The hotel industry is also vulnerable to cyber attacks, as evidenced by an attack targeting MGM Resorts Hotels in February 2020 and reported by ZDNet. As a result of the attack, the personal details of more than 10.6 million users who stayed at these hotels have been published on a hacking forum this week. These included the personal details (reportedly names, home addresses, telephone numbers, emails, dates of birth and passport numbers) of celebrities, tech CEOs, reporters, government officials, and employees at some of the world’s largest tech companies, in addition to regular tourists and travelers. Needless to say, the attack also tarnished the hotels’ prestige and reputation.
One of the largest attacks against a hotel chain was perpetrated against Marriott Hotels, which was required to pay a fine of £14.8 million by the UK’s Information Commissioner’s Office (ICO).
The data breach may have affected up to 339 million guests – of whom 7 million were in the UK – and is suspected to have potentially compromised their names, contact information and passport details. The attack began in 2014, targeting the Starwood Hotel group which Marriott acquired in 2016, and continued until 2018, when the breach was detected.
ACID provides advance alerts, followed up with detailed notifications of additional information as it becomes available, allowing organizations to avoid or mitigate the effect of attacks aimed at data theft and to protect their reputation.
Is there a genuine need for cybersecurity in the hospitality industry?
Yes, the need for hotel cyber security is real.
The Financial Times reported in 2022 that hotels and hospitality businesses are now the third most cyber-targeted industry. Hotels store enormous amounts of customer data, including names, addresses, passport details, credit card information and more. This is a treasure trove for cybercriminals, who can commit ransomware attacks after stealing this data and encrypting it.
Hotels suffering from ransomware attacks must make the difficult choice between paying hefty ransoms and risking disruption to their operations, potentially disastrous harm to their reputation, and loss of business.
The vulnerability of hotels is explained by the fact that computer systems have replaced many of the face-to-face services provided by hotel staff to guests. Staff shortages have led to even more widespread use of computerized services. Additionally, reservations are increasingly made on external websites and apps – an additional potential vulnerability – as opposed to the hotel chain’s own website.
What is the extent of the problem, which justifies hotel cyber security services?
Ponemon Institute and IBM have analyzed the average costs of a breach in the hospitality industry, including not only the cost of lost business, but also costs resulting from damage to reputation, expenses covering forensic activities, legal services, crisis management, regulatory response and customer notification. They have concluded that the average total cost of a breach in this industry between 2021 and 2022 was $2.94 million.
Some recent attacks targeting hotels are described below:
- In September 2022, Marriott Hotels was required to pay a fine of £14.8 million by the UK’s Information Commissioner’s Office (ICO), following a cyberattack which began in 2014 (against the Starwood Hotel Group, which Marriott acquired two years later). This data breach, which was only detected 4 years later, may have affected up to 339 million guests.
- Also in September 2022, a UK-based multinational hospitality company suffered a two-day outage to its online booking system following a hack. This came after a ransomware attack a month earlier at a Turkish location operated by the same multinational company, which in 2019 settled a class-action lawsuit for a malware breach that affected a number of its hotels, restaurants and bars.
- In an attack targeting MGM Resorts Hotels in February 2020, the perpetrator gained access to the personal details of more than 10.6 million guests and published them on a hacking forum. The guests included celebrities, tech CEOs, reporters, government officials, and employees at some of the world’s largest tech companies, in addition to regular tourists and travelers. The personal details stolen were reportedly names, home addresses, telephone numbers, emails, dates of birth and passport numbers.
What are the types of cyberattacks targeting the hospitality industry, which hotel cyber security can protect against?
The most frequent types of cyberattacks that the hospitality industry needs to protect itself from include:
- Point-of-sale/payment card attacks, which are regarded by many as the greatest threat to the hospitality industry. This is a third-party crime in which the vendor is targeted, rather than the hotel itself.
- Ransomware, which can prevent access to systems and data and disrupt hotel operation until the ransom is paid. It should be noted that in October 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) warned that ransom payments may not only encourage cybercriminals, but also place organizations that pay the ransom at risk of violating OFAC regulations.
- Remote hacking through third-party vendors, such as various contractors and service providers.
- Phishing scams targeting customers and hotels. Guests sometimes find themselves providing their personal and credit card information on what they discover later are fake websites posing as legitimate ones. Cases in which hotels have sent their monthly fees to falsely branded web pages have also been recorded.
- DDoS attacks – hotels are particularly vulnerable to this type of attack because so many of their devices and systems are managed by computers and can be leveraged to disrupt other systems operating on the same infrastructure.
- Theft of personal information over hotel Wi-Fi, which the FBI has warned against, stating that Wi-Fi networks in hotels typically favor guest convenience over strong security practices. Guests cannot be sure that all the security features have been activated on a hotel’s Wi-Fi network, and that security patches are installed without delay.
- DarkHotel hacking is particularly worthy of attention. Classified by Kaspersky as a major risk, it has been known to compromise luxury hotel networks, then stage attacks from those networks on selected high-profile victims. Kaspersky explains that the DarkHotel group appears to use a combination of spear phishing, dangerous malware, and botnet automation designed to capture confidential data. It adds that the group’s attacks are typically layered and involve two malware infection stages – an initial bait for malware infection in order to infiltrate devices and vet for high-value targets, followed by a secondary malware infection aimed at stealing their data.
Is cybersecurity in the hospitality industry cost-effective?
As stated above, the cost of a breach in the hospitality industry is, on average, close to $3 million. The harm to reputation and resultant loss of business to a hotel, which may continue for an extended period of time, must also be taken into account.
Even when hotels do take action to improve security, running a single penetration test to detect vulnerabilities in their computer systems can cost up to $25,000, according to Tristan Gadsby, chief executive of hospitality consultancy Alliants.
ACID uses AI algorithms and clusters of bots that scan the clear, deep and dark web to detect the first signs of an impending attack. Its advance alerts make it possible to avoid or mitigate the effect of attacks aimed at data theft and to protect reputation – and can spare hotels the potentially severe consequences of a cyberattack.