How to Prevent Malware Attacks and Promote Cybersecurity at Your Hotel


Jordan Hollander in Operations

Last updated January 26, 2022

Do you have a spare $1.6 million lying around? That’s the average amount that security experts now estimate a business needs to recover from a cyberattack containing malware.

Hotels are easy targets for hackers. Cybersecurity is not something many hotels feel confident in. “Last year, the two biggest global reports on data breaches, Trustwave’s Global Security Report and Verizon’s Data Breach Investigation Report, both show hospitality continuing to struggle in this area. Verizon, meanwhile, reports that accommodation, food and lodging made up for nearly 54% of their caseload,” says Bob Russo, GM of the PCI Security Standards Council.

Each time a hotel’s guest records get breached, the property is burdened with financial strain and faces broken trust with guests. As a hotelier, you don’t need to be an expert in cybersecurity, but you absolutely need to understand the basics to protect your business and your guests. Here are some ways to tackle cybersecurity at your hotel and minimize your risk as much as possible. 


Why Hotels are Attractive Targets for Hackers

Hotels are easy – and profitable – targets for hackers. Hotels make attractive targets for two reasons: first, cybersecurity at many properties is lax. “Only about 25% of all U.S. businesses, including hotel operators, are fully compliant with current data security best practices. That means that three out of four are not and are potential disasters waiting to happen,” says Russo.

Secondly, hotels process lots of transactions and store tons of guest data. A hacker can simultaneously target a property’s point-of-sale and property management system to capture payment card information as well as personal data, like passport numbers and email addresses. Malware can move between POS and PMS systems at different properties under the same brand, affecting guests in locations around the world with no one the wiser. Likewise, there are many access points a hacker can target in a single property. “In February, it was reported that of the 21 most high-profile hotel company data breaches that have occurred since 2010, 20 of them were a result of malware affecting POS systems in a hotel restaurant, bar, and retail outlet,” says Mark Voortman, Ph.D., head of the information technology program at the Pittsburgh-based Rowland School of Business.

A small, 100-room hotel with a 50-seat restaurant still processes hundreds of unique payments each day. Those unique payments are virtually defenseless; few hotels have the necessary security protocols, infrastructure, and training in place to make sure any interested parties are dissuaded from stealing guest information. 


What is Malware? Key Cybersecurity Concepts Defined

Understanding the key concepts of cybersecurity is half the battle. Here are some common terms you will encounter while improving security at your hotel: 

  • Phishing: phishing occurs when scammers send you an email, text, or even call you to try to trick you into revealing personal information they can then use to access your bank details or credit cards. A phishing email might look like a message from your bank warning you that it will shut down your account unless you verify your personal information. 

  • Encryption: Encryption is a security procedure that involves scrambling data so that only parties authorized to read it can understand the information. The process takes readable data and alters it so that it appears random. The party that receives encrypted information needs a key to unscramble data and turn it into readable plaintext. 

  • VPN: VPN stands for “virtual private network.” A VPN will mask your IP address and keep your internet activity largely untraceable. It’s a great tool for making sure your internet connection is secure and private. 

  • Malware: malware is shorthand for “malicious software.” Malware is designed to gain access to your computer; spyware, ransomware, viruses, and Trojan horses are all different types of malware. 

  • Penetration test: penetration testing is a procedure where a cybersecurity expert tries to identify weak points in a computer system. The expert simulates a malware or hacking attack to find any vulnerabilities that bad actors could take advantage of. 

  • APT (Advanced Persistent Threat): an APT is the worst kind of attack, in which a bad actor uses “continuous, clandestine, and sophisticated hacking techniques to gain access to a system and remain inside for a prolonged period of time, with potentially destructive consequences.”

  • Antivirus: a program designed to detect and destroy computer viruses on an operating system.

  • Anti-malware: Similar to antivirus software, but where antivirus focuses on older, known threats, anti-malware typically focuses on newer, unknown threats. Malware protection focuses on identifying unknown threats before they turn into full-on, mature viruses. Malware removal is typically more difficult than virus removal since there are more unknowns.

  • Rootkit: A rootkit is a clandestine computer program designed by cybercriminals to provide continued privileged access to a computer while actively hiding its presence.

  • Keylogger: A keylogger, sometimes called a keystroke logger or system monitor, is a type of surveillance technology used to monitor and record each keystroke typed on a specific computer's keyboard. Keylogger software is also available for use on mobile devices, such as Apple's iPhone and Android devices. Keyloggers are legitimate software that can be used for good, but they are often used in scams to steal sensitive information like credit card numbers and passwords.

  • Botnet: a network of private infected computers containing malicious code and controlled as a group without the owners' knowledge, e.g., to send spam messages.

Using a VPN and encryption, as well as performing regular penetration testing, can keep your network secure against malware and APTs. You should also ensure that your hotel's IT team regularly checks property computers for keystroke loggers and that your staff doesn't open strange email attachments. These are the bare minimum security protocols you must practice regularly to avoid disasters like these high-profile hacks in the hotel industry.


High-Profile Malware Attacks in the Hotel Industry

Research from Symantec, a cybersecurity firm, found that more than 65% of hotels are routinely leaking booking reference codes through third-party sites. Why is this important? Because the information shared through these codes would allow a bad actor to log in to a reservation, view personal details, and even cancel a booking altogether. When this happens, your guest information is vulnerable and you risk destroying the guest relationship.

Symantec’s research showed hotels of all sizes are at risk. Major hacks have occurred at HEI Hotels & Resorts, Starwood/Marriott and more. Here are just a few high-profile events:

HEI Hotels & Resorts 

In 2016, a data breach impacted 20 US hotels operated by HEI Hotels & Resorts. The attack exposed the payment card data from tens of thousands of food and drink transactions. Malware was discovered on the hotels’ payment systems used to process card information at on-site restaurants, bars, spas, lobby shops, and other facilities. Experts determined that hackers likely stole customer names, account numbers, card expiration dates, and verification codes.


Starwood/Marriott

In January 2019, Starwood/Marriott discovered that a data breach had exposed the personal information of guests who had stayed at their properties since 2014. Guest data was stolen for around 500 million people – including encrypted passport numbers and credit or debit card numbers. The New York Times reported that hackers may have been working with China’s Ministry of State Treasury, as an attack of this scale is remarkable.

Omni Hotels & Resorts

Omni was also attacked in 2016 in a malware breach that affected 50,000 customers. Debit and credit card information from 49 of the chain's 60 locations was stolen, including credit and debit card numbers, cardholder names, security codes, and expiration dates.


Hyatt

At 41 of Hyatt’s hotels, hackers gained unauthorized access to payment card information in the second attack since 2015. Of the second attack, one security expert noted, “It’s possible the steps taken by the Hyatt group back in December 2015 are still being deployed throughout the organization, especially if those systems are dispersed around the globe and not connected by a common network. When choosing your systems management toolset, you need to implement the solution which is secured using 2048-bit certificates and two-factor authentication but also works regardless of where the endpoints are located.”


Sabre

Sabre processes reservations for roughly 100,000 hotels and more than 70 airlines worldwide. The company was targeted in 2017 by bad actors who stole credentials for the Sabre Hospitality Solutions’ SynXis Central Reservations system. Those credentials provided access to customer data, including payment card information and reservation details – customers’ names, email addresses, phone numbers, and addresses.

These high-profile attacks grab headlines, but there are hundreds of smaller attacks that happen at hotels each month. Even recently, a massive hack, like the one at the Fontainebleau in Miami, has gone unnoticed by the mainstream media. Sources reported that the Fontainebleau faced a ransomware attack on its credit card system, forcing the hotel to either compromise guest data by continuing to accept card payments or to ask guests to pay in cash. Guests waited up to five hours for rooms while the front desk tried to mitigate the situation – a scene one person described as “chaos.” “The line was out the door into the lobby,” one executive told Variety Magazine. For a five-star hotel such as the Fontainebleau, an incident like this is absolutely brand destroying.


How to Protect Your Hotel from Malware Attacks & Cyber Threats

What’s the best way to make sure your data stays safe and no guests are left stranded? First and foremost, take extra care in selecting a point-of-sale system and credit card processor. “Agreements with those entities should be vetted and, if possible, modified to add protection and minimum data handling standards for the outside vendor. Compliance with the Payment Card Industry Data Security Standard (PCI-DSS) not only helps to ensure that data security software, hardware, and practices are safer, but also helps to protect against fines and penalties when a breach occurs,” writes one expert.

An enterprise-grade provider, like Oracle Hospitality, can secure the vulnerable link between your PMS and POS. Oracle OPERA is a cloud-based property management system that integrates with the Micros point-of-sale system, as well as a suite of other applications. Oracle offers sophisticated security protocols, such as Cloud Security Monitoring Analytics for monitoring the platform both on-site and in the cloud. Oracle tools also include: 

  • Cloud Compliance Control (OMC CC) for checking the configurations against company requirements or external regulations; 

  • Cloud Access Security Broker (Oracle CASB) to discover shadow IT in the cloud and monitor corporate requirements regarding the use and configuration of Oracle and 3rd party cloud services such as AWS, Salesforce, Azure, Box etc.; 

  • Identity Cloud Service (Oracle IDCS) for providing a user management and authentication system for on-premises or cloud services.

These security protocols monitor what’s going on in your internal network as well as any external attacks. Working with Oracle gives you multilayer security, data protection, secure transactions, and compliance with payment and data privacy standards. But, as evidenced in the Sabre attack, sometimes even these measures aren’t enough. With the right credentials, anyone can get past your security system.

The right technology is only half the equation; over the years, security experts have also identified employees as part of the problem. Hotels must train their staff to handle personal information security, comply with privacy policies, and change user access credentials regularly. This industry has high turnover, which is part of the reason why employees don’t always maintain security standards. Your property should regularly host info-sec seminars to make sure all new employees are trained and veterans stay up-to-date with the latest threats.

Even with a great PMS/POS system and the right training, it’s important to perform routine penetration testing and risk assessments. There’s no straightforward answer as to how often you should pen test your network, but experts warn that once a year probably isn’t frequent enough. Beyond training your staff, keeping your security software up to date, and investing in a platform like Oracle OPERA that's invested in cybersecurity, you can encourage your guests to use a VPN and to log out of their WiFi when not using it.