Sometimes, the biggest threats are the ones we can’t see. Surely, this sentiment rang true over the last year, as the COVID-19 virus swept across the nation, ushering in widespread fear and regulatory change in its wake. But now, as hospitality prepares for a long-awaited period of recovery, we must direct our attention to another unseen threat – data breaches. As our industry continues to adopt self-service technology to digitize the guest experience, guest data protection must be top of mind for every hotelier.

User privacy is, after all, the primary barrier to the widespread adoption of applications and software that enhance personalization and convenience across common touch-points. Within hospitality, specifically, countless major hotel brands have fallen victim to cybercrime; in 2020, two of the top five most significant data breaches made public occurred at hotel chains.

The time for enhanced cybersecurity is now – especially as we prepare for the new world of hospitality.

Navigating the Landscape of Advanced Technology

Guests today demand a personalized, high-touch experience but, in the wake of the COVID-19 pandemic, hotels must facilitate a traditional hospitality experience via non-traditional mediums. With the adoption of increasingly advanced technology, hotels realize an opportunity to manage their property better and provide enhanced guest service – even from afar. However, the introduction of new interconnected, guest-centric technology can also introduce new threats to hotel security, specifically, guest privacy. Let’s consider the following statistics:
  • According to a recent study by IBM and the Ponemon Institute, data breaches have an average cost of nearly $4 million globally.
  • British Airways and Marriott have both received fines of over $12M for GDPR violations relating to personal data.
  • In October of 2020, the U.K. government announced it would fine Marriott $24 million for GDPR violations related to a breach that was discovered in 2018.
  • The worldwide information security market is forecast to reach $170.4 billion in 2022.
  • 68% of business leaders feel their cybersecurity risks are increasing.
  • Only 5% of companies’ folders are adequately protected.

On the user side, guests are increasingly concerned with the privacy and protection of their data and transparency in how their data is being used. A recent Salesforce report shows that customers have limited trust in how companies handle their data, and 59% believe their personal information is vulnerable to a security breach.

Moreover, 81% of consumers will reportedly stop engaging with a brand after a breach, and 48% indicate they have already switched companies or providers because of their data policies or data sharing practices. In this way, protecting guest data represents a critical piece of the guest experience. In 2021 and beyond, failure to proactively mitigate emerging IT threats has the potential to ruin a hotel brand’s reputation.

Proactively Identify IT Threats

In the world of hospitality, phishing is an ongoing security concern. In the summer of 2019, researchers at 360 Security Center discovered attack emails sent to financial personnel working at various hotels throughout North America. These emails informed recipients that their organizations had not paid for certain services and instructed these individuals to open the attached document. The threat allowed the sender to perform malicious actions on an infected computer, such as simulating mouse and keyboard clicks and downloading and running executables.

Since the start of the pandemic, cyber-attacks are up by as much as 131%. Like the 2019 attack, these security breaches typically involve transferring sensitive information (including passwords and financial information) over email. To mitigate the risk of phishing attacks, hoteliers should consider advanced email security, which helps to block unwanted mail and malware by identifying threats (such as whaling or business email compromise) in real time.

Point of Sale (POS) systems represent another long-standing vulnerability in the hotel technology ecosystem. If any POS device on the hotel property is not properly secured, attackers can use malware or other attack vectors to steal clear-text credit card numbers and other guest data. Moreover, as more hotels transition to centrally connected reservation systems, the potential for guest data exposure increases beyond a single booking system. To this end, data encryption is an integral component of any cybersecurity program, ensuring that guest data is unintelligible to anyone who doesn’t have the right digital key.

Finally, we must also consider the risks posed by third-party vendors. As hotels’ digital ecosystems expand to accommodate new platforms and functionality, hoteliers must proactively assess each vendor’s security risks. Even hotels with sophisticated cybersecurity standards can find themselves at risk without a comprehensive third-party risk management framework in place. In August of 2019, for example, two researchers speaking at the Black Hat USA conference in Las Vegas announced they had broken into a room at a high-end hotel by using wireless sniffing tools to hack into its hotel mobile key app. While this is just one example, the security risks associated with third-party apps remain omnipresent, so hoteliers must seek out security management solutions that assess current and prospective vendors’ security posture and allow for better visibility between hotels and vendors.

The writing is on the wall. If you aren’t prioritizing data security, you aren’t prioritizing your guest, and if you aren’t prioritizing your guest, you aren’t fulfilling your promise as a hospitality leader. As the hospitality industry looks to the post-pandemic future, guest safety and security – both online and offline – should be the paramount focus of all industry leaders.