“People trust us to allow them to sleep safely and securely. There’s a longstanding tradition of an innkeeper, that we fulfill that commitment to them. Has it extended naturally, with the same diligence, to the digital environment? Not always.” — John Burns, President of Hospitality Technology Consulting.
Last November’s news that the private information of approximately 500 million Marriott International guests had been leaked was a sobering reminder of the catastrophic security vulnerabilities that exist in the hospitality industry.
Cyber attacks on hotels are particularly prevalent because of the vast amount of personal data stored, with PwC’s Hotels Outlook Report 2018–2022 indicating that the hospitality industry suffers from the second highest number of data breaches across all sectors.
But is the massive amount of personal data the sole reason that hackers frequently attempt to compromise hotel cybersecurity, or does this reality also illustrate a lack of comprehensive solutions in the hospitality industry to prevent such attacks?
The (In)Security of Acquisitions
In September 2016, Marriott International acquired the Starwood hotel chain. The November 2018 hack has been traced back to the room reservation network of Marriott’s Starwood branch, where unauthorized access to the database had continued since 2014. It’s now clear that Marriott International unwittingly purchased an ongoing data breach along with the Starwood customer information that the company was seeking. Even though the Starwood data compromise began before the acquisition, the damage to Marriott’s reputation upon its discovery is undeniable.
What’s the lesson here?
All of us in the hospitality industry must comprehensively scrutinize every aspect of other companies prior to the acquisition, including data handling and cybersecurity processes. And the same goes for all technology brought on board, such as new applications and systems. Due to rapid tech advancements, effective security measures require constant and consistent attention if we’re to stay on top of the game and one step ahead of malicious hackers who attempt to compromise the security of our data storage.
Digital Compliance and Security Maintenance
The modern hotel relies on data storage and tech systems for virtually every aspect of operations. While the benefits of advanced technological solutions are incredible, these products also expose the hospitality industry to an extraordinary range of potential cybersecurity vulnerabilities.
Any mistakes in the setup or management of a company’s systems can lead to disastrous cyber attacks, including the leak of massive amounts of highly confidential guest data through even just one breach. Unfortunately, while some hoteliers may believe that their systems can arrive in a guaranteed state of security, the reality is a far different story. For example, a flaw as simple as a weak admin password can result in an entry point for hackers, as can insecure remote access or software that isn’t completely up-to-date with the newest security patches. Therefore, the onus remains on the hotel brand to maintain its systems with the utmost care and attention to every detail to avoid malware infection, ransomware installations, and other highly destructive security breaches.
Distributed Denial of Service (DDoS) attacks can leave a brand devastated, as this level of network compromise shuts down an entire hotel chain’s website by overwhelming it with traffic from many sources. From sprinklers to closed-circuit TVs, the sheer number of devices in a hotel that are controlled by computers is staggering. And each of these systems can be maliciously used to send pulses to other systems within a hotel’s technological infrastructure, leading to a complete shutdown of operations.
Is every hotel PCI compliant? Unfortunately — and I write this with a bit of shock — some hotel brands still fail to fully comply with the set of standards intended to ensure that all companies that accept, process, store or transmit credit card information maintain an environment that is protected from compromise. The lack of comprehensive security measures may also extend to gaps in following the conventional procedures for destroying data once it’s been used, furthering the potential for credit card information to be accessed by hackers.
As you can see, the hotel industry is falling short of meeting the expectations for overarching security of its systems, leading to catastrophic exposures such as the recently uncovered Marriott situation. But before we throw our hands up in the air, let’s remember that effective security measures can be applied to every aspect of a hotel’s technological systems to keep them safe from those with malicious intent. To succeed, brands require strong leadership and exceptional technical expertise with a full commitment to doing everything that it takes to stay on top of the latest security standards and procedures. Consistent penetration (“pen”) testing and consultation with technical experts will ensure that a hotel’s systems are always up-to-date and utilizing the best protection that’s available at all times.
Our guests deserve a good night’s sleep, and so do we. Let’s all tighten up our security belts so we can rest with ease, knowing that our widespread attention to detail will keep our systems secure and leave the hackers as the only restless ones.
By Andrew Sanders, VP, Travel & Hospitality North America at DataArt
“What’s the Number One Concern Keeping Hotel Group CIOs Up at Night?” was originally published in Hacker Noon on Medium.