Authors: Max Pragnell John Farley
The sensitive data hotels capture as a fundamental part of business is vast. Hotels collect consumers' identification (including passports), credit card information, addresses and — in cases involving spas, as an example — protected health information. Hospitality companies also retain employee data, trade secrets and suppliers' bank information.1 This data makes hotels a valuable target for cybercriminals.
Ponemon and IBM Security's 2022 global case study report2 revealed that $2.94 million was the average total cost of a data breach in the hospitality industry from 2021 to 2022. The associated costs from a breach come from several sources including lost business, reputational damage, legal costs, forensic activities, crisis management, regulatory response and customer notification — to name a few.
Recent examples of cyber attacks on the hospitality industry
Hotels and resorts have suffered from a variety of cyberattacks, but the most effective have been low-level social engineering and phishing campaigns. One cybercrime group known as TA5583 has been targeting hospitality companies in Latin America with malicious links and attachments. Their method includes luring reservation emails directed toward hotel and travel company employees.
According to IBM Security's report,2 83% of global organizations suffer more than one data breach. In September 2022, a hack of a well-known UK-based multinational hospitality company led to a two-day outage to their online booking system.4 The same group also suffered from a ransomware attack at one of its Turkish locations the previous month, although no connection necessarily exists between the two breaches. The same multinational hospitality company settled a class-action lawsuit in 2019 for a malware breach that affected several of its hotels, restaurants and bars.
Hotel-specific cybersecurity challenges
A major challenge for hospitality in the cyberspace is allowing consumers to have a single access point to roam freely across a property. Third parties often manage restaurants, shops or spas within a hotel,1 which means systems need to be interconnected and data needs to be shared. This typically involves a property management system (PMS) but it's not bulletproof. It requires strong cybersecurity measures and strict data compliance. Payment Card Industry Data Security Standard (PCI-DSS), multi-factor authentication (MFA), endpoint detection and response (EDR), and Data Protection Act compliance are safeguards required in different scenarios.
Hospitality companies face a further challenge when buying and selling properties. The buyer may face difficulties integrating new property management systems, payment terminals or overall cybersecurity strategies. Meanwhile the seller needs to ensure no residual data can come back to hurt them.1
Popular types of cyber attacks
Phishing. Hackers send emails that seem to come from a trusted source to get hotel employees to open malware-laden attachments or click malicious links. In hospitality, time is money, so employees are often not well trained in cybersecurity. However, there are collections of templates commonly used by phishers and specific clues that an email may be dangerous. These templates can be used as training materials to educate staff about this threat.
Ransomware. Hotels are prime targets for ransomware attacks, and many have outdated security for point-of-sale systems. Small chains have been slow to beef up security measures, reasoning that they are not on the radar — a misconception. The industry is stepping up security and education to combat this growing problem.
Point-of-sale and payment card attacks. These attacks pose the biggest threat to the hospitality industry as a whole. Many are directed against vendors, who present an opportunistic weak link. Causes range from easy-to-hack passwords and insecure remote access to dated software and improper configuration.
Denial of service (DoS) attack. Typically, hackers flood systems with so much bogus traffic that servers become overwhelmed and can't operate.
DarkHotel hacking. DarkHotel5 is a cybercrime group that targets high-value individuals — a practice called spearphishing — often through hotel Wi-Fi. Common targets include hotel guests who are CEOs and other top-level company executives. Once cybercriminals gain access, they can spy and steal confidential information.
Customer data and identity theft. One of the biggest risks to hotel security and reputation is the hacking of customer credit card data. As such, network security upgrades and employee training are essential.
Critical steps hotels need to take to improve cybersecurity
Taking a proactive approach to cyber risk is critical for organizations of all sizes. Partnering with a specialist in cyber risk can help you secure coverage, while also strengthening your organization's digital armor. Here are some important areas of focus:
- Employee training
- Email hygiene
- Multi-factor authentication (MFA) and virtual private networks (VPN)
- Patch management
- Access controls
- Detection and duplication
- Breach response planning
For more detailed information on this list, see our Cyber Security Controls Checklist. This report reviews the most important questions cyber insurance underwriters are asking and provides remediation advice you can put into practice to position your organization in the most positive light when requesting cyber coverage.
A consultation with Gallagher could reveal new methods to manage your risk to cyber events. Risk transfer is only a piece of the puzzle, and our holistic approach could better prepare you for an inevitable cyber attack. Contact us to discuss your coverage gaps and cybersecurity posture, and why it's important to engage with cyber insurance today.
