“Hotels present a rich target for cybercriminals in today’s connected world,” warned Ray Kafity, vice president, Middle East, Turkey and Africa at data security specialists Attivo Networks.
Information released by hotels backs Kafity’s statement. In November 2017, it was revealed that the company behind Hilton Hotels is paying a $700,000 fine in the United States after mishandling two separate credit card data breaches.
The attacks were in 2014 and 2015, when more than 363,000 accounts were put at risk.
Hyatt also experienced a credit card data breach at its hotels for the second time in recent years in October 2017, when the company revealed that there had been a breach of its payment systems that exposed customer data from 41 hotels in 11 different countries throughout the globe. The stolen data belonged to customers who used credit cards at any of the affected hotels between March 18 and July 2, 2017.
Additionally, in February this year, Intercontinental Hotel Group — which includes brands such as Crowne Plaza, Holiday Inn, Candlewood Suites, and Kimpton Hotels and Resorts — admitted to a data breach that was first discovered in late December 2016. While IHG said the breach only took place in 12 IHG-managed properties, it later released a statement admitting the breach affected more hotels than they thought.
IHG said the malware was “designed to access payment card data from cards used onsite at front desks” at properties between September 29, 2016, and December 29, 2016.
Kafity explained to Hotelier Middle East that the hospitality industry has become an increasingly attractive target for cyber attacks. These attacks focus heavily on hospitality organisations’ point-of-sale (POS) systems, which remain one of the most difficult things to protect because of historic vulnerabilities at the device endpoints, the inability to apply additional security measures such as encryption to transaction data, and the increased use of the Tor network (host for the Darknet and online black markets) to easily facilitate the sale of stolen information.
“Network security and data privacy problems have been in the news this year, following which hoteliers have reached their tipping point and have no other choice but to tackle cyber risks and ensure their reputation amongst customers remains intact. In light of this, many have given cybersecurity the footing and priority it deserves across the board,” added Kafity.
According to AccorHotels chief digital officer Maud Bailly, IT, data protection and personalisation are key. “We have just hired a data protection chief officer. In my team, we have IT, ecommerce, client and customers, sales and distribution and data. Talking about personalisation, it’s also a matter of respect for the customer,” Bailly added.
Bailly emphasised that AccorHotels has a very strong, dedicated IT security team. “They are working every day, 24 hours a day — of course we are facing attacks and risks every day, and the thing is, so far we are quite good because we are paying attention to each kind of risk which could affect our business,” she added.
A recent study from Ponemon Institute, a research centre dedicated to privacy, data protection and information security policy, found that the average total cost of a data breach to hotels is US $4 million. The study also reported that the cost for each lost or stolen record containing sensitive and confidential information increased from an average of $154 to $158.
While the guest experience is being enhanced by IoT technology — in checking in and unlocking rooms via mobile phones, for example — it has also provided greater ‘attack surfaces’ for cyber criminals.
However, many IoT devices are not designed or maintained with security as a priority, which brings with it a host of potential issues.
According to a recent study by IBM Security and the Ponemon Institute, 80% of organisations do not routinely test their IoT apps for security vulnerabilities.
Steps are now increasingly being taken to protect hotel guests from data theft, in light of the growing trend of cybercrime in this sector.
According to Mohammad Amin Hasbini, senior security researcher, global research and analysis team (GReAT), Kaspersky Lab Middle East, Turkey and Africa, hotels have a duty to protect the data of their guests.
Carrying out a risk assessment of where security gaps and possible cyber-attacks can come from has become essential.
“One relatively inexpensive system that hotels can use to keep credit card information safe is ‘tokenisation’, which replaces sensitive data while it’s being transmitted with a ‘token’. This can be done at POS and will go a long way to protecting customers’ payment information,” Hasbini added.
Hotels can also protect guest data by transmitting information through firewalls or VPNs, meaning that sensitive data is re-routed through safe and secure servers and protected behind firewalls for added security.
According to Dukes Dubai general manager Tristan de la Porte du Theil, hackers are becoming more and more sophisticated in how they are attacking systems, which means hotels must be increasingly vigilant and regularly audit all aspects of their security systems in order to identify any vulnerabilities. He commented: “Some hotels are investing in biometric technology, using fingerprints or facial scans to restrict access to data, but fundamental to the entire process is staff training. At Dukes Dubai, an account and password are required to access any system; the password needs to be changed in a certain period. Accounts can only be created if approved by HOD, HRM, and DoF. Whenever an associate leaves, her/his account is immediately disabled or deleted. We have different levels of security on our network and we also have a running system that protects company data.”
Loss of customer data, financial ramifications to their company, and the resulting loss of reputation in a major breach are avoidable for hotels, according to Kafity.
“If hotels take the right measures for attack prevention, detection, and response, they can avoid a data breach. Efficient detection for advanced threats is no longer optional and should be viewed as a critical control in any organisation’s security stack in order to derail attackers early and efficiently,” he noted.
However, Hasbini also emphasised that it is imperative for hotels to share best practices to protect the interest of their customers. This includes actions such as never storing credit card information in the hotel’s systems, which thwarts cyber criminals’ attempts at stealing information in the event that they gain access to the hotel’s systems.
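The two measures Hasbini describes, tokenisation at the POS and never storing card numbers in the hotel's systems, can be shown together in a short sketch. This is an added example, not code from the article or from any vendor named in it; `TokenVault`, `pos_checkout` and `find_stored_pans` are hypothetical names, and the card number and records are constructed sample data.

```python
import re
import secrets
import string

SAMPLE_PAN = "4111111111111111"  # constructed: a standard test number, not a real card

def luhn_valid(number: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical stand-in for the payment provider's vault, outside the hotel network."""
    def __init__(self):
        self._pan_by_token = {}

    def tokenise(self, pan: str) -> str:
        if not (pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19
                and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        # Random letters only: the token has no mathematical link to the card
        # number and can never be mistaken for one by a digit scanner.
        token = "tok_" + "".join(secrets.choice(string.ascii_letters) for _ in range(24))
        self._pan_by_token[token] = pan
        return token

    def detokenise(self, token: str) -> str:
        return self._pan_by_token[token]   # only the vault holds this mapping

def pos_checkout(vault: TokenVault, pan: str, amount: str, folio: str) -> dict:
    """POS swaps the card number for a token before anything is written hotel-side."""
    return {"folio": folio, "amount": amount,
            "card_token": vault.tokenise(pan), "last4": pan[-4:]}

def find_stored_pans(records: list) -> list:
    """Audit hotel-side records for any Luhn-valid run of 13 to 19 digits."""
    hits = []
    for record in records:
        for value in record.values():
            hits += [m for m in re.findall(r"(?<!\d)\d{13,19}(?!\d)", str(value))
                     if luhn_valid(m)]
    return hits

if __name__ == "__main__":
    new = pos_checkout(TokenVault(), SAMPLE_PAN, "120.00", "F-2041")
    legacy = {"folio": "F-2040", "amount": "95.00", "card": SAMPLE_PAN}  # constructed
    print(find_stored_pans([new]), find_stored_pans([legacy]))
```

The audit finds nothing in the tokenised record and flags the legacy record that kept the full number, which is the difference an intruder on the hotel's systems would see.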