
Hotel Cybersecurity: Threats, Examples and Best Practices

The risk of a cybersecurity incident is too great and too damaging to ignore. Just like you install fire detection systems in your hallways and guestrooms, you must implement access controls, systems, and protocols to keep your guest data – and your hotel’s reputation – safe.


Jordan Hollander in Operations

Last updated October 24, 2024


Keeping your hotel safe today requires more than security cameras and locks on the doors. Cyber attacks can happen to any organization, and hotels are no exception. Because hotels store a large amount of personal and financial data, like guests’ credit card and passport numbers, they are attractive targets for criminals who want to steal or ransom that information. Unfortunately, those criminals are often met with loose or nonexistent security controls on hotel websites and in back offices. When an attack succeeds, it’s not only data that’s stolen: a hotel can tarnish its reputation, lose money, and ruin the guest experience in moments. That’s why hotels are increasingly tightening their cybersecurity practices, with strategies like stricter access controls and regular security audits, to reduce the likelihood of a breach. In this article, we’ll walk you through the threats facing hotels today, some real-life examples of cyber attacks in the hotel industry, and the tactics you can implement so your hotel isn’t the next target.

Common Cybersecurity Threats Facing Hotels

How do cybersecurity attacks happen? You may already have seen (and stopped) one or two of the most common threats at your hotel. Here are the most frequent ways criminals try to get at your hotel’s sensitive data:

  • Phishing attacks: These start with a fraudulent email, text message, or phone call that tricks an employee into handing over credentials or sensitive information. For example, your hotel might receive an email that looks like it comes from an OTA, instructing you to click a link to stop your listing from being deactivated. An employee who doesn’t recognize the lure clicks the link, lands on a look-alike login page and types in the extranet password, or replies with financial or personal data, and the attacker now holds it.

  • Ransomware attacks: Malicious software encrypts files or locks systems until a ransom, usually paid in cryptocurrency, is handed over; many gangs also copy the data out first and threaten to publish it. This kind of attack can render a hotel’s software useless for days. In September 2023 a ransomware attack on MGM Resorts took systems offline for roughly ten days: the PMS was down, and staff could not make keycards, collect payments, or manage parking.


  • Data breaches: Any theft of sensitive information, like credit card data and passport numbers, is a data breach. Hotels are big targets because of how much of this data they handle. Marriott disclosed a massive breach in 2018 in which the personal information of up to 500 million guests of its Starwood brands was exposed.

  • Insider threats: Many attacks originate outside the organization, but an inside job is not unusual. When employees have broad access to guest information, financial data, and shared passwords, data theft or a leak becomes easy and hard to spot. Limiting each account to what the role needs, logging who accessed what, and holding regular employee training on security protocols will minimize the risk of an insider threat.
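A concrete version of the OTA lure above: the following triage script, an added example written for this article rather than code from Hotel Tech Report or any vendor, scores one email on the three signals a mailbox filter or a trained employee would check: the display name claims a brand that the sending domain doesn’t match, the subject applies pressure, and a link points to a look-alike host that borrows the brand’s name. The trusted-domain list, the keyword list, and both sample messages are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the OTA and vendor domains this hotel legitimately deals with.
TRUSTED_DOMAINS = {"booking.com", "expedia.com"}
# Brand labels that attackers embed in look-alike hosts or display names.
TRUSTED_BRANDS = {d.split(".")[0] for d in TRUSTED_DOMAINS}   # {"booking", "expedia"}
# Pressure phrases typical of the "your listing will be deactivated" lure (starting point, not a classifier).
URGENCY_WORDS = ("action required", "deactivat", "suspend", "24 hours", "immediately")


class _LinkCollector(HTMLParser):
    """Collect href targets from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (naive; production code should use the Public Suffix List)."""
    return ".".join(host.lower().split(".")[-2:])


def host_labels(host: str) -> set:
    """Split a hostname into words: 'booking.com.login-verify.xyz' -> {'booking','com','login','verify','xyz'}."""
    return set(host.lower().replace("-", ".").split("."))


def phishing_findings(raw_message: str) -> list:
    """Return human-readable red flags for one email; an empty list means nothing suspicious was found."""
    msg = message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender.split("@")[-1]) if "@" in sender else ""
    findings = []

    # 1. The display name claims a trusted brand but the sending domain is not that brand.
    claimed = {b for b in TRUSTED_BRANDS if b in display_name.lower()}
    if claimed and sender_domain not in TRUSTED_DOMAINS:
        findings.append(f"display name claims {sorted(claimed)} but sender domain is {sender_domain}")

    # 2. Urgency or threat language in the subject.
    subject = msg.get("Subject", "").lower()
    if any(w in subject for w in URGENCY_WORDS):
        findings.append(f"urgent or threatening subject: {msg.get('Subject')!r}")

    # 3. Links whose host is untrusted but borrows a trusted brand name (look-alike domain).
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = _LinkCollector()
    collector.feed(body)
    for link in collector.links:
        parsed = urlparse(link)
        host = parsed.hostname or ""
        if registrable_domain(host) in TRUSTED_DOMAINS:
            continue                      # genuinely the OTA's own domain
        if host_labels(host) & TRUSTED_BRANDS:
            findings.append(f"look-alike link host: {host}")
        elif parsed.scheme == "http":
            findings.append(f"plain-http link to untrusted host: {host}")
    return findings


# Constructed sample of the OTA-deactivation lure described above (not a real message).
PHISHING_SAMPLE = """From: "Booking.com Partner Support" <support@booking-partner-hub.com>
To: frontdesk@example-hotel.test
Subject: Action required: your listing will be deactivated in 24 hours
Content-Type: text/html; charset=utf-8

<p>Log in <a href="http://booking.com.login-verify.xyz/extranet">here</a> to keep your listing active.</p>
"""

# Constructed benign counterpart: right brand, right domain, link to the real extranet host.
BENIGN_SAMPLE = """From: "Booking.com Partner Support" <support@booking.com>
To: frontdesk@example-hotel.test
Subject: Monthly performance report
Content-Type: text/html; charset=utf-8

<p>Your report is ready in the <a href="https://admin.booking.com/">extranet</a>.</p>
"""

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, phishing_findings(sample) or ["no red flags"])
```

Run it and the constructed lure produces three findings while the benign report produces none. The keyword list is only a starting point; the signal that matters is the comparison of the link host and sender domain against the brand being claimed, because that is the one thing an attacker cannot fake without controlling the OTA’s real domain.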


Real-Life Examples of Cybersecurity Breaches in Hotels

As we mentioned above, cybersecurity attacks do happen at hotels, and with unfortunate frequency. You may have heard about two major cybersecurity incidents that made the news headlines in the last few years: the Marriott data breach and the ransomware attack at MGM.

From 2014 until the intrusion was discovered in 2018, attackers had access to the guest reservation database of Starwood, which Marriott acquired in 2016. The breach exposed the personal information of up to 500 million past guests: names, addresses, email addresses, phone numbers, and in many cases passport numbers and credit card numbers. How did it happen? Some of the data, including many of the passport numbers, was stored unencrypted, and for the encrypted payment card numbers Marriott could not rule out that the decryption keys had been taken as well, so once the attackers were inside the reservation system the data was theirs for the taking. The UK Information Commissioner’s Office fined Marriott £18.4 million (nearly $24 million), and the incident has gone down in history as one of the biggest data breaches ever.

A different type of cybersecurity attack hit MGM in September 2023: a ransomware attack took guest-facing and back-office systems down for about ten days, at an estimated cost of $100 million. Guests reported problems with MGM’s keycards, slot machines, ATMs, parking systems, and more, and the incident was all over the news. The attackers reportedly got in not with an exotic exploit but by phoning MGM’s IT help desk, impersonating an employee, and talking their way into account access. It’s not clear whether MGM paid a ransom, but Caesars was hit by a similar attack shortly before MGM and reportedly paid about $15 million in exchange for the attackers not releasing the stolen data.

Best Practices for Cybersecurity in Hotels

No hotel wants to be the victim of a cybersecurity attack, so how can you prevent an incident from occurring? The good news is that there are a few simple best practices – some of which you can implement today – to keep your data secure and avoid becoming a target:

  • Implement strong access controls: In any system that houses sensitive information, configure role-based access so that only employees whose job requires the data can see it, and review those roles when people change jobs or leave. There’s no reason for every employee to be an administrator in every system. In addition, make multi-factor authentication mandatory, especially for email, remote access, and any account that can reach guest or payment data; a password alone is not enough.

  • Hold regular employee training sessions: In many cases an employee clicks a fraudulent link because no one taught them how to spot a phishing attempt. Make sure your employees can recognize phishing and other cyber threats, use the sessions to keep them up to date on your hotel’s current security protocols, and make it easy and blame-free to report a suspicious message, since a fast report limits the damage.

  • Secure guest WiFi networks: To keep your hotel’s sensitive data secure, run two separate networks on-site, one for guests and one for internal use, and isolate them from each other with separate VLANs and firewall rules, not just separate names and passwords, so that a compromised guest device cannot reach the PMS, POS terminals, or back-office PCs. The internal network should require authentication and be off limits to anyone outside your organization.

  • Encrypt your data: Avoid ending up like Marriott, with data at risk of theft because it wasn’t encrypted. Encrypt sensitive data in transit (TLS between your website, PMS, and payment systems) and at rest (the reservations database and its backups), and keep the encryption keys separate from the data they protect, since a key stored next to the database is stolen along with it.

  • Conduct regular security audits: Work with a third-party cybersecurity vendor to assess your security risks and carry out penetration testing at a regular interval, and fix what they find before the next test.

  • Establish an incident response plan: Although it’s never fun to think about the worst-case scenario, formulate a plan for how you and your team would handle a breach. Write down who decides what, who calls the payment processor, insurer, and lawyers, and how the front desk keeps issuing keys and taking payments while the PMS is down, then rehearse it so that you can respond quickly, minimize the impact, and keep the hotel operating throughout the incident.

Cybersecurity Tools and Technologies for Hotels

What tools and technologies will help you keep your data safe? At a minimum, your on-premise devices should have firewalls and antivirus software to block known malware. An intrusion detection system can alert you when a malicious file is downloaded or an unauthorized user gains access to a device. When you collect guest payment data, use a tokenization service: the card number is replaced by a random token that your PMS and POS store instead, so those systems never hold the real number and a breach of them yields nothing usable. Tokenization is not the same as encryption, and neither removes the need for TLS to protect data in transit; the three work together.
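Tokenization in practice, as an added example for this article (not the code of any payment vendor or of Hotel Tech Report) that also covers the “encrypt your data” advice above: the PMS or POS hands the card number to a vault once, stores only the random token and the last four digits it gets back, and the vault alone can turn the token back into a PAN when a charge is sent to the processor. The in-memory dictionary stands in for a real vault, which in production is the vendor’s or the payment gateway’s service, encrypted at rest inside the PCI-scoped network segment; `TokenVault`, the `tok_` prefix, and the test card number 4111 1111 1111 1111 are conventions chosen here.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test: rejects mistyped numbers before they ever reach the vault."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:               # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form PCI DSS permits: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Stand-in for a tokenization service (assumption: in production this is the
    vendor's or payment gateway's vault, encrypted at rest, inside the PCI-scoped
    segment). It is the only component that ever holds a PAN."""

    def __init__(self):
        self._pans = {}              # token -> PAN, the only copy anywhere

    def tokenize(self, pan: str) -> tuple:
        """Return (token, last4). The token is random, so it reveals nothing about the PAN."""
        pan = "".join(c for c in pan if c.isdigit())
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        token = "tok_" + secrets.token_hex(16)
        self._pans[token] = pan
        return token, pan[-4:]

    def detokenize(self, token: str) -> str:
        """Only the charge path (vault -> payment processor) should ever call this."""
        return self._pans[token]


def store_reservation_payment(vault: TokenVault, reservation_id: str, pan: str) -> dict:
    """What the PMS/POS record looks like: token and last four only, never the PAN."""
    token, last4 = vault.tokenize(pan)
    return {"reservation": reservation_id, "card_token": token, "card_last4": last4}


def record_leaks_pan(record: dict, pan: str) -> bool:
    """Audit check: a stolen copy of the reservation record must not contain the card number."""
    return pan in str(record)


if __name__ == "__main__":
    vault = TokenVault()
    card = "4111 1111 1111 1111"     # constructed Visa test number, not a real card
    record = store_reservation_payment(vault, "R-1001", card)
    print("stored in PMS:", record)
    print("shown on receipt:", mask_pan(card.replace(" ", "")))
    print("leaks PAN?", record_leaks_pan(record, card.replace(" ", "")))
    print("vault resolves token for the processor:", vault.detokenize(record["card_token"]))
```

The point of the design is scope: a breach of the reservation database yields tokens that are useless outside this vault, and the PAN crosses the wire once, over TLS, instead of living in every system that touches the booking. Note that each call produces a fresh random token, so a vault that needs to recognise a returning guest’s card would look up the PAN first; and `mask_pan` is the only form the number should ever take on a receipt, screen, or log.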

Emerging technologies, like AI-driven monitoring tools that flag unusual logins or data transfers, aim to add another layer of security, and blockchain-based identity and payment schemes are being pitched for the same purpose, though they remain experimental in hospitality. Passwordless authentication methods are beginning to reduce reliance on passwords and other easily stolen credentials, but none of these replaces the basics above.

How Hotels Can Protect Guest Data and Maintain Compliance

Given that hotels handle a lot of sensitive guest data, from email addresses to passport numbers, it’s crucial to not only protect this data but also stay compliant with local regulations. A few regulations are especially relevant to the hotel industry:

  • GDPR: The General Data Protection Regulation is a European Union regulation, in force since May 2018, that sets rules on what companies can and cannot do with personal data and requires a lawful basis, such as consent, for processing it. The cookie-consent pop-ups you see on websites are one visible outcome. Any company that handles the personal data of people in the EU, including a hotel outside Europe that takes bookings from European guests, must comply or risk fines and legal action.

  • CCPA: Often compared with GDPR, the California Consumer Privacy Act is a state statute that gives California residents the right to know what data is collected about them and how it is used and shared, and to request its deletion.

  • PCI DSS: The Payment Card Industry Data Security Standard applies specifically to card data. It sets requirements for how businesses collect, transmit, and store payment information (for example, never storing the full magnetic-stripe data or the card security code after authorization), and requires annual validation, via a self-assessment questionnaire or an on-site assessment depending on transaction volume, that those requirements are being met.

Compliance with these regulations is a floor, not a guarantee: meeting them lowers your risk and avoids legal penalties, but the practices above are what actually keep the data safe.

Future Trends in Hotel Cybersecurity

Now you know how to keep your hotel’s data and digital infrastructure safe today, but what can you expect with the rise of new technologies? A few technological advances will surely require close attention to security risks and data protection.

As hotels deploy more IoT (Internet of Things) devices, such as smart locks, thermostats, and smart speakers, there are more devices to keep secure, and many of them ship with default passwords and rarely receive firmware updates. That makes it even more important to change default credentials, keep firmware current, put these devices on their own network segment away from the PMS, and apply the same access controls as everywhere else.

The rise of biometric security measures, such as facial recognition and fingerprint scanning, means even more sensitive personal identifying information that must be transmitted and stored securely. Biometrics can help you control access to systems and physical spaces: a password can be shared, a fingerprint cannot. The flip side is that a password can be changed after a breach and a fingerprint cannot, so store biometric templates with at least the care you give payment data, and keep them out of any system that doesn’t need them.

The shift toward digital guest experiences also leads to more complexity when it comes to preventing cybersecurity risks. Keyless entry to guestrooms, for example, has a lot of advantages, but it also opens up the risk of a hacker gaining unauthorized entry into a guestroom. Similarly, mobile check-in is faster and more convenient than standing in line at the front desk, but it means hotels must be more attentive to keeping guest data secure across many devices and systems.

The hospitality industry handles vast amounts of sensitive data, which makes it a prime target. Hoteliers must protect credit card details, passport numbers, and reservation data from criminals using phishing, ransomware, and malware, and the WiFi networks and IoT devices a hotel runs widen the attack surface. Incidents like the DarkHotel espionage campaign, which targeted travelling executives through hotel WiFi, and the Marriott breach show the need for robust defenses. Phishing and other social engineering can compromise guest data, point-of-sale (POS) systems, and card information, and with them the guest experience. The response is the same set of basics: timely updates, strong authentication, network security tools like firewalls, PCI compliance, and training and risk assessments that teach staff to recognize phishing emails, DDoS symptoms, and other scams.

The risk is too great to ignore, and the practices above are the cyber equivalent of the fire detection systems in your hallways and guestrooms. Since those practices are constantly changing, stay up to date on the latest strategies to avoid becoming the target of a breach.

Jordan Hollander
Jordan is the co-founder of Hotel Tech Report, the hotel industry's app store where millions of professionals discover tech tools to transform their businesses. He was previously on the Global Partnerships team at Starwood Hotels & Resorts. Prior to his work with SPG, Jordan was Director of Business Development at MWT Hospitality and an equity analyst at Wells Capital Management. Jordan received his MBA from Northwestern’s Kellogg School of Management where he was a Zell Global Entrepreneurship Scholar and a Pritzker Group Venture Fellow.