Cybercrime is big business and security breaches of hotel guest data are becoming all too common, if not a fact of life. 2018 was dubbed “the year of the breach,” with hundreds of major brand names falling victim to data thieves including T-Mobile, British Airways, Air Canada and Marriott – the most recent hotel brand to join a very long list of hotel data breach exposures.
Over the past decade, the hospitality industry has been the target of numerous security breaches and threats. More than a dozen data breaches and data security attacks have been reported by hotels since 2010, affecting everything from major multinational corporations, including Hyatt, Hilton, Kimpton and Omni, to single properties and providers, namely Orbitz, Sabre and FastBooking. Hospitality is an attractive target for hackers not only because hotels collect troves of passwords, personally identifiable information, credit card details and other sensitive information, but also because, unlike in other industries, more hotel applications and systems are exposed to the internet, creating more entry points for attack.
While modern technology allows hoteliers to easily collect, store and use vast amounts of personal data about their customers enabling them to enhance, streamline and personalize the guest experience, any breach of data is serious, and can have severe consequences in terms of loss of revenue, financial penalties and also for the hotel’s reputation and customer loyalty.
As attacks continue to grow in frequency and sophistication, hospitality security requires ongoing diligence and multiple layers of defense. So what can and should you be doing to keep your guests’ personal data safe?
Conduct a Risk Assessment of Your Existing Data: Hotels receive personal data through multiple channels and touchpoints including email, fax, phone, website, forms, etc., and this data is often stored on multiple platforms across several departments. To properly assess risk and come up with a cybersecurity plan, one of the first tasks a hotel needs to tackle is a full assessment to understand all points where data is received, where specific data is held, who has (or actually needs) access to it and the implications of it being compromised.
Additionally, this risk assessment should include an examination of third party vendors to ensure their cyber protection is adequate. Weaknesses in a vendor’s cybersecurity could jeopardize your hotel data as well.
Hack Your Own System: To gauge just how robust and secure your data is and to identify any weaknesses, hoteliers can employ the expertise of the security research community. Ethical hackers can report vulnerabilities, security flaws, leaky servers and more before less well-intentioned individuals stumble across them, potentially leading to cyberattacks or data theft.
Hyatt Hotels is one such brand that has recently launched a bug bounty program that will reward researchers who find vulnerabilities in its sites and apps – all in the name of keeping guest data safe. “As one of the first global hospitality brands to launch this type of program, we extend the ways we care for our guests and deepen our commitment to protecting their sensitive information,” said Benjamin Vaughn, Chief Information Security Officer, Hyatt Hotels.
Implement Attack-Based Security: As attacks continue to grow in frequency and sophistication, Tamulyn Takakura, cybersecurity expert at Prevot, has said, “It's impossible and impractical to find and fix every vulnerability to account for every threat.” As a solution to this, attack-based security can provide hoteliers with real-time attack protection, meaning that attacks can be detected, prevented, and neutralized in real time, so business keeps going even in the face of such an event. While businesses would prefer to prevent breaches from happening, should an incident occur, attack-based security buys time, which is a critical asset to have when responding to data security threats.
Complete Ongoing Training and Monitoring: Prevention is always better than a cure when it comes to cybersecurity. Hoteliers should provide regular refresher training in data security for all staff to ensure an awareness culture exists and to protect against possible breaches. Ensure employees know the processes to follow in the event of a breach and know to report any mistakes immediately to the DPO or the person or team responsible for data protection compliance.
While strengthening your defenses against cyber threats can be complicated and tedious, these are a few ways your hotel can protect its business and guests from data breaches. Beyond the need to protect your company against heavy fines, audits and remediation costs, hoteliers need to realize that the full consequences of data breaches also include reputational harm and potential loss of business. The business of the hotel industry is taking care of the guest, and this care should be extended to include securely managing their information.