By Roy Reichold
Yes, you may not be a big box store or a Wall Street behemoth; however, you most certainly do have sensitive and valuable client information in your business. Not only that, but you are also a much easier target than most of the companies you hear about on the news that are the victims of cyber-attacks. The sensitive data hotels capture as a fundamental part of the business is vast. Hotels collect consumers’ identification (including passports), credit card information, addresses, and — in cases involving spas, for example — protected health information. Hospitality companies also retain employee data, trade secrets, and suppliers’ bank information. This data makes hotels a valuable target for cybercriminals.
Ponemon and IBM Security’s 2022 global case study report revealed that $2.94 million was the average total cost of a data breach in the hospitality industry from 2021 to 2022. The associated costs from a breach come from several sources, including lost business, reputational damage, legal costs, forensic activities, crisis management, regulatory response, and customer notification — to name a few.
Recent examples of cyber-attacks on the hospitality industry:
Hotels and resorts have suffered from a variety of cyberattacks, but the most effective have been low-level social engineering and phishing campaigns. One cybercrime group known as TA558 has been targeting hospitality companies in Latin America with malicious links and attachments. Their method includes reservation-themed lure emails directed toward hotel and travel company employees.
According to IBM Security’s report, 83% of global organizations suffer more than one data breach. In September 2022, the hack of a well-known UK-based multinational hospitality company led to a two-day outage of its online booking system. The same group also suffered a ransomware attack at one of its Turkish locations the previous month, although no connection necessarily exists between the two breaches. The same multinational hospitality company settled a class-action lawsuit in 2019 for a malware breach that affected several of its hotels, restaurants, and bars.
Hotel-specific cybersecurity challenges:
A major challenge for hospitality in cyberspace is allowing consumers to have a single access point to roam freely across a property. Third parties often manage restaurants, shops, or spas within a hotel, which means systems need to be interconnected and data needs to be shared. This typically involves a property management system (PMS), but it’s not bulletproof. It requires strong cybersecurity measures and strict data compliance. Payment Card Industry Data Security Standard (PCI-DSS), Multi-Factor Authentication (MFA), Endpoint Detection and Response (EDR), and Data Protection Act compliance are safeguards required in different scenarios.
According to NordLocker, within the US, the hospitality industry has been one of the industries most targeted by ransomware over the past two years. Ransomware attacks are two notable ransomware attacks. The hospitality industry may be a prime target for bad actors because it’s known as a laggard in cybersecurity hygiene. The industry has fewer regulatory requirements than other industries, such as the healthcare and financial sectors.
A ransomware attack can cripple a hospitality firm’s day-to-day work, causing delays in reservations, rental venue timelines, and outgoing/incoming payment processing. Furthermore, sensitive information such as client and employee data is at risk. Reputational damage can also have a lasting impact on the business’s relationships. Without a plan for mitigating these risks and dealing with the financial repercussions of a cyber-attack, your hospitality business could very likely go out of business. We are experts in ensuring that your hospitality business is protected from the risks of a cyber-attack.
Roy Reichold is a Senior Risk Advisor at Lakenan Agency in St. Louis. For 25 years, he has specialized in assessing risk specifically for the hospitality industry across the Midwest.