Digital transformation has created opportunities for hackers to break into hotel systems. App-based reservation systems, high-speed Wi-Fi and keyless door entries enhance guest experiences, but they also create new vulnerabilities.
While hotel security once meant locking doors, monitoring security cameras and patrolling the premises, in the digital era, it also includes protecting data.
“Consumers are demanding personalization, and hotels have to deliver personalized service in order to be competitive,” said Richie Karaburun, clinical assistant professor and director of the Hospitality Innovation Hub Incubator at NYU’s Tisch Center of Hospitality. “But that means you’re going to need much better security data protection.”
Every type of hotel is at risk, according to Karaburun. Small hotels may not have the resources or expertise to prioritize data protection, while independent boutique hotels can be targeted because they handle personal and financial information for “rich and famous” guests, Karaburun said. Large hotel chains — with millions of guest records — are also particularly alluring.
Several notable breaches underscore the importance of data protection in the hospitality industry. Travel management company CWT paid $4.5 million in ransom in 2020, Reuters reported. Marriott experienced three publicly acknowledged data breaches in a span of four years, including a 2018 breach that impacted 500 million guests, a March 2020 breach that exposed account details of as many as 5.2 million guests and a 2022 incident in which an unnamed threat actor claimed to have stolen 20 gigabytes of sensitive data.
As hotels continue to adopt digital solutions, they create new potential attack points that entice bad actors, who are only growing more sophisticated. For hospitality leaders, cybersecurity is more critical than ever in 2023.
What hotels have to lose
Cyberattacks not only impact a hotel’s bottom line but also its reputation.
“Because of the high costs of mitigation and the risks breaches pose to brand reputation, cybersecurity is top of mind for every hotel CEO,” said Mike Blake, chief technology officer of the American Hotel & Lodging Association.
The global average total cost of a data breach in 2022 across all industries was $4.35 million, including factors such as lost business, detection and escalation, notification and post-breach response, according to IBM.
Hotels can be hit with direct costs such as ransom fees, chargebacks from credit card companies and fines. One U.K. regulator imposed a $23.8 million fine on Marriott for a 2018 breach.
There are also indirect costs, such as losing customers when booking systems go down and decreased brand loyalty if a breach affects customers' trust.
Making data protection a priority
According to Blake, hotels are brushing up on best practices for data protection. “Cybersecurity has been a longtime top priority for hoteliers, and that will remain true for the foreseeable future,” he said. “In recent years, hotels have been making large annual cybersecurity investments and improvements.”
CEOs said cyber risk was the second-biggest risk to their business next to the pandemic in 2021, according to PwC's 24th Annual Global CEO Survey.
In 2019, Hyatt Hotels launched a public bug bounty program with HackerOne, which invited ethical hackers to test Hyatt websites and mobile apps for potential vulnerabilities. Hyatt Chief Information Security Officer Benjamin Vaughn said the hotel company has paid more than $723,000 in bounties since the program launched.
“A critical part of caring for our guests is our focus on ensuring their data and privacy remain secure and safe at all stages of their journey with Hyatt,” said Vaughn. By partnering with HackerOne, “we are able to harness the collective knowledge of the global security research community to protect guest, customer and colleague data,” he said.
Implementing standard security best practices, such as those outlined by the Cybersecurity and Infrastructure Security Agency (CISA), including data encryption and multifactor authentication, also helps protect hotels’ systems from attacks.
Another component of hotel cybersecurity is the human element. Hotels can improve their security by giving staff ongoing training, such as the program developed by CISA, on how to avoid phishing attacks, for example.
The biggest piece of advice Karaburun offers hotel leaders is to conduct security assessments at least once a year. Large hotels with dedicated cybersecurity teams can often conduct these assessments themselves, but small hotels may lack the resources. In that case, Karaburun suggests hiring cybersecurity consultants who specialize in hospitality systems such as reservation systems and point-of-sale software.
“Many hotels hire consultants for their profitability,” he said. “If you do not have a budget for a cybersecurity team, hire a consultant and have a tune-up every year.”