Cyberattacks on Hotels — What Should Hotel Owners and Operators Do?

This article was originally published by Hotel Business Review and is reprinted with permission from www.hotelexecutive.com.

Almost as soon as there were data breaches, hotels became a prime target of hackers, and the hospitality industry has consistently been one of the most commonly targeted businesses. Since 2010, hotel properties ranging from major multinational corporations to single location hotels have been impacted.

The recent report that Hyatt Hotels was a victim for the second time in as many years has raised more concerns about the industry’s ability to address cybersecurity. While consumers are so used to receiving breach notices that “breach fatigue” has set in, the second successful attack on Hyatt is sure to raise the eyebrows of regulators, plaintiffs’ lawyers, and guests. The data breach will affect the loyalty, trust and consumer perception of all Hyatt Hotels guests. So how can hotels prove to guests that they are safe and trustworthy?

“While the company claims that it has implemented additional security measures to strengthen the security of its systems, no explanation was given as to why these additional measures were not implemented after the first attack,” said Robert Cattanach of Dorsey & Whitney. “Estimates of actual harm have yet to be provided, which is typically the weak spot of any attempted class action, but the liability exposure seems problematic regardless.”

Hyatt is in no way alone. On November 2, 2017, the BBC reported that Hilton was fined $700,000 for “mishandling” two data breaches in 2014 and 2015. The attorneys general of New York and Vermont said Hilton took too long to inform their guests about the breaches and the hotels “lacked adequate security measures.” Hilton discovered the first of the two breaches in February 2015 and the second in July 2015, according to the article, but the company only went public with the breaches in November 2015. The company has said there is no evidence any of the data accessed was stolen, but the attorneys general said the tools used in the data breaches made it impossible to determine what was done.

What do Hackers Want?

Hackers seek a variety of types of information. Most commonly, hackers compromise systems so that they can obtain credit card numbers and sell them on the dark web. While this is possibly the most common – and certainly the most reported – type of data theft, it is far from the only kind of data hackers look for.

Other types of guest data can be as or more valuable to hackers. While credit card data can only be used until the theft is reported and the card inactivated, hotels collect volumes of data on guests that can be monetized. More sophisticated hackers collect information on individuals as a means of compromising other computer systems and to impersonate individuals. For example, a hotel guest may use the same password to access a hotel brand’s loyalty program as he or she uses to access financial institutions. Even when the connection is not that direct, the loyalty program might collect the birthdate and personal preferences of a guest, all of which can be used to successfully guess at passwords or other credentials, and enable the hacker to break into a personal or business accounts. Or, the hacker may use the information that a hotel or a hotel brand collects about a guest to impersonate the guest in communications which can then be used to compromise other networks.

Hotel companies should also not underestimate the importance of non-personal, but valuable, business information. Even “anonymized” information may give competitors a competitive advantage, giving them advance notice of marketing programs, new operating policies or other trade secrets.

Why Are Hotel Breaches Prevalent?

Trustwave’s 2016 Global Security Report reported that 14% of the incidences investigated by Trustwave originated at hotels – the second largest share of data breaches, followed closely by the food and beverage industry. As further described below, the hospitality industry possesses a number of factors that make them attractive to hackers: large volumes of valuable information, multiple vectors for accessing information, large workforces and dependence on vendors, to name a few. There are, however, a number of trends that make hotels more vulnerable. However, there are other reasons that contribute the frequency of cyberattacks on hotels.

First, the increasing incorporation of technology into hotel operations can lead to more breaches. Hotels are seemingly in a race to become more innovative – consider the trend to allow guests to bypass the need to go to the front desk by using their mobile devices to select a room, check-in, receive texts when their room is ready, and even unlock the door to their room. Guests are encouraged to use mobile devices to customize their stay by requesting items, ordering room service, planning activities, or purchasing upgrades. Not only does this trend increase the likelihood of a breach by adding new access points to the system; these programs collect even more data, making a hotel breach more valuable.

Hotels are also pressured to expand Wi-Fi networks, share data with OTAs, and proliferate other interconnected systems, making the hospitality industry more vulnerable to a data breach. Each of these factors increases the number of parties that have access – authorized or otherwise – to hotel data, and increase the number of threats to the industry.

One of the key issues facing the industry is the prevalence of outside vendors who provide key hotel functions. Consider that virtually all of the breaches involving hotels that have been reported over the past several years generated not with hotel functions, but from companies engaged by hotels to provide services to the hotel. Virtually every major hotel chain has suffered a data breach through point of sale merchants – each of Hyatt, Marriott (and before its acquisition by Marriott, Starwood), InterContinental, Hard Rock, Four Seasons, Trump and Loews has reported at least one breach in the past two years, and many have reported multiple breaches.

Third parties are a common source of breaches for many industries, but the hotel industry is particularly reliant on third parties for many functions. In addition to credit card processing, hotels look to third parties for reservation services, payroll, human resources, asset management, maintenance and improvements – many hotels have determined that third parties are better qualified to provide specialized services, and thus have access to hotel systems. Many hotel companies have not fully recognized the need to monitor vendors and require them to implement adequate secure standards.

The widespread dependence on third party vendors is a greater problem because hotel systems are widely interconnected. To follow up on the point of sale example, these vendors must tap into basic hotel systems in order to allow for room charges and financial reporting. Hotel executes want and need single point access to hotel operations, meaning that information from separate systems must be accessible and shared by a variety of systems. Even where direct access is limited, varying systems may share a single hotel network, and often a wireless network; the network itself has the potential of breach, which can impact all systems. Ultimately, hotels face the dilemma that the system as a whole is only as strong as its weakest link, and a single vulnerability may expose the entire system.

A variety of other factors exacerbate the vulnerability of hotels:

  • Multiple Systems – Hotels use a variety of different systems for operations, ranging from off-the-shelf, commercial programs to specialty programs. Each of these programs presents the potential for breach and, as noted above, a single weakness can create a weak system. Moreover, the transfer of information from one system to another is, in itself, a source of weakness.
  • Legacy Systems – along with the existence of multiple systems, many hotel systems are legacy systems that were never designed with security as a key element. Legacy systems are a particular weakness.
  • Unclear Lines of Responsibility – As the hospitality industry has developed, there is rarely a unity of ownership and management; instead, most hotel properties are owned by one party, which has entered into a franchise agreement to operate under a particular brand, and managed by yet another company. While each of these entities shares responsibility for data security, it is often unclear who is ultimately responsible – it is the manager, who operates the hotel, the franchisor, who selects or approves systems, or the owner, who has financial responsibility for the venture? The lack of precise responsibility can lead to a vacuum in leadership.
  • The Human Factor – Hotels rely on large numbers of employees, many of whom have access to hotel information systems. Most data breaches can be traced to individuals, whether acting maliciously, negligently or with complete innocence, and training hotel personnel is time-consuming and expensive. Added to this, many hotels have high turnover rates, further complicating creating a culture that promotes security.

What Should You do?

While creating a secure environment is a daunting task, hotel owners and operators can and should begin the process, and the most important thing owners can do is to take responsibility for the security of the properties they own. Rather than leaving the issue to franchisors and managers, all involved should take actions that will start the process of creating a data secure environment.

  • Take Control – Cybersecurity cannot be relegated to a single party; owners, operators and brands all need to take an active role in reducing cyber risks. Even where one party might contractually assume responsibility for security, all parties must conduct their operations so as to promote security. If a franchisor establishes effective security guidelines, it does no good if the manager ignores those guidelines.
    Taking control means conducting a detailed risk analysis of your enterprise, and determine what risks must be avoided, what risks can be assumed, and what risks must be shifted to other, including insurers. With that analysis in hand, a company can make realistic business decisions that reduce cyber risk.
  • Prepare for the Inevitable – It is often, and accurately, said that a data breach is a matter of “when,” not “if.” With that in mind, all parties should be prepared to react to a breach by having a well-constructed and tested incident response plan in place – reacting in the midst of an emergency is ineffective and counterproductive.

Similarly, in light of the prevalence of ransomware, wiperware and other threats, firms need to have robust and effective backup programs that allow them to recover and protect their guests, employees and properties.
Finally, preparing for the inevitable means identifying means of mitigating damages, which must include obtaining effective cyber insurance that addresses and covers the actual damages hotels face.

  • Respond to Breaches – Much of the criticism of hotel companies has been not just to the perceived insecurity of their systems, but to delays in responding to breaches. The Hyatt and Hilton incidents noted above, as well as the FTC’s action against Wyndham, are all based on failure to take the existence of breaches seriously. Hotels, like all companies, need to have in place and have tested effective incident response teams and plans, including identifying all internal and external sources (attorneys, security consultants and public relations, among others) who will respond to a breach.
  • Create a Culture of Security – Probably the hardest task, but arguably the most important, is to create a top-to-bottom culture of cybersecurity. Every individual in the organization, and every affiliate and third party vendor, must take the task of cybersecurity seriously, and take on the responsibility of creating a cybersecure environment.

What Will the Future Bring?

Predicting the future is a difficult and fraught task, but in this case, it is straightforward – there is no reason to expect that the number of cyberattacks will drop. Rather, we can expect more sophisticated and dangerous moves, particularly those which move beyond credit card theft and into the key operations of hotels. In particular, hotels can expect to be the target of ransomware and similar attacks that threaten the viability of the hotels and hotel companies themselves; without adequate preparation, hotels will face an unattractive choice of funding future attacks by paying ransomware, or attempting to operate a sophisticated business without the benefit of electronic data systems.
And hotels need to consider other factors – US laws are in constant flux, and the adoption of European Union regulations covering privacy will create greater challenges, which can only be addressed by advance planning.

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.