Deep CyberSecurity Hacking, Analysis and Solution in Hospitality Industry
upcoming 2021/2022 at all layers, followed by ISO27001, GDPR, and CIS V7.1 Standards Compliances
Abstract
This review aims to emphasize the importance of cybersecurity in the hospitality industry, followed by GDPR, CIS v7.1, and ISO27001 compliances. This study further identifies and analyzes the urgency, needs, and several common network threats and recommends applicable security practices and techniques to prevent cyber-attacks in hotels at all layers: Data -> Application -> End-Points -> LAN -> Perimeter -> WAN -> Cloud. The methodology of this article is a unique combination of the qualitative method and the review method for an in-depth understanding of real-life issues within the industry and the most recent technical and practical solutions that hotels use to handle and solve these issues. The findings of this paper show that the techniques currently utilized by hotels to prevent cyber-attacks are mostly rudimentary and outdated.
Furthermore, it indicates that most hotel staff lack the knowledge and expertise to handle potential threats. Thus, the hospitality industry becomes even more vulnerable to cyber threats and attacks. Finally, the paper discusses some implications and recommendations to hotel policymakers to help secure the hotels and guests’ information from security attacks.
This analysis is a rich source of information for Information Technology (IT) directors and Chief Information Security Officers (CISOs) to advance their policies and procedures for security and data in hotels using the most recent and updated information available in the hospitality industry.
Introduction

Data privacy and cybersecurity needs in the hospitality industry are taking the manifest of a data hub, driven by increasing transaction volumes, complex reporting requirements, e-marketing, and international communication needs. Information technology (IT) can improve almost all areas of the hospitality industry, such as guest services, reservations, room and data access, sales, services, maintenance, security, and accounting. More recently, the Internet of Things (IoT) is shaping the future of the hospitality management industry by opening up new avenues for immediate, personalized, and localized services. For example, in-room IoT units like an electronic key for room access, in-TV cameras, and motion sensors can penetrate customers’ privacy. Moreover, edge/fog computing can be utilized to provide location-based services for the hospitality industry. Although technology incorporation in the hospitality industry has transformed the way services are provided and received and has helped improve guest experiences, it has also given rise to various challenges, among which ensuring the cybersecurity of these incorporated technologies is of paramount significance.

The use of technology in the hospitality industry often requires gathering guest information and thus can lead to data breaches and information loss. To prevent losses, organizations monitor their computer networks for many security threats, such as computer-assisted fraud, espionage, sabotage, hacking, system failures, fire, flood, etc. Since the hospitality industry is a data hub, a consumer-centric business where consumer loyalty and trust directly translate to revenue, most hospitality organizations try not to reveal the data breaches and cyber-attacks against their computer systems, in order to retain public trust and to prevent copycat hackers from hacking into their systems.

1. … and techniques are currently used in hotels regarding data privacy and security?
2. What are the current threats and the ways of handling security attacks at all layers (Data, Application, End-Points, LAN, Perimeter, WAN, Cloud) in the hospitality industry?
3. What is the importance of network security in hotels?
4. Which actions do hotels need to take in order to secure their websites for data and financial transaction privacy?
5. What are the actions/steps that hoteliers need to take, and what areas need to be covered to keep their guests’ data private and secure?

The remainder of this paper is organized as follows. Section 1 provides an in-depth background review of cybersecurity issues in the hospitality industry. Section 2 outlines hotel security and the main data assets to protect. Section 3 details the most common compliances that the hospitality industry needs to meet to keep hackers away and to follow the world’s best protection practices. The practical steps hoteliers can take to improve privacy and data protection, which are the findings and results of this paper, are presented in Section 4. Section 5 concludes this study and provides recommendations for the hospitality industry to help secure hotels and customers’ data from potential security attacks.
… offer hotel management, branding and marketing, and franchise licensing, while hotel REITs focus on the acquisition, ownership, and operation of hotel real estate. The table below includes both types.

Company (ticker)                          Revenue      Net Income    Market Cap   1-Year Trailing    Exchange
                                          (billion $)  (million $)   (billion $)  Total Return (%)
Marriott International Inc. (MAR)         10.6         267           49.4         114.8              NASDAQ
Hilton Worldwide Holdings Inc. (HLT)      4.3          715           35.2         98.5               NYSE
InterContinental Hotels Group PLC (IHG)   2.4          260           13.1         80.6               NYSE
Hyatt Hotels Corp. (H)                    2.1          703           8.7          85.4               NYSE
Host Hotels & Resorts Inc. (HST)          1.6          732           12.2         66.3               NASDAQ
Huazhu Group Ltd. (HTHT)                  1.5          307.7         18.2         94.3               NASDAQ
Wyndham Hotels & Resorts Inc. (WH)        1.3          132           6.8          145.3              NYSE
Service Properties Trust (SVC)            1.3          311.4         2            162.6              NASDAQ
Extended Stay America Inc. (STAY)         1            23.3          3.5          192.7              NASDAQ
Park Hotels & Resorts Inc. (PK)           0.852        -1400         5.2          203.5              NYSE
Total                                     27

According to Research and Markets, the world’s largest market research store [2], the global hospitality market is expected to grow from $3486.77 billion in 2020 to $4132.5 billion in 2021 at a compound annual growth rate (CAGR) of 18.5%, and is expected to reach $5297.78 billion in 2025, which means that the growth across all segments of hospitality is at a CAGR of 6%.

1.2 A Hotel is Under Cyberattack

The threat of cybercrime and data breaches has never been so prominent. By 2021, damages related to cybercrime are set to hit $6 trillion, according to Cybersecurity Ventures. In the hospitality industry, hotel cybersecurity is a matter that shouldn’t be taken lightly. That’s because security experts now estimate that cyberattacks cost businesses $1.6 million to recover from. And what’s scarier: in 2019, the average time it took to identify a breach was 7 months, according to IBM [3].

A study by IntSights [4] found that in the past three years, the hospitality industry has had 13 “notable data breaches”. They also looked into the dark web hacker forums (a section of the internet that isn’t visible to search engines and requires an anonymizing browser to access) and revealed that Hilton had a 31% share of mentions, followed by Marriott at 28% and IHG at 19%.

But why are hotels particularly vulnerable to these attacks? IntSights believes this is because of the volume of financial transactions that hotels carry out, the use of loyalty programs, their databases of sensitive personal data and, finally, their national and international spread.

Put plainly, the bigger the organization, the more of a target it becomes for hackers due to the volume of information held. And that’s why cybersecurity is so important; protecting your customers’ data should be a primary concern, right alongside safeguarding against COVID-19 [5]. In this day and age, your customers will be more cybersecurity savvy, and this may impact their choice of hotel.

In May 2021, one of the leading hospitality chains reported a hotel cyberattack: an “unauthorized party” got access to the personal information of 150 million customers. Unfortunately, breaches like these are a feature of life in the online age, and cases are rising. Cybercrime costs will grow to $6 trillion by 2021. A business becomes a cybercrime victim every 40 seconds. There are more than 170 million malware incidents per year. Earlier, hotel management reported receiving a notification from an internal security tool specifying that someone had attempted to connect to the hotel guest reservation database. The unauthorized party had copied and encrypted guests’ information, including passwords, e-mail addresses, departure/arrival dates, and passport information. Unfortunately, this breach was only detected after the fact. The typical time to detect a data breach is over 8.5 months.

Hospitality industries plan to put more resources into security. There are several reasons why hospitality organizations have a more challenging time securing their assets than similarly sized businesses in different sectors [6].

Hospitality industries have extensive networks. A hospitality firm has several end-points, plenty of them located in publicly accessible areas. They also use various automated systems for functions like venting and heating, which are just another entry point for attackers. Most hospitality businesses have large guest databases that are regularly accessed directly by a booking system by requirement. Any compromise of the reservation system will place the database in danger.
Hackers also, as clients might be on-site too.
Both airlines and hotels have clients on-site constantly, providing attackers the chance to get direct access to entry points. Many offer free Wi-Fi services, together with Wi-Fi for company and employee usage. There is nothing “wrong” with this. However, it needs additional layers of safety to make sure no unauthorized access is permitted to sensitive areas of a network.

1. Staff churn.
When you have high personnel numbers and high churn, it becomes challenging to guarantee that staff members are accurately trained to handle cyber threats. Worse, it is common practice in the hospitality sector to utilize group e-mail accounts (e.g., Reception, Client Services, etc.), which are shared with constantly changing staff members. This makes proper password change procedures impossible. It is no wonder that credentials for these accounts are often leaked via the dark web.

2. Franchising.
Franchising is normal in the hospitality sector, especially for resorts, and franchise owners take responsibility for safety. Most franchise owners do not always take the appropriate precautions to protect sensitive assets and have minimal comprehension of cyber danger.

3. Third-party risk.
Hospitality companies have significant ecosystems, including a variety of technology suppliers and partners. Possession or the transfer of digital assets or information may open hospitality businesses up to a considerable amount of risk. It can be tricky to discover the risk profile of a third party, significantly since every company’s profile will change over time, and lots of businesses in the hospitality sector don’t have a proper way to measure how much risk they’re accepting when picking and building connections with third parties.

Why is it essential?
According to statistics from the hospitality industry, the average number of rooms per hotel in Europe in 2019 was sixty-two. With the occupancy rate for the same period at around 72%, it’s easy to see why hotels would be a prime target for hackers. The sheer volume of people going in and out daily, and more importantly, the amount of credit card transactions being processed around the clock every single day of the year, make for a much bigger pay-day for the successful hacker. Combine that with the amount of personal data involved in hotel stays, and a successful hacker could potentially get access to credit card details, passport or ID numbers, and addresses. That could result in not only fraudulent credit card transactions but identity theft as well, the effects of which are almost impossible to assess.

We live in what has effectively become a cashless society. Compared to the norm from even a few years ago, today’s consumers are much more likely to make all their transactions via a credit card or an app on their smartphone. Even the process has changed. You don’t even need a PIN confirmation for small purchases anymore, as contactless payments have become such a normal part of our life.

Our life has become much more connected. But, unfortunately, all that connectivity gives hackers an almost limitless number of access points to attack, including Wi-Fi, Bluetooth, LANs, cloud, hotel security cameras, check-in and check-out systems, hotel POS systems, and more. Every single one of these could be an entry point for a hacker.

People go on holiday to relax. Hotel guests will probably not be at their most diligent. Even security-savvy individuals will likely let their guard down a bit when on holiday, and that creates a particularly tempting target for hackers. It starts as the vast majority of room bookings tend to be for short-stay visitors, who, typically, will use credit cards for the bulk of their charges and use the hotel’s Wi-Fi extensively [7].

1. We are rapidly moving to a cashless society.
Most people carry more and more information on their mobile devices. That could be banking or other financial information, including credit card numbers, and personal information, including sensitive identity information such as passport or ID copies.

2. Guests connecting to your hotel network are potentially opening themselves up to what could be a severe privacy breach.
If your hotel Wi-Fi isn’t secure, guests accessing their data over the network or even just using their mobile phones could be exposing their data to any hacker with access to your systems. If your hotel cybersecurity isn’t up to the job, your guest data is at risk.

3. The problem with hotel Wi-Fi, or any hotel system for that matter, is that it has to be secure while still being accessible for your guests to connect to and use.
How many complaints would your front-office desk get if you made your guests use sixty-four-character passwords, for example? Your booking.com and Agoda reviews probably would not be glowing! Never mind that hotel guests are usually too busy enjoying their holiday to pay any attention to extra security steps.
4. All of the sub-systems link to the hotel network: booking and reservation systems, POS in restaurants, coffee shops, bars, etc.
So the systems’ security will only ever be as strong as the weakest link.

2. Hotel security – main data assets to protect.

Even when hotels have robust security policies and procedures in place [8], they’re still vulnerable to cyber-attacks, fraud, theft, and other crimes. When guests check in, they are probably more worried about sightseeing or making meetings. Security should not be on their minds during or after their trip.

Technology is currently changing, improving, and easing the traveling experience. However, to permanently update the hotel’s cybersecurity, you must stay aware of what is happening and track the changes [9].

1. Facial Recognition System
The main challenge for hotel managers and many others within the hospitality sector looking to implement facial recognition is balancing the benefits with privacy for clients. Indeed, a lot of customers have worries about facial recognition due to the simple fact that it means more information about them being gathered and stored by hotels.

2. Payment system encryption
The payment transactions must be end-to-end encrypted. The number of a credit card will never appear in the hotel installations, and the only information that travels within the network is scrambled. Encryption always needs an internet connection, and a stable large-scale service must be used to make the reliability of payment methods more probable.

3. Service Automation
Self-service automation plans to put the decision-making procedure in the hands of the guests rather than hotel employees. This directly follows tendencies that have been seen across several businesses. Self-service kiosks, online enrollment, and targeted feedback surveys are now starting to take center stage. Nonetheless, this isn’t to say that conventional employees are eliminated from the equation. Their services are rather being strengthened with in-house automation.

4. Guest Apps
Smartphones have taken center stage in daily communications. From chatting with friends to answering e-mails and buying products on the internet, the simple fact is that the ordinary consumer has begun to rely upon these advanced applications. This innovation hasn’t been lost on the hospitality industry. Hotels are now creating their own branded apps so that guests may enjoy a much better way of correspondence and connectivity. Modern apps provide features like virtual payments, 360-degree hotel tours, and instant contact with a concierge.

5. Artificial Intelligence
It may be argued that AI represents the most profound example of how hotel technology is progressing. The main objective of artificial intelligence is to provide guests with a smoother and more streamlined experience throughout their stay. Artificial intelligence plays a profound role in resort technology and, despite this, has only lately entered the mainstream market, and its presence grows.

6. Big Data
Big data represents the capacity to collect, interpret, disseminate, and react to essential information for hotels. This is very important for large businesses, which may cater to the requirements of tens of thousands of visitors every month. Through a blend of the information they collect themselves and information available online, hotels can use huge information (big data) that assists them with revenue management strategy, identifying offers that could suit specific travelers or hotel guests.

In summary, technologies are developing, and cybercrime is developing along with them. In order to be able to repel cyber-attacks and offer the best hotel room security, stay up to date with the innovations.

3.

3.1 Hotel Industry under ISO/IEC 27001 compliance

ISO/IEC 27001:2013 (also known as ISO27001) is the international standard for information security. It sets out the specification for an information security management system (ISMS). The information security management system
What is an ISMS?
An ISMS is a holistic approach to securing the confidentiality, integrity, and availability (CIA) of corporate information assets. It consists of policies, procedures, and other controls involving people, processes, and technology. Informed by regular information security risk assessments, an ISMS is an efficient, risk-based, and technology-neutral approach to keeping your information assets secure.

The framework of ISMS Process

What are the 3 ISMS security objectives?
The basic goal of ISO 27001 is to protect three aspects of information. An Information Security Management System (ISMS) is a set of rules that an organization needs to establish to:
- Confidentiality: only authorized persons have the right to access information.
- Integrity: only authorized persons can change the information.
- Availability: the information must be accessible to authorized persons whenever it is needed.

3.2 Hotel Industry under CIS V7.1 compliance

When a guest chooses your hotel, there’s a high volume of trust involved. Clients trust that the bed they’ll be sleeping in and the toilet they’ll be using are clean at a core level. Additionally, they trust that their favorite and private goods are secure inside the hotel and that the hotel room security is at the best level. If they have any reason to doubt these basic requirements, they’d probably stay elsewhere. In the present technological revolution, an individual may feel that the hospitality sector has entered the golden era. But instead of a futuristic renewal and renaissance, hoteliers are experiencing declining data safety issues.

… security controls, and countless security checklists, benchmarks, and recommendations. So, we have a better understanding of the threat, as there is the emergence of threat information feeds, reports, tools, alert services, standards, and threat sharing frameworks. To top it all off, security requirements, risk management frameworks, compliance regimes, regulatory mandates, and so forth are required. Thus, there is no shortage of information available to security practitioners on what they should do to secure their infrastructure.
… “Small-Mid” size or related to the “Boutique” category and will be under IG2 compliance.

3.2.1 All Layers Security
Most of the attacks described above involve several layers, which need to be protected. Some of the known cyber-threats due to cybersecurity vulnerabilities include:
- Phishing attacks
- Ransomware
- Distributed denial-of-service (DDoS)
- Remote hacking through third-party vendors/point of sale malware
- Botnet attacks
- Man-in-the-Middle (MiTM) attacks
- Location tracking and call interception
- More…

To face the daily cyber-attacks and threats at the highest level, there is a need to provide a well-protected infrastructure and environment for all layers:

3.2.2 Layers 1-4: Data to Local Area Network (LAN) Security
Data security is among the most challenging tasks for hoteliers. Every year, hotels of all sizes invest a sizable part of their IT security budgets protecting their businesses from hackers intent on accessing information through brute force, exploiting any kind of vulnerability.

3.2.2.1 Data security is a trend for the hotel industry.
Data security is a critical part of cybersecurity. First, breaches will cost millions of dollars, including government fines and loss of reputation. Data protection has countless aspects that protect data at rest, in use, and in motion. Below are several technologies widely used by businesses to safeguard information. But, first, let’s have a quick look at types of data security:

3.2.2.1.2 Data loss prevention
DLP prevents users from transferring sensitive information, and organizations may roll it out as a business security program. DLP technology provides a mechanism to help guard against sensitive information loss, and consequently could be a mitigating element when dealing with compliance agencies in the aftermath of a data breach. Therefore, DLP has come to be a top IT spending priority. Data security will remain a vital challenge in the future, but modern cybersecurity companies will always help you stay current.

3.2.2.1.3 Encryption
Among the basic concepts of data security is encryption, as just encrypting sensitive information may go a long way toward meeting privacy and compliance mandates. However, organizations need to choose the encryption algorithm which matches their business security conditions because encryption is not a one-size-fits-all proposition. The most typical encryption, symmetric, entails converting plaintext into ciphertext with the same key for encryption and decryption. Asymmetric encryption uses two interdependent keys, one to encrypt the data and one to decrypt it, as in X.509 security and key management methods.

3.2.2.1.4 Tokenization
Credit card data protection is a priority in hotel cyberattack prevention. Hotels experience challenges in protecting card information. The main problem is the necessity to keep card data for later charges. Storing credit card data should always be avoided. Hotels must use a card processor that implements a tokenization service. With tokenization, when the hotel transfers credit card data to be authorized, the processor sends back the authorization and a token that can be used for later charges. Even if the token is compromised, it is only useful for transactions between that client and that hotel, so it is secure to store.

3.2.2.1.5 LAN Protection
Wi-Fi is typically a weak link in a hotel’s cybersecurity. There is no isolation between the devices connected to the hotel network, meaning every guest can potentially be exposed to cyber-attacks. Since the Wi-Fi password is visible, hackers could easily gain access, infect the entire network, and spy on the traffic of all the guests. As such, hotel owners should consider an investment in hotel network security to be essential and not an extra cost. The security includes setting up firewalls and WPA2 encryption.

3.2.3 Layers 4-6: Perimeter to Wide Area
Due to tokenization and encryption, the hotel’s network connection must stay up constantly. No payments can be processed if the internet is down. It is necessary to get support to maximize the payment systems’ reliability. Therefore, it is essential to have a dual-WAN or SD-WAN broadband service to optimize the safety of payment systems as well as cloud infrastructure, and WAF and DBWAF protections.
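The tokenization flow of 3.2.2.1.4 (PAN sent once, token returned, token bound to one hotel and one guest) as an added simulation; this is not code from the paper or from any processor. The Processor and Hotel classes, the merchant ids and the Luhn-valid test PAN are all constructed for the illustration.

```python
import secrets
from dataclasses import dataclass, field


def luhn_valid(pan: str) -> bool:
    """Mod-10 sanity check run on the PAN before it is sent to the processor."""
    digits = [int(d) for d in pan if d.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Processor:
    """Stand-in for the card processor's token vault: the only party holding PANs."""
    vault: dict = field(default_factory=dict)   # token -> (pan, merchant_id, customer_id)
    ledger: list = field(default_factory=list)  # (merchant_id, customer_id, amount)

    def authorize(self, merchant_id, customer_id, pan, amount):
        """First charge: validate the PAN, return (approved, token). The PAN stays here."""
        if not luhn_valid(pan):
            return False, None
        # Reuse the token if this merchant already has one for this guest's card.
        for token, (p, m, c) in self.vault.items():
            if (p, m, c) == (pan, merchant_id, customer_id):
                break
        else:
            token = secrets.token_urlsafe(24)    # random; not derived from the PAN
            self.vault[token] = (pan, merchant_id, customer_id)
        self.ledger.append((merchant_id, customer_id, amount))
        return True, token

    def charge_token(self, merchant_id, customer_id, token, amount):
        """Later charge: the token is honoured only for the merchant/guest it was issued to."""
        entry = self.vault.get(token)
        if entry is None or entry[1:] != (merchant_id, customer_id):
            return False
        self.ledger.append((merchant_id, customer_id, amount))
        return True


@dataclass
class Hotel:
    merchant_id: str
    processor: Processor
    folios: dict = field(default_factory=dict)  # guest_id -> what the hotel persists

    def check_in(self, guest_id, pan, deposit):
        approved, token = self.processor.authorize(self.merchant_id, guest_id, pan, deposit)
        if not approved:
            return False
        # Persist only the token and last four digits; the PAN is discarded here.
        self.folios[guest_id] = {"token": token, "last4": pan[-4:]}
        return True

    def charge_incidental(self, guest_id, amount):
        folio = self.folios.get(guest_id)
        if folio is None:
            return False
        return self.processor.charge_token(self.merchant_id, guest_id, folio["token"], amount)

    def stores_pan(self, pan):
        """Audit check: is the full PAN present anywhere in the hotel's records?"""
        return any(pan in str(folio) for folio in self.folios.values())


def demo():
    """Scenario from the paper: a leaked token is useless outside its hotel/guest pair."""
    processor = Processor()
    hotel_a = Hotel("HOTEL-A", processor)
    hotel_b = Hotel("HOTEL-B", processor)       # second merchant on the same processor
    pan = "4111111111111111"                    # constructed Luhn-valid test PAN
    out = {}
    out["checkin"] = hotel_a.check_in("guest-42", pan, 100.0)
    out["minibar"] = hotel_a.charge_incidental("guest-42", 12.5)
    token = hotel_a.folios["guest-42"]["token"]
    # The same token presented by another merchant, or for another guest, is refused.
    out["token_at_other_hotel"] = processor.charge_token("HOTEL-B", "guest-42", token, 500.0)
    out["token_for_other_guest"] = processor.charge_token("HOTEL-A", "guest-99", token, 500.0)
    out["pan_on_hotel_systems"] = hotel_a.stores_pan(pan)
    out["bad_pan_rejected"] = hotel_b.check_in("guest-7", "4111111111111112", 50.0)
    return out


if __name__ == "__main__":
    print(demo())
```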
- For many companies in the hospitality business, either CIS or PCI compliance is required. You just can’t expect your visitors to give you their private information without safety assurance.
- GDPR, or the General Data Protection Regulation, is essentially a law that addresses data privacy and protection for everybody that resides in a country that’s a member of the European Union. Essentially, it regulates any type of private data that is exported out of the EU.
- Every internal and external account must be appropriately encrypted. Unfortunately, encryption can be hacked too, but encrypted network devices can’t be breached as easily as those without any level of security at all.

3.3.1 Building a cybersecurity culture.
Today a hotel Wi-Fi is a public access network, and employee computers allow access into this cloud database. All those factors heighten the worries about cybersecurity in the hospitality sector. Despite security measures in place, the hotel network may continue to be vulnerable. The only reliable way to stop cyberattacks initially is a holistic strategy that includes both trustworthy technology and cybersecurity awareness. Ensure all your workers are well trained to utilize hotel software and the web in a secure and responsible way.

3.3.2 Reliable software
If guest information is being saved in the cloud, you cannot do much about keeping it secure. Each reputable hospitality software company that provides cloud-based hotel PMS solutions provides 24/7 technical assistance and performs routine software maintenance for your benefit. These firms are maintenance and safety specialists. But you should keep an open dialogue with their technical assistance and remain informed about their detection and prevention services.

3.3.3 Does this apply to my hotel business located outside the EU?
GDPR applies to information collected and stored on EU citizens, wherever they are in the world. It will have an impact on the whole global hospitality industry.

The hotel market is very vulnerable to information threats on account of the numerous factors of (1) payment, (2) e-mail, (3) internet booking systems and (4) files comprising card information. A rather large quantity of charge card transactions occurs daily. Every single guest’s information may frequently be saved long-term. Ordinarily, a hotel database may hold guests’ names, addresses, dates of birth, credit card information, passport information, etc. This is a good deal of sensitive information that may be utilized fraudulently. Couple that with information obtained from several resources, such as point of sale programs, third-party reservations, e-mails, own website inquiries, and walk-ins, and hoteliers are a simple target for cyber offenders.

3.3.4 A person’s rights and hotel response
It is a hotelier’s duty to recognize that information belongs to the guest and to specify a core data security policy. Here are some individual rights under the GDPR and what actions you can take to guarantee compliance:
3.3.4.1 The right to be informed - Clearly describe what data you are collecting, why, and for how long.
3.3.4.2 The right to access and modify data - Give access to personal data promptly, in a simple format, and edit on request.
3.3.4.3 The right to data deletion - Respect the individual’s rights against public interest when receiving a deletion request and delete where relevant.
3.3.4.4 Hotelier’s steps to action - Hoteliers need to initiate action immediately to support data security and avoid the risk of breaches.
3.3.4.5 Be Clear and Transparent
3.3.4.5.1 All data collection must meet GDPR conditions.
3.3.4.5.2 Collect the minimum amount of data demanded for that purpose.
3.3.4.5.3 The user must be notified of the purpose of data collection and the time of processing.
3.3.4.5.4 Only use the data for the allowed purpose.
3.3.4.5.5 Store data for a restricted period and then delete it.
3.3.4.5.6 Data must be kept in appropriate security, which includes protection against illegal processing or accidental loss.
3.3.4.5.7 Confirm your compliance with GDPR – Companies must be able to show documents that prove their compliance with GDPR.

3.3.5 Report Keeping
3.3.5.1 Build a clear guideline for how PII is collected and handled. A hotel must follow technical and organizational reports to prove it is protecting data and have that ready to show.
3.3.5.2 Mark on your website – to enable your hotel to store PII data. Describe the process and allow access and modification or deletion.
3.3.5.3 Know the location of all PII held and guarantee strict guidelines in accordance with the hotel data protection policy.
3.3.5.4 Ensure effective security systems are in place for the highest data protection.

3.3.6 Regular Training
3.3.6.1 Every staff member in your organization who deals with personal guest information should be informed of GDPR. Hotel staff must be informed of how to collect, access, use, and disclose personal information.
3.3.6.2 Additionally, how to limit access to cardholder data. Employees must also be notified on how to create solid passwords and know how to accurately dispose of records containing payment card data.

… systems with applications that are not as secure as modern payment systems. There are other weaknesses hotel systems have that might cause ransomware attacks.

4. Access to personal information through guest Wi-Fi – The attack is called “man in the middle,” and it imitates a legitimate Wi-Fi access point. It allows cyber criminals to view all the online activity of users of this fake connection. It includes their logins to banking systems, entering credit card information on websites, or reading e-mail. It also happens that hackers incite users of guest Wi-Fi networks to visit websites that are actually scam versions of original websites. They gain more access to guests’ personal devices when cybercriminals trick users into installing so-called “critical” updates.

There are now enormous amounts of private data shared online. As a result, client privacy and data security have become significant issues in industries worldwide, including hospitality.

… lots of practical measures to guarantee guest information storage.

… cybersecurity precautions, so your hotel safety is always on their mind.
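The steps of 3.3.4.5 (minimum data per purpose, purpose-bound use, limited retention, deletion) and the record keeping of 3.3.5, carried through as one added example; this is not code from the paper. The purposes, field names and retention periods are constructed assumptions for the illustration, not legal guidance.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Fields each processing purpose may use (3.3.4.5.2, 3.3.4.5.4). Constructed assumptions.
PURPOSE_FIELDS = {
    "reservation": {"name", "email", "arrival", "departure"},
    "legal_id_check": {"name", "passport_no"},
    "marketing": {"name", "email"},
}
# Days each purpose may keep data after departure (3.3.4.5.5). Constructed assumptions.
RETENTION_DAYS = {"reservation": 30, "legal_id_check": 365, "marketing": 180}


@dataclass
class GuestRecord:
    guest_id: str
    purpose: str
    data: dict
    departure: date


@dataclass
class GuestStore:
    """PII store enforcing purpose limitation, retention and erasure, with an
    audit log kept as the evidence of handling that 3.3.5 asks for."""
    records: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def _limit(self, rec):
        return rec.departure + timedelta(days=RETENTION_DAYS[rec.purpose])

    def collect(self, guest_id, purpose, raw, departure):
        """Keep only the fields this purpose needs; log what was discarded."""
        if purpose not in PURPOSE_FIELDS:
            raise ValueError(f"unknown purpose {purpose!r}")
        kept = {k: v for k, v in raw.items() if k in PURPOSE_FIELDS[purpose]}
        dropped = sorted(set(raw) - PURPOSE_FIELDS[purpose])
        self.records.append(GuestRecord(guest_id, purpose, kept, departure))
        self.audit_log.append(("collect", guest_id, purpose, dropped))
        return kept

    def access(self, guest_id, purpose):
        """Purpose-bound read: a department sees only what its purpose permits."""
        return [r.data for r in self.records
                if r.guest_id == guest_id and r.purpose == purpose]

    def export(self, guest_id):
        """Right to access (3.3.4.2): everything still held about the guest."""
        return {r.purpose: dict(r.data) for r in self.records if r.guest_id == guest_id}

    def expire(self, today):
        """Retention sweep (3.3.4.5.5): delete records past their limit."""
        gone = [r for r in self.records if today > self._limit(r)]
        self.records = [r for r in self.records if today <= self._limit(r)]
        for r in gone:
            self.audit_log.append(("expire", r.guest_id, r.purpose, str(today)))
        return len(gone)

    def erase_request(self, guest_id, today):
        """Right to deletion (3.3.4.3): erase unless a legal retention duty still applies."""
        def on_hold(r):
            return r.purpose == "legal_id_check" and today <= self._limit(r)
        gone = [r for r in self.records if r.guest_id == guest_id and not on_hold(r)]
        self.records = [r for r in self.records if r not in gone]
        self.audit_log.append(("erase_request", guest_id, len(gone), str(today)))
        return len(gone)


def demo():
    """Walk one guest through collection, an erasure request and retention expiry."""
    store = GuestStore()
    departure = date(2021, 9, 10)
    # Constructed check-in form: more fields than any single purpose needs.
    form = {"name": "A. Guest", "email": "a@example.invalid", "passport_no": "X1234567",
            "arrival": "2021-09-07", "departure": "2021-09-10",
            "credit_card": "4111111111111111"}   # test PAN; never stored by any purpose
    out = {}
    out["reservation_fields"] = sorted(store.collect("g1", "reservation", form, departure))
    out["dropped_on_collect"] = store.audit_log[-1][3]
    out["legal_fields"] = sorted(store.collect("g1", "legal_id_check", form, departure))
    store.collect("g1", "marketing", form, departure)
    out["marketing_sees_passport"] = any("passport_no" in d
                                         for d in store.access("g1", "marketing"))
    out["erased"] = store.erase_request("g1", date(2021, 9, 20))
    out["held_after_erase"] = sorted(store.export("g1"))
    out["expired_later"] = store.expire(date(2022, 12, 1))
    out["records_left"] = len(store.records)
    out["audit_entries"] = len(store.audit_log)
    return out


if __name__ == "__main__":
    print(demo())
```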
References

1. https://www.investopedia.com/articles/investing/061015/top-5-most-profitable-hotel-companies.asp - MAR, HLT, and IHG lead the 10 biggest hotel companies and REITs list
2. https://www.globenewswire.com/news-release/2021/06/08/2243615/28124/en/Global-Hospitality-Market-Report-2021-Market-is-Expected-to-Reach-5297-78-Billion-in-2025-Forecast-to-2030.html
3. Bilgihan, A., Karadag, E., Cobanoglu, C., Okumus, F.: Research Note: Biometric Technology Applications and Trends in Hotels. FIU Hospitality Review 31(2), 1–18 (2013)
4. Cal, O.: Hotel Cybersecurity: A Guide to Avoiding Threats. Hospitality Technology, August 21, 2020. https://www.cvent.com/uk/blog/hospitality/hotel-cybersecurity
5. Butler, J.: Not Just Heads In Beds – Cybersecurity for Hotel Owners. https://www.hospitalitynet.org/opinion/4073687.html (2016), Last visited on December 26, 2019
12. Hiller, S.: Top 5 Risks and Security Challenges for Hotels in 2015. https://insights.ehotelier.com/insights/2015/01/22/top-5-risks-and-security-challenges-for-hotels-in-2015/ (January 2015), Last visited on December 26, 2019
13. Kansakar, P., Munir, A., Shabani, N.: A Fog-Assisted Architecture to Support an Evolving Hospitality Industry in Smart Cities. In: Proc. of the 16th International Conference on Frontiers of Information Technology (FIT). IEEE, Islamabad, Pakistan (December 2018)
14. Kansakar, P., Munir, A., Shabani, N.: Technology in Hospitality Industry: Prospects and Challenges. IEEE Consumer Electronics Magazine 8(3), 60–65 (May 2019)
15. Rusch, J.J.: Computer and Internet Fraud: A Risk Identification Overview. Elsevier Computer Fraud & Security 2003(6), 6–9 (June 2003)
16. Shabani, N., Munir, A.: A Review of Cyber Security Issues in Hospitality Industry. Kansas State University, Manhattan, July 2020
Appendix A: Case Study
1. Choice Hotels Data Breach
The Choice Hotels chain does seem to have an unhappy (or very happy, depending on your point of view, of course) relationship with data security. Over the last few years, the chain has been the victim of at least two data breaches of varying magnitude and severity, involving different entry points.
Data breaches at the Maryland lodging giant have a far broader impact than their own hotel guests. Choice Hotels manages bookings for over seven thousand hotels and properties around the world. These bookings include major hotel and hospitality chains such as:
- Ascend Hotel Collection
- Cambria Hotels
- Clarion, Comfort
- Econo Lodge
- MainStay Suites
- Roadway Inn
- Sleep Inn
- Woodspring Suites
In December 2019, an unsecured database exposed guest data after a metasearch engine indexed the database contents. The data set included full names, e-mail addresses, and home phone numbers. The irony was that the data breach happened during a planned security test run!
According to Choice Hotels, approximately 5.6 million records were affected, but only 700,000 of these had to do with real guest information. The bulk of the exposed data comprised dummy information the chain had created specifically for their security test run. That may well have been the case, but even so, Choice Hotels should have secured or excluded any real guest information from what was a trial of an untested system.
A subsequent investigation into the breach by cyber-attack protection researchers discovered a ransom note, purportedly from a hacker, who claimed the 700,000 exposed records had been backed up and demanded approximately $4,000 from the hotel chain to delete his files.
An earlier data breach incident at the hotel chain involved a technical issue on one of Choice Hotels' websites, which left guest information accessible to hackers.
Visitors to the hotel website using the Safari browser left their entered information exposed to third parties. This exposure only occurred if the Safari browser crashed, but it seems to have been quite a frequent event, taking place approximately 88,000 times from June 2015 through November 2019. Choice Hotels did identify the guests involved and notified them of the data breach for their further action.
Nobody needs this kind of publicity. With hotel guests increasingly sharing their experiences on online review boards, the effects of a data breach can be costly and very far-reaching. An ounce of prevention is worth a pound of cure, so drop us a line and let our security experts show you how to keep your data safe and secure!
2. Cyber Security Threats in Hotels And Lessons We Learned
The hospitality business represents a profitable target for hackers' cyberattacks: hotels, casinos, and restaurants are interesting to cyber thieves as they frequently handle large amounts of financial transactions containing client information. Compared to banks and insurance companies, which handle similar information, restaurants and resorts aren't bound by regulations to maintain the maximum safety standards. Moreover, they don't have the resources to develop the optimal cyber defenses. Therefore, it's not surprising that the hospitality industry ranks highly in the "Data Breach" listing.
The hospitality industry, restaurants, and casinos have experienced crises in cyber defense for a long time. Let's have a look at the most resonant cases (including phishing attacks, hacktivism, malware, and identity theft) that have occurred over the past few years.
a. 2016: Kimpton Hotels and Restaurants: malware on the point of sale
Kimpton Hotels and Restaurants, part of the InterContinental Hotels Group (IHG), declared that their payment terminals had been harmed by malware. In this way, guests' credit card information might have been compromised. Later, the company identified and removed the malicious software that took credit and debit card details. But who knows whether it was already too late.
b. 2017: InterContinental Hotels Group: remote installation of malware on point-of-sale systems
InterContinental Hotels Group Plc (IHG.L) claimed that 1,200 hotels in the United States, including Crowne Plaza and Holiday Inn, were victims of cyber-attacks for 3 months. In that period, cyber thieves attempted to steal customer payment card data. The investigation conducted by an independent cyber defense team revealed that criminals were able to install malware on the servers that the hotels' payment card processing systems relied upon, which in turn collected the data contained in credit card tracks such as card numbers, cardholder names, and verification codes. Such information may well
be used to make fraudulent payments through cloned cards.
c. 2018: Marriott International Hotel Chain: eavesdropping attack
The Marriott International hotel chain faced an enormous security breach. Sensitive data of 500 million hotel guests globally was stolen and exposed.
This compromised information had details regarding credit cards, passports, and birthdays. By 2018, it had been among the biggest data breaches reported in the media. However, the most frightening fact about this story is how long the criminals had access to the network: about 4 years. Cyber analysts discovered the weaknesses and vulnerabilities while the Starwood reservation system was being merged with the Marriott chain.
Lessons we learned
As we know from the above-mentioned cases, many cyberattacks against the hospitality industry follow a common pattern: sending malware or viruses via e-mail.
The Marriott resort chain might have been alerted to unusual access activity, even prior to the Starwood merger. Utilizing automated analysis tools, organizations could ascertain whether the source of the attack was external or internal. Automated detection of suspicious links that are not easy to spot by human review would have averted the malware in the Kimpton hotel instances. Smaller hospitality companies with limited human resources need to put money into highly automated artificial intelligence and machine learning options which may imitate specialist analysts and operate round the clock to restrict unauthorized remote access, enhance network security and protect against infiltration of IoT apparatus and systems.
The matters of regulation remain unsolved. With the huge volume of financial transactions and their vulnerabilities due to millions of travel websites, it's the right time to get regulated at the same level as the financial industry.
3. A security team demonstrating hacking vulnerabilities in 2019
In a recent hotel cyberattack simulation, our attack team managed to take full control of the hotel just from the minibar's network connection. This is how it was done:
1. Our attack team connected their computers to the minibar's ethernet port. They discovered a router and managed to gain access to it by guessing its password.
2. From there, they managed to jump to the corporate network and breach their way into the corporate structure of the network.
3. During the reconnaissance, they also managed to gather several user accounts with their credentials.
4. Eventually, one of the harvested credentials led the attacking team to an internal server in the hotel network, which was managing the PMS system of the hotel. The attacking team now had full control of the hotel's network and could make bookings, control the smart TVs of all of the rooms in the hotel, and extract sensitive guest details.

Appendix B: Why cybersecurity matters in hotels
In an era in which personal data is worth more than any bank heist, industries processing massive amounts of personal information are the preferred target for cyberattacks.
Hackers breaching systems in the hospitality and tourism industry are reported regularly, as the amount of information processed through the industry's systems daily makes them a major target.
The data processed by the industry is a gold mine for cybercriminals looking to carry out credit card fraud and identity theft crimes, as the information customers provide to hospitality companies often includes a copy of the client's passport, with their full name, address, date of birth and country of origin, as well as their e-mail and credit card details, to name only the most frequently gathered and documented details.
Although credit card data seems the most coveted, personally identifiable information (PII) is considered the most valuable.
Failing to guarantee your guests' confidentiality and data safety would cause major detriment to your organization, whether to its reputation or to its legal or financial standing. Published research from Cisco determined that 22% of breached companies lost clients following the attack, showing just how seriously customers take the commitment of a company to secure their data.
It is estimated by the World Tourism Organization (UNWTO) that by 2030, there will be approximately 1.8 billion international tourists crossing borders; keep in mind that these numbers don't include local tourism. With these numbers in mind, the need for immediate action on handling the gargantuan amount of data that is being collected, processed, and safeguarded becomes clear.
Typically, when you think about cybersecurity, virus attacks through malicious malware come to mind. Despite these common security threats, human error remains the underlying concern for business owners. In fact, according to Decode the Human Threat, only 18% of data breaches are caused by an external threat, and up to 82% of all cyber-attack claims are due to human error.
1. The primary factor of security breaches: human error
The business structure of the hospitality industry is often built out of complex ownership collaborations, consisting of a management company that runs the business, a group of owners, and often a franchisor.
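The minibar simulation in Appendix A, case 3, is a chain of four steps, and each of them leaves a trace in ordinary network logs: a burst of failed management logins against the in-room router, a login success right after that burst, and a connection from the in-room device segment into the corporate segment where the PMS runs. The script below is an added example, not code from the paper or from the team whose simulation it describes; the zone address plan, the log line format, the thresholds and the sample log lines are all constructed assumptions. It also applies the lesson stated in the same appendix by tagging every alert with whether the source address was external or internal.

```python
"""
Detect the traces of the minibar-to-PMS attack chain in network logs.

Added example: the address plan, log format, thresholds and sample lines are
assumptions, not details from the paper or from the simulation it describes.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical hotel address plan (assumption). In-room devices such as
# minibars and smart TVs must never initiate connections into the corporate
# segment where the PMS lives.
ZONES = {
    "in-room-devices": ipaddress.ip_network("10.50.0.0/16"),
    "guest-wifi": ipaddress.ip_network("10.60.0.0/16"),
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
}
# Destination zones each source zone may open connections to (assumption).
ALLOWED_DST = {
    "in-room-devices": {"in-room-devices"},
    "guest-wifi": {"guest-wifi"},
    "corporate": {"corporate", "in-room-devices", "guest-wifi"},
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log format: "<iso-timestamp> CONN src=<ip> dst=<ip>" for a new
# connection seen by the firewall, and "<iso-timestamp> AUTH src=<ip> dst=<ip>
# user=<name> result=OK|FAIL" for a management login attempt on a network device.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>CONN|AUTH) src=(?P<src>\S+) dst=(?P<dst>\S+)"
    r"(?: user=(?P<user>\S+) result=(?P<result>OK|FAIL))?$"
)


def zone_of(ip: str) -> str:
    """Map an address to a zone; unknown RFC1918 space still counts as internal."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown-internal" if any(addr in n for n in RFC1918) else "external"


def analyze(lines, fail_threshold=5, window_seconds=60):
    """Return alerts for segmentation violations and password guessing."""
    alerts = []
    failures = defaultdict(list)  # (src, dst) -> timestamps of recent failed logins

    def alert(kind, m, **extra):
        src_zone, dst_zone = zone_of(m["src"]), zone_of(m["dst"])
        alerts.append({
            "type": kind, "ts": m["ts"], "src": m["src"], "dst": m["dst"],
            "src_zone": src_zone, "dst_zone": dst_zone,
            # The paper's lesson: know whether the source is external or internal.
            "origin": "external" if src_zone == "external" else "internal",
            **extra,
        })

    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the constructed format
        ts = datetime.fromisoformat(m["ts"])
        if m["kind"] == "CONN":
            if zone_of(m["dst"]) not in ALLOWED_DST.get(zone_of(m["src"]), set()):
                alert("segmentation-violation", m)
            continue
        key = (m["src"], m["dst"])
        recent = [t for t in failures[key] if (ts - t).total_seconds() <= window_seconds]
        if m["result"] == "FAIL":
            recent.append(ts)
            failures[key] = recent
            if len(recent) == fail_threshold:  # fire once, when the threshold is crossed
                alert("password-guessing", m, user=m["user"], failures=len(recent))
        else:
            if len(recent) >= fail_threshold:  # a success right after a burst of failures
                alert("success-after-guessing", m, user=m["user"], failures=len(recent))
            failures[key] = []
    return alerts


# Constructed sample: a device on the in-room segment guesses the router's
# admin password, succeeds, and then reaches a host on the corporate segment.
SAMPLE_LOG = [
    "2019-05-02T03:10:00 AUTH src=10.10.1.5 dst=10.50.0.1 user=netadmin result=OK",  # legitimate admin
    "2019-05-02T03:11:00 CONN src=10.50.3.17 dst=10.50.0.1",  # minibar talking to its own gateway: allowed
    "2019-05-02T03:12:00 AUTH src=203.0.113.9 dst=10.50.0.1 user=admin result=FAIL",  # one external probe
    "2019-05-02T03:14:00 AUTH src=10.50.3.17 dst=10.50.0.1 user=admin result=FAIL",
    "2019-05-02T03:14:05 AUTH src=10.50.3.17 dst=10.50.0.1 user=admin result=FAIL",
    "2019-05-02T03:14:10 AUTH src=10.50.3.17 dst=10.50.0.1 user=admin result=FAIL",
    "2019-05-02T03:14:15 AUTH src=10.50.3.17 dst=10.50.0.1 user=admin result=FAIL",
    "2019-05-02T03:14:20 AUTH src=10.50.3.17 dst=10.50.0.1 user=admin result=FAIL",
    "2019-05-02T03:14:25 AUTH src=10.50.3.17 dst=10.50.0.1 user=admin result=OK",
    "2019-05-02T03:20:00 CONN src=10.50.3.17 dst=10.10.5.20",  # in-room device reaching a PMS host
]


def run_sample():
    return analyze(SAMPLE_LOG)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['ts']} {a['type']}: {a['src']} ({a['src_zone']}, {a['origin']}) "
              f"-> {a['dst']} ({a['dst_zone']})")
```

Run directly, the constructed sample produces three alerts in order: the password-guessing burst, the success that follows it, and the jump from the in-room segment to the corporate segment. In a real deployment the CONN lines would come from the firewall between the in-room VLAN and the corporate VLAN and the AUTH lines from the router's syslog; the segmentation rule, not the detector, is what prevents step 2 of the simulation, and the detector exists to notice when that rule is missing or misconfigured.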
Each of the entities above is storing crucial data in different computer systems, moving it around frequently, and possibly sharing it with different external third parties.
This complex ownership structure is on its own a possible source of breaches, as proven in the case of the Wyndham Worldwide breaches, which occurred back in 2008 and 2010: by gaining access to the entire corporate network of the organization, hackers stole credit card and other details about customers, resulting in $10.6 million in fraudulent charges.
As the primary form of payment in the hospitality industry is the credit card, infecting point-of-sale systems with malware is one of the preferred practices of hackers to reach a massive amount of credit card details.
The breach doesn't need to occur remotely. It can very well be carried out by infecting an unattended device and spreading the virus to the whole computer system from that one location.
Protecting this sensitive data becomes particularly tricky when considering that, when talking about keeping personal data safe, human error is the number one reason for breaches. It implies that business owners must invest more in employees through the provision of education and awareness; a full re-education needs to be carried out amongst all personnel and third-party service providers. In addition, recurrent training programs and new protocols need to be implemented as well.
Considering that one-third of hospitality business owners admit to not having protocols or even policies in place to store and dispose of confidential information stored on devices, enforcing policies for document destruction and their digital storage is the first step in creating a more secure line of protection for customer information.
These numbers should be a great source of concern for customers who trust these hosting companies with their sensitive information, and this should be a strong incentive for those brands to protect their clients and to understand, although 36% of them believe that data breaches are not a real issue and are blown out of proportion, that it isn't so: instead, it is a genuine threat that needs to be addressed by intensive training programs and the implementation of strict protocols.
2. Falling victim to fraudulent e-mails
Another way of taking advantage of employees' lack of training and supervision is through fraudulent e-mails, commonly known as phishing. It is one of the most dangerous security threats. Regardless of how skilled your employees may be and despite what they may think they know about phishing, the skills of cybercriminals invested in creating extremely sophisticated e-mails replicating trusted business communication can fool an untrained and gullible clerk. Opening such an e-mail or its attachment would launch a trojan horse or a virus which will extend its ramifications through the whole computer network of the organization, giving attackers a foothold into the business from which they can extract sensitive client data, account passwords, intellectual property and much more.
McAfee estimates that 97% of people are unable to identify a sophisticated phishing e-mail, making phishing the most dangerous and successful of all cyberattacks (91% of all cyberattacks start with a phishing e-mail).
3. How Can Businesses Mitigate Exposure?
Beyond the imposed requirements, data management is a business reality, and it is imperative as a hospitality company to take care of your guests the best you can. For this reason, securing data must be a strategic process involving everyone within the organization.
The company's first step is to implement a cybersecurity management plan, with actions to prevent data loss and a continuity plan ready to go in the case of a breach.
The main defense will be to train staff on the security risks, how to minimize them, and how to detect infiltration. This is an ongoing process that needs continual maintenance: making sure software and systems are up to date, as well as firewalls and antivirus programs.
It's imperative that business owners put together some form of training plan for new and old employees alike to keep them up to date with cybersecurity basics that may prevent the loss of crucial information.
Joining forces with an experienced cyber risk management company that provides business owners and their employees with the training, the knowledge, the tools, and the support to build a healthy and efficient safety policy around their existing IT infrastructure will not only help hotel owners reduce the likelihood of a cyber-related incident, but also offers valuable training services to ensure employees are up to date with the latest security policies.
Always remember that being compliant is not the same as being secure!

Appendix C: Dependability on IoT devices manufactured with a lack of security, together with 5G, requires new approaches to cybersecurity
5G is the "Fifth Generation" mobile network, the latest global wireless standard. It will eventually replace or at least augment the existing 4G LTE connection standard. With 5G, you'll be able to experience exponentially faster download and upload speeds, and the time it will take for devices to communicate with wireless networks (latency) will drastically decrease.
It is designed to connect everything and everyone at higher data transfer speeds:
1. First and foremost, speed is the most attractive perk of this new generation network!
2. The second reason is latency: by shortening the "lag time" between device communications, the possibility of performing remote live actions such as remote surgery, or coordinating the communication between self-driving cars, is now something that can be seriously considered.
3. The third reason would be connectivity. While the existing 4G LTE network is powerful, we are quickly outgrowing this network by overloading it and pushing it to its limits. Current LTE networks are becoming overloaded at peak hours in major cities; 5G could support 100 times more devices per square mile versus 4G, and with the rise of internet-connected "smart" gadgets, such as IoT (Internet of Things), there is a need for a faster and higher-capacity system to support the billions of devices already in use and the many more to come.
mMTC (Massive Machine-Type Communications) is a brand-new service category of 5G that can support an extremely high connection density of online devices. Currently, IoT is communicating through sensors; those sensors require a lot of resources and are quickly depleting the existing 4G LTE data capacity.
Compared to current smart devices on the market, MTC devices will require fewer resources since a huge number of these devices will be able to connect to a single base station, making them much more efficient by using the speed and the low latency of the 5G network.
5G vs. 4G
5G transmits tons of data over shorter distances than 4G.
Feature | 4G LTE | 5G (developing technology) | Description
Latency (milliseconds) | 20-30 | >10 | Lower latency than 4G; latency refers to the time taken for device-to-network communications. Since devices can "talk" to the network faster, you'll get data faster.
Average speed | 25 Mbps | 200-400 Mbps | 5G is faster than 4G, with more bits per second able to travel the network. With the new upload and download speeds, you could be downloading movies in seconds versus minutes.
Power use | | | 5G uses less power than 4G since it can rapidly switch to low-energy use when cellular radios are not in use. This extends the device battery life to let devices stay unplugged for longer.
Capacity | | | 5G can carry more devices than 4G as it expands the available radio waves. Congestion issues that lead to slow [rest of cell not recovered]
Incredibly fast download speeds | | | Ultra-fast internet, low latency and improved [...] paved the way for [rest of cell not recovered]
available on the market, originating from manufacturers with low concern about cybersecurity, the use of 5G will encourage the connection of more devices between them and ultimately through its network. Each unsecured device translates to a possible breach point. Every portable speaker, smartwatch, smart light, smart lock and thermostat, and even minor devices like a fish tank thermometer, can be a vulnerable point of entry into the network.
A lack of control and security standards over IoT devices implies infinite potential network breaches and hacking.
5. Focus on networks first - Network providers will have to invest in software protections and will need to collaborate with cybersecurity firms to develop solutions for encryption and network monitoring to cover the unique risks of 5G.
6. Manufacturers need to invest in their security efforts - The high costs of developing and implementing secure tech don't motivate low-end product manufacturers to focus on cybersecurity. Many IoT devices used by the population have been bought prioritizing the use above the tech, not understanding that the potential breach originating from those unsafe devices could cost them a thousand times the saving made on the purchase of the device; and if used in a public place such as a hotel, in our case, this could also affect other guests or the organization's network as a whole.
7. Consumer education - Product labeling standards will be a necessity. Because users have no intuitive way to know how safe IoT devices are, smart tech manufacturers might start to be held accountable with a label system.
- Turn off Universal Plug and Play (UPnP).
- Set a clear Bring Your Own Device (BYOD) policy for your employees.