Cybersecurity for Hotels: Is there a real threat?

Secure Stay
Jun 8, 2020
Cybersecurity threats in hotels

When it opens its doors to guests, the hospitality industry welcomes them into a safe physical environment. Unfortunately, it often fails to guarantee the same degree of safety and security online, neglecting to invest properly in protecting its clientele from cyberattacks. The consequences can be, as we’ll see, dire, not just for the customers themselves but for the hotels as well, since leaving guests at the mercy of malicious individuals who use your facility as a hunting ground will eventually affect their loyalty to you.

There has been an increasing number of data breaches in the hotel industry in the past 4 years. Major players such as the Hilton Hotels, Marriott, InterContinental, Radisson Hotel Group as well as Four Seasons have hit the headlines because of attacks on their data centers.

The threat is not limited to remote attacks: each login to the free hotel Wi-Fi, and each charge made at the spa, gift shop, bar or restaurant during your guest’s stay, is another opportunity for a hotel cyberattack such as phishing, hacktivism, malware, and identity theft, to name a few.

Veneta Eftychis (Senior Manager, PwC Hospitality Industry) explains that

“over the years hackers have been infiltrating hotel networks and have infected hotel-owned computers and guest computers with the aim of stealing personal and confidential information. Hotel networks have been attacked using mathematical techniques and crypto-analytical offensive capabilities.[…] This is usually done by hackers waiting for guests to check in and log on to the hotel Wi-Fi by usually submitting their room number and surname, the unsuspecting guest downloads this hotel ‘welcome package’ only to infect his or her machine with spying software.[…] Once on a network, the backdoor may be used further to download more advanced tools such as an advanced key logger. Downloaded software may also look for Twitter, Facebook, and Google login credentials, as well as other private information. The impact of a cyber attack can be far-reaching and devastating.”

We have mentioned attacks and security breaches, but which techniques are commonly used? The most common are phishing attacks, ransomware, DDoS attacks on the hotel network, remote hacking through third-party vendors/point of sale malware, DarkHotel hacking, and theft of customer data/card track data and identity theft. Each comes with its own malicious intent and repercussions. We will look into them.

At the same time, it is important to keep the consequences in mind. Firstly, there’s a financial impact when any form of computer security breach occurs. Costs can include forensic computer investigations to verify the breach and identify whose information has been exposed. Other costs include credit or identity protection services for affected individuals and the cost of crisis management and PR specialists hired to help mitigate the potential fallout from such an event.

Secondly, a cybersecurity breach may also impact a company’s long-term performance; recent breaches seem to have influenced customer loyalty, which has the potential to impact profitability and share value for an extended period of time.

Thirdly, it is important to keep in mind that under the GDPR an institution owes its clients full disclosure in case of a cybersecurity breach, meaning that not only are its good name and reputation on the line, but the establishment might be subject to substantial fines as well! In fact, attacks are drawing increased scrutiny from government regulators worldwide, who want to make sure directors and officers are taking the necessary steps to forestall breaches.

In a report, Bob Braun, senior member of JMBM’s Global Hospitality Group® and Co-Chair of the Firm’s Cybersecurity & Privacy Group, explores the impact of the 2018 breach on the Marriott Hotel:

[…] On August 5, 2019, Marriott International announced that it had taken a $126 million charge in the second quarter, primarily as a result of the data breach it announced in 2018. Coincidentally, on July 9, 2019, The United Kingdom’s Information Commissioner’s Office (ICO), which enforces the General Data Protection Regulation in the UK, announced that it intends to impose a fine of £99,200,396 ($123,705,870) on Marriott for last year’s data breach.

The hackers stole a breathtaking array of sensitive data:

  • 383 million guest records
  • 18.5 million encrypted passport numbers
  • 5.25 million unencrypted passport numbers
  • 9.1 million encrypted payment card numbers
  • 385,000 card numbers that were still valid at the time of the breach

Marriott is just one of the many hotel companies that have been subject to data breaches. Virtually every major hotel company, and many minor ones, have announced data breaches in the past few years, and there are likely many more that either chose not to announce a breach, or that were unaware that they were hacked. […]

Security breaches carry a risk even for hotel executives and board members, who risk their position if they fail to appreciate the extent of the threat and take proper countermeasures: a study by the Ponemon Institute found that a company’s stock price drops an average of 5 percent immediately after a breach is disclosed. The study further found that companies lose an average of $3.92 million in revenue and a significant portion of their customers after a cybersecurity breach occurs. Executives and board members therefore don’t have to understand all the ins and outs of cybersecurity, be cyber experts, or keep track of the latest cyber technologies, but they must understand the magnitude of cyber risk today and demand that their companies be proactive about it by hiring or bringing in experts to take care of this increasing problem.

But why is the hospitality industry such an attractive target for cyberattacks?

The hospitality industry, and hotels in particular, represents a lucrative target for cyberattacks because of the high number of credit card transactions involved: those transactions contain valuable customer data, whose protection is not bound by strict regulations such as, for example, the ones that cover banks when handling an equal amount of sensitive information. This, combined with a large and often untrained workforce, provides ample opportunities for malicious individuals to infiltrate the reservation system or the in-house restaurant POS to capture critical customer data.

Having seen the devastating outcome of not taking the necessary steps to protect your business and clientele, let’s look at the most common cybersecurity threats you need to be prepared for.

1. Phishing attacks

Phishing refers to an attacker masquerading as a trusted entity who dupes a victim into opening an email, instant message, or text message which will subsequently install malware.

For individuals, such an attack can have devastating results, including unauthorized purchases, the stealing of funds, or identity theft. A quick online search will show you the devastating effects a single data breach has had on the lives of individuals, often leaving them homeless or, at best, filing for personal bankruptcy.

An organization succumbing to such attacks typically sustains severe financial losses in addition to a negative impact on its market share, reputation, and consumer trust.

2. Ransomware

Ransomware is an extortion technique in which the hacker hijacks personal information or entire systems and then demands that the victim pay a ransom in cryptocurrency to have it restored. The purpose of this attack is to gain financially from those who pay the demanded figure to free their data/systems.

As an example, hotels that fell victim to this crime have reported paying more than $17,000 to be able to let guests into their rooms: the hacker(s) had simply gotten access to their electronic key generation system and locked it down.

3. DDoS attacks on the hotel network

Hotels are particularly vulnerable to Distributed Denial of Service, or DDoS, attacks, where an entire hotel chain’s website is incapacitated by being overwhelmed with traffic.

This technique of flooding hackable systems such as a camera system or a booking website is one of the most popular ways for attackers to hold institutions hostage to their demands.

Hotel cybersecurity should always include processes for handling any compromised systems should they go down in a DDoS attack.

  • The “DDoS attacks in Q1 2020” report released by Kaspersky is very revealing on this matter: “[…] Contrary to our forecast in the last report, in Q1 2020 we observed a significant increase in both the quantity and quality of DDoS attacks. The number of attacks doubled against the previous reporting period, and by 80% against Q1 2019. The attacks also became longer: we observed a clear rise in both the average and maximum duration. The first quarter of every year sees a certain spike in DDoS activity, but we did not expect this kind of surge.”
  • In 2018, The Economic Times published an article describing the extent of this issue in the hospitality industry in particular: “[…] The use of bots to abuse stolen credentials continues to be a major risk for Internet-driven businesses, but data from this report reveals that the hospitality industry experiences many more credential abuse attacks than other sectors[…]”
  • In 2017, the Trump Hotels website came under DDoS attack by hackers.
  • In 2017, Cybercrime Magazine dedicated a listing to that year’s DDoS attacks, acknowledging their disruptive impact on business.

4. Remote hacking through third-party vendors/point of sale malware

With hotels contracting and employing a multitude of suppliers, the hospitality sector offers vast opportunities for hackers to launch malicious attacks using weaknesses along the supply chain as an entry point.

One of the largest data breaches in history was conducted through a third-party vendor: hackers managed to steal data on 70 million credit cards by gaining access to a leading retailer’s network through the credentials of one of its contractors.

In 2017 the Hyatt Hotel Chain was hit for the second time by credit card data-stealing malware, resulting in very bad press and immeasurable damage for guests of 41 different hotels in its chain. The investigation found that the data breach could be traced back to the “insertion of malicious software code from a third party onto certain hotel IT systems.”

5. DarkHotel hacking

This is a relatively new technique, which sees criminals use hotels’ Wi-Fi to target business guests.

The attacks use forged digital certificates, convincing victims that downloading specific software is safe. Criminals simply upload malicious code to the hotel server, and can then target specific guests.

Articles relate the horror of exclusive guests in 5-star hotels who have fallen victim to such invasions of privacy and to the misuse of their personal data by hackers for financial gain.

6. Customer data/card track data and identity theft

Protecting the identity and information of a customer is paramount to the success of any business, and hotels are no exception.

Magnetic stripes are the way into a multitude of personal information stored on a credit card, which is used everywhere from booking the hotel online to the front desk, the spa, the restaurant… The stripe contains information about the cardholder’s account, such as their full name, credit card number, the card’s expiration date, and more. The sensitivity of this information is obvious.

Magnetic stripes are also present in a guest’s room key, which contains personal information as well.

A very commonly reported type of breach hoteliers talk about involves hacking efforts surrounding guest information. Network security / Cybersecurity is therefore paramount in this area.

Conclusions

With the hospitality industry increasingly being targeted by malicious cyberattacks, these organizations have to be ready to defend themselves from cybersecurity threats; one sure way is to team up with experts in the protection field.

Improvising as cybersecurity experts yourselves could harm your business and your guests in an irreversible way.

Consult with cybersecurity experts in the hospitality field to guarantee the safety of your reputation, revenue stream and executive positions — not to mention your guests’ right to privacy and financial security.

Secure Stay

Secure Stay is the leading cyber security company in the hospitality field. For many years, we have been preventing cyber risks in the hospitality market.