Why Hospitality Is the Second Most Vulnerable Industry

The World Travel & Tourism Council predicts that travel-related GDP will grow an average of 5.8% annually between 2022 and 2032. While this is good news for the hospitality industry, but an increase in online bookings and web traffic also makes it an even more enticing target for hackers. In fact, the industry has long attracted hackers with PwC’s Hotels Outlook Report 2018-2022 naming hospitality as the second-most-attacked industry. Even more interesting is the number of high-profile breaches that have targeted hotels and hotel chains large and small.

Perhaps most widely publicized were the attacks on Marriott in 2014, 2020, and 2022, the last of which resulted in the capture of 20 gigabytes of sensitive data, including guests’ credit card information. Hyatt also made headlines when its payment systems were breached in 2017 and information was stolen from 41 hotels around the world. In 2019, an MGM Resorts breach impacted more than 142 million hotel guests. One year later, the reservation system at the Ritz was breached and scammers used phone spoofing to contact customers and request confirmation of credit card information for declined reservations.

However, it’s not just the big-name hotel chains that have been breached in recent years. Roughly 43% of cyber attacks across all industries target small businesses. The Allison Inn & Spa in Oregon was hit with a ransomware attack in 2022 where attackers stole employees’ and guests’ personal information and posted it on the public internet in demand for a ransom. Meanwhile, Asian booking service RedDoorz experienced a leak of 5.9 million records after bad actors found the AWS access key through the company’s Android app.

As attacks become more frequent, they’re also becoming more advanced with the use of AI and machine learning. They’ve also become quite expensive. On average, breaches cost companies $4.35 million. That expense includes ransoms paid, remediation, legal fees, and lost business — something that should scare CEOs and board members more than anything. The Aon Global Risk Management survey claims that some companies see a 25% drop in market value in the year following an attack, and PCI Pal data showed that 62% of Americans claimed they would stop buying from a brand for several months following an attack.

Considering how important reputation is in the hospitality industry, companies must do everything in their power to avoid a breach. But where to begin? The answer starts with understanding what puts these companies at risk in the first place.

What puts the hospitality industry at risk?

There are several reasons why the hospitality industry is targeted — some are fairly obvious, others less so. Topping the list is the massive amount of data stored by most hotels, airlines, and other companies in the hospitality industry.

• Vast amount of PII: When it comes to personally identifiable information (PII), hackers hit the jackpot with hotels and other businesses in the hospitality industry. Most hotels collect and store names, addresses, email addresses, credit card information, passport numbers, Social Security numbers, and National Insurance numbers of employees and guests. Often, hotels will store this information on a long-term basis, leaving customers at risk well after their stay.

• Hotel Wi-Fi is easy to access: There is an emerging trend among hackers called DarkHotel that involves bad actors using a hotel’s WiFi to target its business guests or politicians (hypothetically carrying company credit cards and sensitive information). Once an attacker has added malicious code to a hotel server and a guest logs onto the hotel’s unprotected Wi-Fi, the hacker can access and steal information from the guests’ personal devices.

• Hotel’s increasingly high-tech offerings: The hotel and airline industries are incredibly competitive, and customers are demanding higher-tech amenities beyond just a business lounge or in-flight movie. After the pandemic, contactless check-in and payment options via an app on a phone or a kiosk became the norm – integrating personal devices as part of the travel experience. While this was more convenient for customers, it created more risk for hotels and airlines.

• Shift workers and employee turnover: Generally speaking, it’s bad security practice to create many shared privileged accounts, but hospitality is a 24/7 industry. Consequently, shift workers having shared privileged accounts that manage sensitive information often seems like a necessity. The risk here is exacerbated by the fact that the hotel industry also experiences a 73.8% turnover rate. So, even if hotel management conducts annual cybersecurity awareness training for employees, they might not catch every employee using their systems. This creates a risk if compromised accounts lead to elevated access which, in turn, would allow insider threats to become more common.

• Significant number of third-party partners: Not all data breaches start with the hotel. Many attackers enter the hotel’s system via a third-party application or system, of which, there are many. Anything from the system used to open hotel room doors, to security cameras, to the sprinkler management system can be attacked by a bad actor. The most common targets, however, are the point-of-sale systems. This system is not only vulnerable, but it also houses most of the information attackers value. Hotel chains and airlines also need to be cautious with third-party booking sites. Scraper bots scour these sites to steal personal information or sell low-cost tickets for a profit. Meanwhile, denial of inventory attacks use hoarder bots to deplete a third-party travel site’s inventory and then sell everything for a significantly marked-up price.

• Loyalty programs: While PII and credit card information are often the targets of malicious acts, loyalty programs also offer an interesting opportunity for bad actors. In fact, loyalty program fraud grew by 89% in 2021. Because customers aren’t frequently checking their point values, attackers have a large window of opportunity to steal a person’s membership points or frequent flyer miles and sell them for a nice profit. 

Though these factors make businesses in the hospitality industry particularly vulnerable, the attack methods used by bad actors aren’t unique. Hackers are running phishing and social engineering scams, they’re infecting systems with ransomware, and they’re running distributed denial-of-service (DDoS) attacks among other schemes. The good news is that hoteliers and businesses in the hospitality industry can use the same tried-and-true defense tactics to protect their businesses as those used by other industries.

How hotels can strengthen their security posture

To protect themselves against a breach, hotels, airlines, and other businesses in the hospitality industry first need to acknowledge that an attack is not just possible, it’s likely. It’s not a matter of if, but of when. With that in mind, here are a few steps businesses can take to improve their security posture.

• Conduct risk assessments: It’s advised to conduct a risk assessment at least once a year to ensure the appropriate defenses are in place and any gaps a bad actor can exploit are closed. Annual risk assessments are also often a requirement for cyber insurance, which is step number two.

• Buy cyber insurance: Despite rising premiums, cyber insurance is a vital component of a cybersecurity plan. Since 60% of businesses never recover from a cyberattack, insurance minimizes the extensive costs associated with a breach, curbing a company’s chances of going out of business should a breach occur.

• Build an incident response plan: Although businesses don’t want to imagine the worst, they need to be prepared for it to happen. An incident response plan lays out what needs to be done in the event of a breach and details who is responsible for each task.

• Establish a zero-trust architecture: The zero-trust principle essentially states that no user or device is automatically trusted and therefore needs to be verified. Authentication and authorization of both the user and the device are necessary in order to access a company’s network, software, or applications. IT managers should also be cautious about who is given access to privileged accounts. While many shift workers need to access booking systems that house credit card information, logins should be tracked carefully, and individual users should only have access to the specific systems and data they need to do their job.

• Enable multi-factor authentication: When it comes to authentication for any and all accounts related to the business, two-factor or multi-factor authentication is a necessity for both customers and employees. This is a simple way to protect against many account takeover attacks.

• Assemble a security tech stack: Businesses large and small need to invest in the cybersecurity basics, including email protection, endpoint protection, endpoint detection and response, and privilege account abuse detection. When choosing a partner or vendor for any purpose — security related or not — it’s essential to do due diligence to ensure the prospective organization prioritizes cybersecurity. One vendor with a weak security posture could be an open window that invites an attack on your organization.

• Host regular cybersecurity training: Most security breaches are a result of human error, so even the best technology won’t completely protect a business. Cybersecurity training should be hosted regularly and cover common scams, email best practices, internet and social media usage, remote access, password protection, and more.

Unless you have a robust in-house cybersecurity team, you’ll need to outsource at least some of your security efforts to an outside vendor. You need a partner who can provide 24/7 monitoring and response services. In an ideal world, that partner would also provide the necessary tools and technology to secure your organization. 

While it’s rare to find such a partner, SolCyber is up to the challenge. Our Foundational Coverage ensures small to mid-sized businesses have everything they need and nothing they don’t. (We can also get you up and running in days.) 

Ready to become cyber resilient? Reach out to SolCyber, the experts in cybersecurity to see how we can help.

Follow us on these social platforms!

LinkedIn: https://www.linkedin.com/company/solcyber

Twitter: https://x.com/SolCyberMSS

Facebook: https://www.facebook.com/solcybermssp

Instagram: https://www.instagram.com/solcyber_mssp/