Emma Rooney is a Director at KYND in Austin, Texas, USA. As part of the Certified Cyber Insurance Specialist (CCIS) course, she completed a complex assignment on cyber risk in the hospitality industry.
The hospitality industry spans a diverse range of businesses, covering everything from lodging to the highly competitive food and beverage sector. Travel and tourism entities, like airlines and travel agencies, integrate seamlessly with the industry to meet the all-encompassing needs of travelers. The event planning sector is adept at organizing various events, such as conferences, weddings, and conventions.
Why is there Cyber Risk in the Hospitality Industry?
Due to its highly digitalized and interconnected infrastructure and the wide range of services provided, the hospitality industry faces a unique set of cybersecurity challenges. Businesses operating in this sector typically hold a great deal of potentially sensitive data. Hotels and restaurants, for instance, store data such as credit card information, personal identities, travel plans, and health-related data. This wealth of valuable data makes them attractive targets for cybercriminals.
In addition, the industry relies on a mostly temporary and transient workforce, which makes it harder to establish robust cybersecurity awareness and training protocols.
Common Types of Cyber Attacks in the Hospitality Industry
Point of Sale (POS) attacks
POS systems, which handle credit card transactions, are commonly used in the hospitality industry. The high volume of daily transactions processed by hotels, restaurants, and bars therefore makes this attack vector particularly appealing to malicious actors. In addition, the hospitality industry often uses legacy POS systems that lack robust security features and are often left unpatched. The industry’s decentralized nature, with multiple Points of Sale across various locations, also increases the attack surface. Additionally, the physical accessibility of POS systems, such as portable devices at tables, provides an opportunity for tampering.
Social Engineering & Malware Attacks
The constant influx of seasonal staff and high employee turnover, combined with a severe lack of cybersecurity awareness and training, make employees in the hospitality sector particularly susceptible to phishing tactics.
Under this attack vector umbrella, a cyberattack group, known as DarkHotel, has exploited WiFi systems to engage in highly targeted malicious attacks. The group appears to use a combination of spear phishing, dangerous malware, and botnet automation designed to capture confidential data.
In DarkHotel attacks, cybercriminals target guests, especially business travelers, by setting up fake Wi-Fi networks that appear legitimate. They trick guests through phishing techniques, distribute malware to their devices, exploit vulnerabilities, and steal personal and sensitive customer information for financial gain.
The reliance on online reservation systems makes hotels and resorts susceptible to DDoS (Distributed Denial of Service) attacks that can render these systems inaccessible, resulting in revenue loss and negative guest experiences. Secondly, the industry’s dependence on uninterrupted internet connectivity makes it vulnerable to DDoS attacks targeting their network infrastructure, leading to network congestion and disruptions in critical guest services. For example, DDoS attacks can disrupt online reservations, payment systems, keycard access, and in-room entertainment. Lastly, the limited resources and Incident Response (IR) preparedness of smaller establishments often result in extended periods of service disruption.
Businesses in the hospitality industry collect a lot of sensitive data from guests, including personal information, credit card details, and booking information. If this information falls into the wrong hands due to a data breach, it will be very damaging to both the establishment’s reputation and its guests.
System failures also pose a huge threat, since the hospitality industry relies on a range of technology systems to manage their operations, including reservation systems, POS systems, and building automation systems. If any of these systems fail, it can cause significant disruptions to the hotel’s operations and result in lost revenue.
Employees can misuse technology in various ways, such as accessing confidential information they are not authorized to view or using the organization’s network for personal activities. This can compromise the security of the businesses’ systems and put sensitive data at risk.
Third-Party Cyber Risk in the Hospitality Sector
Businesses in the hospitality industry often use third-party payment processors to handle credit card transactions. If a payment processor experiences a data breach, it can put the hospitality business’ guests at risk and damage the hotel’s reputation. They also typically use cloud service providers to store their data and applications. If a cloud service provider experiences a data breach or service outage, it can disrupt the organization’s operations and compromise sensitive data. Finally, the widespread use of third-party booking systems and digital devices such as keycards increases the number of access points that could potentially be exploited.
Implementing robust cybersecurity measures, conducting regular employee training, and establishing contingency plans are key to mitigating these risks. Mitigation strategies should also include thorough due diligence on all third-party entities, enforcement of contractual compliance with the hotel’s security and privacy policies, and consistent monitoring of their performance.
Cyber Risk in the Hospitality Sector Expected to Expand as Digitalization Increases
Businesses in the sector are leveraging digital technologies to enhance operational efficiency, customer satisfaction, and competitiveness. But without effective cyber hygiene, the growing use of technology will also expand the industry’s attack surface.
Mobile apps allow businesses to provide personalized services such as reservations and custom recommendations, while social media platforms such as Instagram and Facebook aid in marketing and customer engagement. IoT sensors provide personalized customer experiences in areas like room temperature and lighting adjustments. The usage of Artificial Intelligence (AI) also plays a pivotal role through chatbots which can handle customer inquiries and bookings, automated check-in processes, and personalized recommendations based on customers’ preferences and past behavior.
In the era of COVID-19, the industry has adopted new technologies like contactless check-ins via mobile apps to minimize physical contact. Smart room technology, including voice assistants and smart mirrors, elevates the guest experience. Virtual Reality (VR) provides immersive experiences. For example, guests can use VR headsets to take virtual tours of the hotel or explore attractions nearby. Some hotels even use robots for tasks like room service, cleaning, and concierge services.
Case Studies: Cyber Attacks in the Hospitality Industry
The hospitality industry has been a target of cyberattacks in recent years, with many high-profile incidents being reported. Some of the most notable cyber attacks that have occurred within the hospitality industry include:
- Marriott International (2018) – data breach that affected up to 500 million guests. The attack was believed to have been carried out by hackers affiliated with the Chinese government, and it exposed personal information such as names, addresses, and passport numbers.
- Chipotle (2017) – data breach that affected customers’ credit card information. Hackers were able to install malware on the restaurant chain’s Point of Sale systems, resulting in the theft of customer credit card data.
- British Airways (2018) – data breach that affected up to 380,000 customers. Hackers were able to steal personal and financial data, including names, addresses, and credit card information, by installing malicious code on the airline’s website and mobile app.
In conclusion, cyber attacks can affect all facets of the hospitality industry, emphasizing the need for robust cybersecurity measures to protect customer data. As technology increasingly drives efficient and personalized guest services, it also exposes hotels to risks like data breaches, system failures, and third-party threats. Mitigating these risks involves implementing strong cybersecurity defenses, training employees regularly, scrutinizing third-party vendors, and having contingency plans for security incidents. Proactively managing these risks helps businesses in the hospitality industry safeguard their reputation, preserve guest trust, and ensure a safe, enjoyable guest experience.