answer any questions related to cyber security or about the product. We are also available 24/7 to support you through the pentest journey. You’ll receive all ThreatScan notifications through email, Jira, and Slack integration, allowing you to take action quickly and communicate effectively with your team on your preferred platform.
To start protecting your business, you can contact us here.