
Preventing cybercrimes in the hospitality industry.

Posted 3/11/2019


Day in and day out, the hospitality industry has access to a steady stream of customers’ personal information: a cybercriminal’s dream. In the past decade, hotels have been repeatedly targeted for cybercrimes, and the trend is not slowing down. From small properties to global corporations, hotels have taken the hit with stolen data, locked computer systems, and costly fines. Not to mention damage control.

In 2017, Hilton received a $700K fine for mishandling their data breach after experiencing a malware attack in 2015. Hilton was fined for waiting nearly a year to confirm to guests that their credit card information had been exposed and for not having proper safeguards in place to prevent a cybercrime. Likewise, Hyatt suffered another major breach last year, affecting cards that had been swiped at reservation desks, adding insult to injury after undergoing an online cyberattack in 2015.

According to the 2015 Trustwave Global Security Report, the hospitality industry is among the top three industries targeted by hackers. Hotels face unique challenges because they offer an attacker multiple points of entry. From countertop POS systems to online reservations to on-site malware attacks or remote breaches, the opportunities to enter the computer system abound. The number-one measure for preventing cybercrimes is PCI compliance. Hot on its heels are analysis, training, and education to reduce the risk of cyberattacks.

In addition to the financial losses incurred when resolving a data breach—which can soar into the millions for large corporations—there is the loss of business assets as well as damage to the brand name. All fifty states, as well as the District of Columbia, have adopted laws that require a company to inform clients and customers when their personal information—name, address, credit-card information, social security number, etc.—may have been compromised.

WHAT ARE YOUR LEGAL OBLIGATIONS?

Because hotels interface with guests in many different arenas, the hotel must analyze the notice requirements in every state that might be implicated to comply with the laws, which vary in the timing, content, and nature of the required notice.

In addition, many hotels may choose to assist their guests by providing free credit-card monitoring and other services to help guests avoid potential problems. This also can be a significant expense, but it has become something of a standard response to help retain guest loyalty.

HOW CAN YOU BETTER PROTECT YOUR ORGANIZATION?

For some suggestions designed to assist you in developing sound policies and procedures for your organization, please review our helpful checklist.

Maintain yearly PCI compliance. The Payment Card Industry Data Security Standard (PCI DSS) offers a comprehensive and proven set of guidelines to bolster data security, and compliance is required by the five major card brands. Major brands usually provide the necessary IT support to ensure compliance, but smaller chains, portfolios, or one-off properties will likely have to hire an outside consultant or security auditor to make sure the 12 requirements are being met—and then implement the appropriate security measures.

Secure your POS. Having experts regularly assess your POS system will go a long way toward preventing a data breach. Hackers often take advantage of inherent weaknesses in POS systems, like configuration errors or weak and default passwords, which give malware an easy way in. Shoring up the POS is extremely important.

Confirm your network divide. There should be two sides to every hotel network: one side for guests to access the Internet and the other for hotel associates to access necessary programs and information. The guest side should in no way be touching the hotel side, and vice versa. Verify this separation regularly.

Secure Wi-Fi. Make sure the Wi-Fi has its encryption and password protection settings enabled, and have guests log on using a password. Hotel employees should first verify the guest is registered at the property before disclosing that network key.

Firewall away! Firewalls should require authentication every time a user moves from one side of the network to another. Investing in these security systems can be expensive, but it’s one of the best ways to isolate and contain breaches.

Limit remote access. There are various types of authentication and encryption, and each user should have a unique username and a strong password. Most importantly, the remote access channel should be disabled after each use.

Reduce collected info. Only collect the information you need, and do not store it longer than needed. Simply by following that rule, hotels will be able to reduce their potential exposure.

Conduct an informal audit. Gauge your employees’ use of and ability to access information. Ask yourself: Who has access to what information? How are they getting it? Do they need that information to do their jobs? And if they do, require employees to have their own usernames and passwords so that access can be tracked.

Assess everywhere data exists. Make a concerted effort to track personal data throughout your entire information infrastructure. For example, you might have a guest’s credit card number stored in a paper file in your office (not that you should ever keep paper records of personal data), but did you know there might also be electronic copies in the hands of vendors or third parties if you outsource any booking services?

Adopt a policy. Make information security a written workplace policy. Raise awareness that this information represents a trust your guests have placed in you: that you are going to use it appropriately, that it is valuable to the company, and that it is an area that can get you in trouble if you misuse it or use it inappropriately.

Set up a breach protocol. Planning for a breach is essential. This means having a protocol for addressing the breach and, most importantly, identifying by name a response team—including attorneys, security experts, C-level executives, public relations professionals, and others—who can act immediately to identify the scope of a breach, determine the proper response, and make executive decisions to limit the damage.
