One must be living under a rock to not have heard of the infamous Marriott International cyber breach. The international hotel chain was the victim of a massive data breach from 2014 to 2018, compromising the personal information of approximately 500 million guests, including names, addresses, passport numbers, and credit card details. This was not the first attack to hit the hospitality industry, and it was not going to be the last. Since then, the hospitality sector across the globe has become aware of the danger that cyber threats pose to it. And it seems as if cybercriminals have made it their mission to breach the most secure networks to prove a point. In this blog, we will take a look at the growing tension between cyber threat actors and the hospitality industry.
The Attacks that Shook the Hospitality Industry to its Core
Cyber attacks are not a new phenomenon; they have been around for a while now. But every now and then, there are a few of them that are so destructive and smart that they become immortal for the world. Here are a few notable cyber attacks that have targeted the hospitality industry:
Marriott International (2014–2018 and 2022)
A significant data breach affecting Marriott International’s guest reservation database was disclosed in 2018. About 500 million visitors’ names, addresses, passport numbers, and credit card information were stolen in the data breach. It was one of the biggest and longest-running data breaches in the hotel sector; the attackers had had unauthorised access to the system since 2014.
Then, in 2022, the hotel chain was hit by another cyber breach that resulted in the disclosure of the personal information of over 5.2 million guests. This was the second attack on Marriott within 2 years.
MGM Resorts (2019)
2019 saw a data breach at MGM Resorts, one of the biggest hotel chains in the world. Over 10.6 million visitors’ private information was made available on a hacking forum. Names, addresses, phone numbers, email addresses, and passport numbers were exposed.
However, the hotel claimed that financial information such as payment card or password data was not leaked. Some guests were hit more severely than others: they had sensitive data such as driver’s licenses, passports, or military ID cards exposed.
Hilton Worldwide (2015)
In 2015, Hilton Worldwide experienced a data breach in which hackers broke into the point-of-sale (POS) systems of the business. Customers’ payment card details, including names of cardholders, card numbers, and expiration dates, were revealed as a result of the breach. Numerous American properties operated by Hilton were impacted by the incident.
Beyond that, Hilton experienced numerous attacks in 2014 and 2015 but disclosed only a select few, which resulted in a fine of $700,000 for mishandling these breaches. The hotel took a big hit in terms of customer loyalty and brand reputation.
Hyatt Hotels Corporation (2015-2017)
Hyatt Hotels revealed that it had experienced a data breach in 2017 that had lasted for more than a year. The hack exposed consumer credit card information because it targeted the hotels’ payment processing systems. The hack affected 41 properties in 11 different nations.
This was not the first time that the hotel had experienced such an attack. According to company officials, a malware attack on payment processing systems was identified on November 30. Hyatt also revealed that hackers targeted credit card data from cards used on-site at 250 Hyatt locations between 13 August 2015 and 8 December 2015.
Trump Hotels (2014-2016)
Between 2014 and 2016, the Trump Hotel Collection faced several data breaches. Attackers got into the business’s payment systems and stole client credit card data. Several Trump hotels in the US were impacted by the breaches.
The breach was identified by several financial organizations that witnessed a pattern of credit card fraud among the customers who visited Trump Hotel Collection properties. These properties included Trump International Hotel in New York, the Trump International Hotel & Tower in Toronto, and Trump Hotel Waikiki in Honolulu.
Did you notice the similarities between these cases? There are a few, but the one most worth mentioning is that these were repeat attacks. This leads to two conclusions: first, that the hotels were not prepared even after facing their first attack; and second, that the belief that you are no longer a target once you have been attacked is completely wrong. These attacks also highlight the vulnerabilities in the way the hospitality industry operates and handles data security. There is a clear need to emphasize a robust cybersecurity posture to protect customer information. Hospitality businesses must step up their game to beat the cyber threats.
What Seems to Be the Problem? Where Are the Vulnerabilities?
The hospitality industry is an attractive target for cyber attacks, and several factors make it so. Here are some of the major vulnerabilities that leave the hospitality sector susceptible to cyber attacks:
Treasured Customer Data
A vast amount of important consumer data, such as personal information, credit card information, travel itineraries, etc., is gathered and stored by the hotel industry. Cybercriminals are deeply interested in this data, as it can be used for financial gain, identity theft, or even business espionage. The amount of data that hotels and other companies in the sector acquire makes them lucrative targets.
Dependency on Technology
The hospitality industry heavily relies on technology to streamline operations and enhance guest experiences. This dependency on technology opens up potential vulnerabilities that are exploited by cybercriminals. For example, insecure Wi-Fi networks, unpatched software, or weak access controls can provide opportunities for attackers to infiltrate systems.
Lots of Financial Transactions
A sizable number of financial transactions, including credit card payments, bookings, and billing data, are processed by hotels. Cybercriminals target these transactions to steal credit card data or commit fraud. Hotels are viewed as a point of entry for obtaining financial information that can be used for illegal transactions or sold on the dark web.
Multiple Points of Entry
There are multiple points of entry for cyberattacks in the hospitality sector. This covers hotel websites, booking platforms, WiFi hotspots, point-of-sale platforms, and property management platforms. Any of these systems can be attacked to allow unauthorised access, introduce malware, or intercept private information.
Partnering with Third Parties
Online reservations, payment processing, and data storage are just a few of the services for which the hotel sector frequently enlists the help of outside suppliers and partners. If the third-party systems are not sufficiently secured, these relationships could pose new security threats. Attackers can use these external systems to access hotel networks or client information.
Hiring temporary or seasonal staff is a common practice in the hospitality sector; however, this workforce often lacks any cybersecurity training. This raises the possibility of insider threats, in which workers unintentionally or deliberately undermine security procedures. Staff members’ ignorance of security protocols can create situations that attackers can take advantage of.
The biggest factor here is the danger to a hotel’s brand reputation: hackers purposely target big hotel chains to coerce them into paying the ransoms they demand. Given the high likelihood of a cyber assault, the hospitality sector must give cybersecurity measures top priority, put solid security protocols in place, and train staff members on best practices to reduce the risk of cyberattacks and safeguard sensitive customer data.
What Can Be Done to Avert the Evasive Cyber Attacks?
It cannot be made any more clear that a brilliant cybersecurity mechanism is the answer to fighting these brutal attacks. On top of that, there are a few things that must be kept in check to ensure there are no entry points left unattended for the threat actors to exploit. Here is what we suggest:
- Being proactive and adhering to GDPR guidelines
- Ensuring regular data backup in case of a system failure or an attack
- Implementing strong passwords and security measures to keep your data safe
- A strong internal security policy as well as an internal data security policy
- Curating a personalised cyber incident response plan
- Performing regular risk assessments
- Implementing a security awareness program and recurring employee training
- Strengthening physical security measures
It’s time to take back control from the threat actors and ensure that the hospitality industry remains the top contributor to the global economy. GoAllSecure can help in achieving this goal. We can handle all cybersecurity-related issues, providing the hospitality sector with much-needed peace of mind and protection from malicious threat actors. For more information about us, kindly visit us at https://www.goallsecure.com/ or call us at +91 85 2723 7851 or +44 20 3290 4885.