⚠ We would appreciate if you would disable your ad blocker when visiting our site! ⚠

How Secure is Your Hotel

Order a reprint of this story
Close (X)
ORDER A REPRINT

To reprint an article or any part of an article from Hospitality Upgrade please email geneva@hospitalityupgrade.com. Fee is $250 per reprint. One-time reprint. Fee may be waived under certain circumstances.

SEND EMAIL

March 01, 2013
Hotel Security
Jeremy Rock - Jrock@rockitgroup.com

Lessons learned from an electronic door locking breach and why we really need to take this seriously.


It’s just a lock. How often have we heard this from hotel management and ownership? This may have been true in the past, but the recent security breach from one of the largest electronic door locking companies this past July highlighted that times have changed. This is largely attributable to the electronic age and that criminals are far more sophisticated. Where the previous generation's criminal simply applied brute force, the new criminal is armed with technology and does not even need to be onsite to breach a network or gain access to applications. Looking at it differently, the industry moved from the old manual key locks to enhance guest security and now finds that in some cases it may be more secure if we went back to these antiquated systems. Today's criminal probably does not know how to breach the old style locks.

There have been numerous articles written about the recent Onity electronic door locking breach, and in most instances the tone of the article portrayed both Onity and the industry in a less than favorable light. While there is no denying that many of the comments were potentially justified, there was little or no mention of the positive contributions that many of the hotels and other industry participants have made to address the situation.

There are many accounts of hotels immediately beefing up their security efforts and taking the necessary remediation efforts to shore up their systems while fixes were either being generated or distributed. There were also quite a number who elected to make the necessary capital infusion to replace or update their systems in their entirety. However, rather than attracting attention to the fact that these remediation efforts were being conducted, many of the entities have only made this information known when asked. While the negative press has brought the necessary attention to the issue, what appears to be lacking is the concerted effort to bring all the industry parties together to combat the issue and provide effective solutions to the problems.

The industry faced a similar situation with credit card fraud and compromises, and until a concerted effort was made by the industry to combat the issue through education and a focus on PCI compliance, the number of breaches continued to rise. Once hotels and companies were educated on the potential steps that they could take to secure their networks and remove credit card data from their systems, the industry saw a remarkable improvement in the number of breaches year over year. The same type of effort needs to be initiated with the locking system issue. While credit card data breaches and PCI compliance issues took a toll on properties and the industry in general, it didn’t have the instant negative impact that the locking system issue has generated. What is different is that we potentially have the guest’s or general public’s physical safety at stake.

Background
The now infamous disclosure of the security flaws found in one of the largest electronic door locking system provider’s locks last July caught many hoteliers by surprise. The disclosure of the flaws and the apparent ease of how to breach the locks became an immediate media sensation, cumulating with an exposé on NBC’s Today show. The industry’s response to the problem was slow and measured, and in many cases it appeared that we were simply sticking our heads in the proverbial sand. The general public viewed the industry’s tempered response as a sign that it simply did not care about the safety and security of the guests and that we were simply out to take their money. Subsequent to that, when two hotels in Texas were breached, the public’s fears were confirmed and it appeared that the industry was ill prepared to deal with the problem.

The first thing that struck me about the problem was the way we found out about the breach. Cody Brocious, a hacker and senior security consultant with Accuvant LABS, was speaking at the annual Black Hat information security conference in Las Vegas, a conference frequented by security experts and hackers alike, and chose the opportunity to publicize the deficiency in the Onity door locking system. A further complication was the fact that the locks could be breached by what amounted to a inexpensive homemade device costing about $50. This meant that it did not require a sophisticated hacker to breach the system and that many would-be criminals could develop a device to breach this particular brand of hotel door locks. The disclosure went viral and was picked up by many online publications and social media outlets. Articles started appearing online and there was genuine concern of what this could mean to the traveling public if the issue was not addressed immediately. It should be noted that this is not the first time Cody Brocious has targeted the Onity locking system. In 2010, he successfully demonstrated how he could duplicate the magnetic swipe key card using a metro subway card.

Unfortunately, it appeared that the industry and the manufacturer did not respond to the story in an effective and timely manner, and so the story grew. It seemed as if the public relations strategy was to not say anything at all in the hopes that the hype on the story would blow over and that the issue could be resolved over time. This unfortunately didn’t transpire and eventually the issue gained the public’s ire.

Some Lessons Learned from the Initial Response 
As is in most cases, there are always two sides to a story. Subsequent investigation of what transpired revealed that while there are many cases where the ball was dropped, there were also many cases where the response to the problem was almost immediate, and while the fixes might not have been completely effective, many hotels did respond with effective security plans highlighting the fact that the industry does care about its guests. However, quite a bit of criticism continues about how the hospitality industry as a whole has responded to this particular breach.

Communications and Public Relations
When the issue was first realized, the communication between the lock manufacturer and its hotels was reportedly slow and measured. If there is one thing we learned from credit card breaches it is that timing is key. This situation was different in that it was initially an individual company that had to respond and not the industry per se. That said, the communication between all of the entities involved was apparently poor, with many hotels indicating that they were not made aware of the issue or how to address it.

Another thing that has been learned over the years is that taking the approach of sticking your head in the sand and hoping things will blow over does not work with today’s highly connected world. We’ve seen with the adoption of social media, Internet chat sites, blogs, TV and other press that the public will make you pay for any perceived hiding of information or shying away from a negative situation. Not only was there limited information on the issue at the time that the story broke, but it is still continuing today with a number of solution providers and hotels still not wanting to comment on this situation.

Fallout from the Breach
While most of the public response to the breach has been via the media, hotels and resorts are now starting to feel the impact of the issue at the property level. Meeting planners are now requesting that the hotels disclose information on the locking systems in place, and in some cases are eliminating hotels from competing in group RFPs if they have locks from certain manufacturers. Karin Faircloth with Millennium Technology Group, a subsidiary of Rosen Hotels and Resorts, cited a case when during a group tour of one of the Rosen Hotel properties, the meeting planners where actually looking at the locks. The property subsequently was informed that the locks needed to be replaced by the time the groups arrived at the hotel or they would not book the group.  
 
Responsibility
If there is a glaring question that is still being debated it’s the question of who is responsible for the cost of the remediation of the problem. (The overall liability issue will be addressed later in the article.) Onity for its part has indicated that it is providing mechanical remediation plugs and screws free of charge to its customers. However there have been reports from hotels that they were initially charged for the materials, and that in all of these cases they were responsible for the labor involved in installation of these devices.

What is Different About Locking Systems and What Makes Them so Unique?
The recent breaches have also brought to the forefront a system that has up until now really avoided the spotlight in a hotel. What is different about a locking system to other systems within a hotel and how have things changed over the recent years?

1 The way it is selected.
At an average cost of $200 to $300 (and upwards) per door just for the lock, one can see how this can be considered as one of the primary system expenditures for the guestroom.

New hotel builds. Electronic door locking systems have traditionally been selected during the construction phase of the hotel. The reason for this is that the doors need to be ordered and prepped for the particular door locks well in advance of the opening of the hotel. Especially for new builds, many times the decision on which system and lock are chosen is made by the owner/developer and design/construction team. Most of the time the operational personnel who typically use the system (such as front desk, housekeeping, engineering, security and IT) are only brought on board closer to the opening of the hotel. As such, the input from these departments is not factored into the overall locking system selection process.

Renovations or retrofit projects. The other way that door locking systems are usually installed is during a time of a refresh or room upgrade. Due to the cost of the system it is usually incorporated as part of an overall renovation. Again the design team usually has a heavy hand on the overall decision making, and in most cases aesthetics and cost usually win over functionality and proposed security. However, there is the potential for operational, security and IT input into the overall decision making if the ownership group involves the property itself in the project.

2 Purchasing decisions.
There are a number of decisions that typically affect the selection of an electronic door locking system, some of which include:

How long does the ownership intend to own the asset?
A major factor involved in the decision of which locking system to purchase is often influenced by how long the owner intends to keep the property. If they intend to sell the property in the next few years, they may opt to install a less expensive system. If they intend to keep the hotel for the long term, they may be convinced to install a quality system that will last for a long time.

Longevity of the System. When the question is typically posed as to which system has longevity in a hotel, some people may be inclined to point to the PBX, or in some cases the POS system. However traditionally the guestroom electronic door locking system is the system that is replaced the least often. As such, until this recent breach, most hoteliers were not that concerned about having to replace the door locks, so long as they physically worked. That is changing and hotels need to be concerned about the upgradability of the lock in terms of its networkability and security protocols for integration to other systems.

Level of Security Encryption. One concern to be factored into the selection of locking systems is the level of encryption that the lock has as part of its security features. Given the length of time hotels are keeping the locks, the hotel needs to be able to update the level of encryption on the locks and system. As was pointed out to me on a number of occasions in recent conversations, one should approach this the same way you update your antivirus software. The level of security needs to be updated regularly to ensure that the latest techniques and protocols are in operation. Given the physical security aspects that are at risk, IT personnel need to be vigilant in ensuring that these systems are equipped with the latest firmware and security encryption available in the marketplace. This should be factored into the overall decision making on the locking system of choice.

Integration to Other Systems. In the past, the primary concern was the interface to the PMS. However, locking systems can also be linked to energy management and room automation systems, among others. As such, their ability to integrate, and in some cases share networks, can be reasons for the selection of a particular system.

Networkable Solutions. In the past, online systems typically meant having to hardwire the locks to the server. These days most locking system providers offer networkable solutions either through their own proprietary wireless solutions or they are able to integrate into other wireless networks. While this has increased the features and functionality offered with the systems, it has also increased the susceptibility to possible security breaches and caused IT departments to focus on securing the networks and access to these systems. The primary concern being that if the locks can be breached, will this allow access to the hotels secure networks.

Code Requirements. Door locks should meet the fire rating code requirements. In most instances the doors need to be fire rated and the locks may impact the rating to the door. If the locks contain plastic components, the question arises as to whether they are susceptible to melting as a result of the heat and will this affect the ability of a person to open the door and potentially escape a fire. While this has not appeared to have been an issue up until this point in time and most of the locks appear to be code compliant, it may be worthwhile looking into this issue if the hotel is contemplating the replacement of the system.

3 The changing role of the engineering department.
Most of the traditional locking systems were controlled by the engineering department. They serviced the locks, replaced the batteries, and in some cases interrogated the locks when required. They were able to do this as the locks were primarily stand-alone devices and had limited interaction with other systems. This has all changed. Today’s RFID networkable locking systems interact with most key operational departments and are primarily the responsibility of the IT departments. The result is that the system has become much more than just a locking system, and due to the fact that it typically resides on the hotel’s administrative data network, it means that the system needs to adhere to the same security protocols and requirements as the rest of the applications. For this reason, many locking manufacturers request that the security team, as well as the IT and engineering departments, be involved in the selection process. The question then arises as to whether the hotels are equipped to address the change in roles, given that many hotels no longer have dedicated IT staff onsite to assist with the support of the network and system.

What has the Industry Done about the Problem?
The PCI compliance issue taught us that, as an industry, we are better off if we band together and fight the problem as an industry by sharing information, solutions and experiences rather than hoarding the information and trying to solve things individually. It was only when companies starting opening up about their breaches and sharing their experiences on how they secured their networks and data that we started to see a reduction in the number of breaches. We are not out of the woods on the issue, but we are certainly more aware of how to combat the problem than we were before. Perception is everything and a negative perception of the industry will hurt everyone if it is perceived that it’s not safe to travel.

Current Hacking Efforts
In doing research for this article, one of the most disturbing things that I discovered was the level of online efforts underway to help potential criminals manufacture devices to hack hotel electronic door locks. Probably the most offensive post that I found was that of a PEN tester from a well-known data security company that is involved with the industry. The security consultant can be seen posting detailed pictures, wiring diagrams and instructions on how to manufacture the homemade devices that can fit into the standard Sharpie marker case to look like a felt tipped marker. In addition, there are posts from the would-be hackers asking for additional instructions and an actual video so that they can see exactly how this is put together. It even goes so far as to ask if the device can be made even smaller. The posts further elaborate how they are buying used Onity locks on eBay and from other sources so that they can test their devices and ensure that they work. While we cannot be sure that anyone has actually been successful in making the device or using it, one cannot help but wonder how it is that we have a data security expert with one of the data security companies helping potential criminals learn how to make a device to breach hotel locks. The point is that this is what we are up against and we need to develop security methods to address the problem and move ahead of it.

RFID vs. Magnetic Card Swipe
Most locking companies are moving to RFID solutions as they tend to offer better operational functionality than the more traditional magnetic swipe cards. This is not to say that the mag swipe cards are not good systems, but the biggest complaint is usually associated with guest service where the cards become demagnetized. That said, many people have raised concerns that RFID technology is not secure and that the encryption protocols are static, allowing for the cards or tags to be duplicated as guests come into close proximity with a potential hacker’s cloning device. This was highlighted by one HITEC session last year where speaker Josh Klein detailed a number of creative ways in which he has been able to duplicate RFID access cards. Proponents of RFID are quick to point out that there are various encryption levels of RFID, and as such, hotels are encouraged to deploy systems that take advantage of these higher encryption levels, and depending on the system, include read/write functionality, which usually offers a higher encryption level.  Additionally, hotels are advised to review their technologies on a regular basis to ensure that the encryption levels are improved as newer technology becomes available.

Disney recently disclosed that it is even moving to a new RFID-based system MyMagic+ that will drastically change the way that it conducts business and markets its parks.

Near-field Communications (NFC)
The drive to deploy NFC devices is also focusing attention to the security of this technology and how it will be used in the future. NFC is typically dependent on the mobile operator or provider, and given that there are a number of providers worldwide, this could present a challenge to RFID door locking manufacturers to ensure that they are compatible with each solution. In addition, the standards are changing, meaning that existing RFID solutions will probably need to be upgraded to take advantage of the technology in the future.

Training
As the awareness of the locking system breach is coming to the forefront, locking companies are reporting an increase in the amount of additional supplemental system training that is being requested to address both staff and guest-related usage of their systems. Vingcard Elsafe released a statement that said, “We are starting to see more requests for information and in some cases retraining. Our onsite training and overall support mechanisms have always been focused on the proper use of the system, including the security features.”

Onsite System Reviews
Given that many of the locking systems have been installed for extensive periods of time, hotels are starting to require system reviews to ensure that their systems' firmware and applications are up to date and on the latest revisions. Additionally, some are requesting outside reviews from security companies to ascertain risk as part of an overall system and property security initiative.

Salto Systems indicated that it notifies customers when it has software upgrades to keep the systems at peak performance.

OpenWays
There has been quite a bit of discussion on the potential use of OpenWays’ LOCKFIX to address the Onity lock security issue. OpenWays specializes in mobile-based access management and security solutions. Its products target the use of mobile devices and audible encrypted sound to allow guests and staff the ability to use their smartphones to access their guestroom door locks. The solution purports a relatively inexpensive method of providing an effective way to secure the existing Onity HT Series Lock. The OpenWays equipment is attached to the door lock, providing a way for the lock to be controlled wirelessly and allowing staff to communicate with the lock via a mobile device. This in turn means that the external PP communications port can be disconnected and the lock is therefore not susceptible to being breached via this exposed method.

OpenWays has offered to provide free licensing for LOCKFIX to address the Onity lock problem, which would allow hotels to interrogate the locks. The components which reportedly cost about $55 per lock to install would still need to be accounted for as part of the security upgrade. The company also offers an upgrade pathway to its mobile staff and guest key solutions, which do require the purchase of additional licensing. OpenWays has proposed a security solution for Docomo Intertouch.

Critics of the solution point out that it typically requires effective cellular wireless coverage in the area of the locks to facilitate communication via a mobile device and the installation can be time consuming and fairly costly. Additional concerns point to the fact that the hotel now has two companies involved in the overall support and ongoing upgrades to the locking system.

The Issue of Liability
The approach that many hotels and lock manufacturers have taken appears to be primarily driven by the potential liability and risk. This is understandable given the situation and the potential responsibility that they may have to potential breaches. We reached out to various parties for comments on the situation and received limited responses, which under the circumstance is understandable. However, as previously mentioned there are lessons to be learned as a result of the early credit card breaches and PCI compliance efforts that have been underway these past few years. Initially when the breaches began, most effected hotels and companies were reluctant to share information on the incidents or how they resolved them. Most were concerned about the loss of potential business and that guests would not want to stay at the hotels for fear of having their credit card information and potential personnel data compromised. That changed when the industry got together and started to share information. What was disclosed helped formulate key approaches to addressing the problem and the information was dispersed through industry organizations like HFTP and HTNG, and the net result has been a dramatic reduction of the problem.

The industry is not out of the woods on the data security issue, and given the ongoing nature of the problem, never will be. But the point is that the industry collaborated on the issues and solutions were found, and for the most part, the public seems to be pleased that the data security issue continues to be addressed across the board.

This same kind of collaboration must occur with the locking system issue. The personal safety of the guests are at risk, and for this reason the industry needs to step outside of its comfort zone and really tackle this problem head on before we have a more serious incident. We realize that criminals now have easy access to online information that teaches them how to make inexpensive devices to break into hotel rooms. There needs to be a concerted effort from all parties to collaborate on the issue and come up with effective and affordable solutions to the problem. This effort not only needs to focus on new technology solutions, but there also needs to be a concerted effort to combat the challenges through effective training and education at the property level and throughout the industry. Additionally, this effort needs to focus not only on the hotels, but there also needs to be an effective communication program to reach out to the traveling public to assure the guests that the hotels are safe.

We should never lose sight of the fact that guest safety and security should always be the most important priority for hotels.

Jeremy Rock is the president of RockIT Group, a  technology consulting firm specializing in new development and refurbishment projects. He can be reached at Jrock@rockitgroup.com.

©2013 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent.
For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.

 

Dueling it out.
 
Rosen Hotels and Resorts
When the security issue first was reported, it caught the attention of Rosen Hotels and Resorts in Orlando, Fla. Rosen Hotels has over 7,000 rooms and knew that it had to be proactive in its resolution of the problem.

Given the impact of the initial media reports and the subsequent negative press on the industry responses, the company knew that it had to move quickly.  The company had received notification from several meeting planners that it had to guarantee the replacement of the current door locks prior to the arrival of their groups if Rosen was to secure the business.

Once Rosen made the determination that it needed to replace its locking systems, the company engaged Karen Faircloth with the Millennium Technology Group (a subsidiary of Rosen Hotels and Resorts) to head up the overall project management and RFP process. The company took the unique approach of involving all aspects and personnel of the hotels and resorts. Its was realized that in order to get the entire organization behind the initiative, the company needed to involve all departments in the decision making. Additionally, Rosen realized that each area of its operations had unique requirements and demands for the system. Therefore, the best people to conduct the overall due diligence on the products would be the operational personnel themselves.

Every department attended meetings with the potential solution providers. Representatives from the front desk, engineering, sales, housekeeping, IT and even the general manager were asked to participate in the meetings, and effectively all aspects of the systems were evaluated from the ground up, regarding operational needs and requirements. Each department was asked to validate the solution providers’ references. The staff had a vested interest in how the product actually worked and would also know the correct questions to ask from a functionality standpoint. The front desk staff contacted the front desk staff of the other hotels, engineering contacted other engineering departments, IT contacted IT, and so on. The reference checks were compiled together and distributed to all of the Rosen staff.

Additionally, Rosen pulled the Dun and Bradstreet reports on each company to establish if they were financially stable and what the outlook was for the long-term support of the products. Rosen also examined the companies’ insurance coverage and what coverage they had to sustain large claims.

 The final selection process came down to a shoot-out. Rosen hired a certified master locksmith with experience in the hospitality industry, but who was not affiliated with any of the companies. Rosen installed the test locks then asked the locksmith to break into locks and automatic deadbolts. The locksmith also reviewed how the locks were manufactured and was asked to comment on their components and quality. Finally the locksmith was asked to put the locks back together to see how long it would take and what was involved. The test proved to be extremely informative.

The hotels' staff voted on the system that they would prefer to see installed at their properties. The voting came back overwhelmingly in favor of one solution. Faircloth confirmed that Rosen has just completed the installation of its first hotel which went smoothly, and that the company is on track to meet the necessary installation deadlines. Along the way, Rosen discovered features and functionality in the newer system that will allow the company to become more efficient and provide better controls and services to both its guests and staff.

 

Security
TIPS

In the wake of the recent electronic door locking breach, many hotels have implemented a proactive security program to enforce operational security protocols and educate guests on key security basics. While these security procedures may not address the direct issues affecting the electronic door locks, they represent a proactive approach to overall guest security and ensuring the safety of the traveling public.

Use of Deadbolts Doors are easier to kick in than outwards. Most hotel room doors open into the room. This is usually due to code requirements that prevent a door opening out into the hallway. As such, it’s important to remember to deadbolt the doors, and where possible, install and have guests use a serviceable security latch. While it may not stop someone who is trying to break into a room, it will delay them and potentially provide enough time for a guest to call for help.

Educate and Train Staff on Security Practices Many hotels have reduced or eliminated the number of security staff due to budget constraints. As such, it’s important to train all staff to maintain a presence throughout the property. Security and ensuring guest’s safety should be the responsibility of all staff members. Criminals do not like to work in active areas and a strong staff presence particularly in guestroom hallways and other quiet areas of the property will limit the potential for theft.

Check the Security of the Adjoining Doors Both staff and guests should be encouraged to check that the dead-bolts for adjoining doors are secured. While the adjoining doors may not be used, frequently the locks are not adequately secured on one of the doors, resulting in potential entry from the other room.

Monitor Security Cameras Many hotels that do not have full-time security staff do not monitor the CCTV cameras consistently.  In these instances, monitors should be placed in administrative areas, such as the front office, where staff can be trained to scan and keep a look out for suspicious activity.

Upgrade the Security Camera System Many camera systems are outdated and do not provide effective visibility of the property, especially the key areas of safety such as the entrance and exit access locations to guestroom areas. Properties should evaluate existing systems to determine if they should be either upgraded or replaced.

Proactively Review Security Protocols Undertake regular evaluations of the security protocols for systems including but not limited t network access, password rotation, staff access levels and application updates and revisions. It is recommended when practical to have outside security specialists evaluate systems and run scans and penetration tests to gain an understanding of potential areas of weakness.
 
 
 
 

What Did the Vendors Say?

Response from the Electronic Locking Vendors

In an effort to obtain input on the subject we asked a number of the well-known electronic door locking system providers for feedback on the issue. Some declined to comment, and, for the most part, the responses we received were somewhat limited due to the sensitive nature of the subject.

Onity
The company provided the following statement: “Onity places the highest priority on the safety and security provided by its products. We will continue to support and augment our customers’ security strategies. Immediately following a hacker’s public presentation of illegal methods of breaking into hotel rooms, Onity engineers developed both mechanical and technical solutions, which have been tested and validated by two independent security firms. These solutions began shipping to customers worldwide in August 2012, (and to date we have) shipped 4 million solutions to hotels worldwide.”

That said, there have been a number of criticisms regarding Onity’s purported fixes, which in many cases consisted of mechanical caps and security screws that block the physical access to the lock ports that hackers have used to illegally break into hotel rooms. Criticisms include the plugs and screws can be circumvented by hackers, but in some cases can prevent hotel staff from interrogating the lock; additionally the plugs can create a short in the batteries that power the lock; and many of the HT24 and HT28 locks use control boards that cannot be upgraded and have to be replaced.

VingCard Elsafe
VingCard Elsafe offered the following insight: “There is no question that the exposure of a security flaw in a specific brand of hotel door locks has created a crisis for the industry, due to the widespread use of these locks around the world. It has also created an unwelcomed expense and risk for hoteliers, as they grapple with various fixes that have been offered by the manufacturer and other third-party suppliers. In addition, due to mass media coverage of the situation, hoteliers are now faced with reassuring their guests that they are indeed secure in their guestrooms.

“On a more positive note, it has also forced increased awareness of hotel security, which will ultimately lead to better security. Since the most reliable fix for affected properties is to upgrade their locking systems by replacing them entirely, ultimately, hotels and their guests come out ahead by benefitting from the most up-to-date and advanced security systems.”

Kaba
When asked about the enhancements that the company was looking to implement to stay ahead of hackers, the company responded: “Kaba constantly evaluates current security technology and implements continuous improvements to its products and generates best practices for clients and in-house development.”

Salto Systems
Salto provided the following: Electronic door locking systems should no longer be a hardware spec product, but instead should be considered as a security access control system. Hotel owners, management companies, IT, engineering and security departments should be reviewing and specifying the locking systems that go onto the doors of their hotels. Salto said it can see what has happened in the industry because locks became a commodity based on the lowest price where the focus was not on a security system. “Most of the hotels that Salto has been installed in have chosen our products because of their superior secure access control features and the commercial grade quality and reliability of our locks.”
 
 
 

Great Wolf Resorts
Great Wolf Resorts is the largest chain of indoor water parks in the world. Each of the waterparks is part of a larger resort, which also features specialty restaurants, arcades, spas, fitness rooms and children’s activity areas. The company focuses on providing a safe environment for traveling families with children, and it pays particular attention to the security at each resort. The resorts use an RFID wallet-on-your-wrist program at many of its properties to allow guests to use wrist band as a room key and to charge for goods and services purchased around the resort. Because Great Wolf Resorts has used this system for some time we contacted them to discuss how the recent security issue has affected the company.  

CIO Rajiv Castellino said, “The issue has not affected our operations. We have a proactive approach to security at our properties. As such once the issue was raised we immediately followed up on the potential concerns and ensured that all of our properties had the latest security features installed on the locks. Most of our door locks are newer RFID locks that were not affected.”

Given the nature of the guests and families that come to Great Wolf resorts, security and safety has always been a priority. Castellino said, “Our security, IT and other departments, such as housekeeping, focus on being proactive and alert to possible threats that could affect the safety of guests. From an IT perspective, each resort has an IT manager onsite who directs and controls the security of the systems, applications and even physical access to each of the distribution frames where sensitive equipment is housed.”

Castellino said that his team is constantly evaluating other emerging technologies such as near-field communications (NFC) and is cautiously optimistic about its potential and also about using mobile solutions. They might introduce an NFC solution in the future but not without rigorous testing to ensure that the solution meets Great Wolf Resorts' security standards.

According to Castellino, the industry needs to take the issue of security and breach incidents seriously and collaborate on ways to address the problem on an industry level. By sharing experiences and educating about possible solutions, the industry can be successful combating the problem.

Articles By The Same Author



want to read more articles like this?

want to read more articles like this?

Sign up to receive our twice-a-month Watercooler and Siegel Sez Newsletters and never miss another article or news story.