Maintaining Data Security in the Hospitality Industry – Top Concerns and Strategies

Last updated on Jan 17, 2024 | Published on Mar 15, 2021

Data security is a pivotal concern for different industries and the hospitality sector is not an exception. Hotels, motels, resorts, and rented apartment complexes all gather, process and electronically store sensitive personal customer data. The existence of multiple databases and devices containing both Payment Card Information (PCI) and Personally Identifiable Information (PII) makes the hospitality sector an ideal target for credit card fraud and identity theft crimes. The COVID-19 pandemic created new vulnerabilities when hotels resorted to various measures to stay in business.

Cybercriminals can sell guest information on the dark web, employ ransomware to demand payment, or leverage the data for additional illicit activities such as phishing attacks and identity theft. Data breaches in the hospitality sector lead to huge public scrutiny and damage to reputation, and create panic across customer and supplier bases. The financial implications are staggering. The 2022 Ponemon Institute and IBM Security report reveals that a data breach in the hospitality sector carries an approximate cost of $2.94 million. This underscores the importance of worthwhile investment in cybersecurity and reliable data processing services for the hospitality industry. Partnering with experts in these fields can promote data security and confidentiality.


Typical data breaches in the travel industry include incidents such as POS attacks, malware and ransomware infections, phishing attacks, Wi-Fi network hacks, DDoS attacks, and DarkHotel hacking, according to acropolium.com. Tech Informed recently cited a Trustwave report which found that more than a third of hospitality organizations have disclosed experiencing a data breach in their company’s history. Of the hotels, restaurants, cruise ships, and other hospitality businesses surveyed, 89% of those affected by a data breach reported experiencing such incidents more than once a year. The likes of the Marriott hotel chain, Best Western’s AutoClerk reservations management system, and the Choice Hotel franchise have all suffered major data breaches.

“With unique considerations, such as the adoption of contactless technology and the steady turnover of customers and employees, the hospitality industry faces a complex security landscape with distinct challenges,” notes Trustwave chief information security officer Kory Daniels.

Top Data Security Concerns in the Hospitality Sector

In order to improve data security in hotels, it is important to identify the key concerns or factors related to data hacking.

Data Sovereignty

Data sovereignty addresses the rights to storage of company and customer data based on geography. Several laws associated with it are in place to secure data and guarantee privacy for populations from foreign threats. The data sovereignty aspect gives any company the right to release or withhold any information held secure within their cyber security system.

Complex Ownership Structures

Hospitality businesses usually have complex ownership structures in which there is a franchisor, an individual owner or group of owners, and a management company that acts as the operator. They function as separate teams, take on individual responsibilities and use different computer systems to store data or information, and the information frequently moves across those systems. All of this increases the risk of data breaches.

Heavy Reliance on Electronic Payment Methods

The hospitality industry heavily relies on electronic payment methods, particularly credit cards. Restaurants and hotels commonly collect credit card details for reservations, and the same card is often used for the final payment. Cybercriminals exploit this reliance, infecting point-of-sale (POS) systems with malware to steal credit and debit card information. In 2017, 20 out of 21 high-profile hotel data breaches were attributed to POS system malware. As malware can spread across POS systems operated by the same entity, multiple hotels may be affected by unnoticed attacks lasting months.

Data Disposal Processes

It is estimated that about 20 percent of hospitality companies don’t have any policy in place for storing or disposing of confidential paper documents, and nearly a third of them do not have a regulated protocol in place for storage and disposal of their customers’ electronic information. This in turn increases the risks of data breaches.

Rapid Staff Turnover

Ensuring staff is trained in secure protocols for collecting and storing personal data is a critical priority for hospitality businesses. Comprehensive training familiarizes employees with company compliance guidelines and enhances their ability to recognize social engineering attempts. High turnover and frequent staff movement between locations pose challenges in maintaining consistently well-trained teams. Even a single staff member lacking familiarity with data security protocols can be advantageous for cybercriminals seeking to exploit vulnerabilities and gain unauthorized access to sensitive information in a company’s system.

Human Manipulation

Hotel staff can be one of the biggest security threats as they are most vulnerable to attacks from hackers. Data intruders exploit normal human behavior to steal credentials and infiltrate networks and extort information.

Compliance

Regulators in the hospitality industry are adopting a more stringent stance on overseeing the storage and processing of personal data. The GDPR regulation, instituted by the EU in May 2018, is a landmark legislation designed to empower individuals with control over their personal information, imposing rigorous rules for its protection. Additionally, the global PCI DSS regulation safeguards credit card data, with non-compliance incurring fines starting at $500,000 per incident.

Insider Threats

While less frequent, the potential for company employees to clandestinely sell data to third parties poses a genuine concern for hospitality businesses. Insider threats tend to manifest in areas such as customer preferences and behavior data, collected across various touchpoints, from website interactions to booking system information to reviews. This data can be highly valuable in the hands of individuals who understand how to leverage it for a competitive edge.

Data Protection in the Hospitality Industry – Top Strategies


In the age of GDPR, when countries across the world are increasingly adopting new legislation that aims to protect individuals’ sensitive information and make companies liable in case of data breaches, hospitality companies need to make cyber security a key point of focus for managing risk and avoiding potential financial losses, fines and disastrous consequences to their reputation.

Here are some important strategies that organizations in the hospitality sector can implement to protect customer data:

Train Staff on Cybersecurity

Setting up comprehensive employee training for all staff is crucial to ensure data security. This will help ensure that every employee is trained and proficient in handling sensitive data securely. In addition, educating staff on the basic methods of how hackers obtain information will potentially increase the security of the company as a whole. Clear and strict policies regarding the disposal of sensitive physical documents and wiping clean electronic records are critical for all hospitality companies.

Encrypt Payment Card Information

Encrypting payment card information refers to the process of converting the sensitive data on a payment card (such as credit or debit card details) into a secure and unreadable format. This enhances security and protects the data during transmission or storage. In the context of financial transactions, encryption helps prevent unauthorized access and reduces the risk of data breaches. It ensures that even if intercepted, the payment card details remain unintelligible and unusable to malicious actors. This is crucial for maintaining the confidentiality and integrity of sensitive financial information in electronic transactions.

Keep Devices Up-to-date and Back up Data

Outdated hardware and software, whether in the back office or digital locks, pose a security risk, making them susceptible to data breaches. Failing to update devices and apply software patches is a major security vulnerability. Ensure your devices automatically accept periodic updates from software providers to safeguard sensitive data. Regularly backing up data is a cost-effective measure to enhance security and prevent data loss. This includes financial records, business plans, customer data, and personal information. Installing and updating antivirus and anti-spyware is crucial, along with monitoring equipment usage and users for comprehensive security.

Prioritize Password Security

Choosing your passwords wisely and strategically is another simple yet powerful data protection measure. Choose a password that’s hard to guess yet easy to remember to prevent unauthorized access. The password security standards set forth by the National Institute of Standards and Technology (NIST) keep changing. In 2024, NIST password guidelines recommend a minimum of 8 characters for passwords created by users and at least 6 characters for those generated by machines. Ensure secure storage of passwords by employing hashing and salting methods without truncation.
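
The storage advice above (8-character minimum, per-password salt, hashing without truncation), as an added Python example that is not part of the original article. It assumes PBKDF2-HMAC-SHA256 from the standard library with 600,000 iterations, which the article does not specify, and the function names and sample passwords are illustrative.

```python
import hashlib
import hmac
import secrets

MIN_USER_LENGTH = 8     # minimum the article cites for user-chosen passwords
ITERATIONS = 600_000    # assumed PBKDF2-HMAC-SHA256 work factor (not from the article)
SALT_BYTES = 16


def hash_password(password: str) -> str:
    """Return 'iterations$salt_hex$hash_hex' for storage; the password itself is never stored."""
    if len(password) < MIN_USER_LENGTH:
        raise ValueError(f"password must be at least {MIN_USER_LENGTH} characters")
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt for every password
    # The whole password is encoded and hashed: no maximum length, no truncation.
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    record = hash_password("front-desk horse battery 42")
    print(record)
    print(verify_password("front-desk horse battery 42", record))
    print(verify_password("front-desk horse battery 43", record))
```

Because each record carries its own salt and iteration count, two guests who pick the same password get different stored values, and the work factor can be raised later without invalidating existing records.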

Opt for unique passwords for each login and consider using a digital password manager for secure storage. Implement Multi-Factor Authentication (MFA) as an extra layer of security, requiring additional authentication alongside a password, such as a PIN, security key, or biometrics. MFA protects against unauthorized access even if a password is compromised through phishing or other methods.

Secure Financial Information

Reports indicate that the majority of data breaches in the hotel industry are financially motivated. Hotels and hospitality management companies need to secure all computer systems and applications used for accessing financial information. For example, in sensitive systems that contain financial information or guest data, they should use MFA wherever possible. Computer systems, laptops or tablets should be shielded from public view. Installing a privacy screen helps prevent unauthorized access to sensitive financial information.

Secure On-property Networks

Public Wi-Fi is a common area of data vulnerabilities for hotels. Newer Wi-Fi technologies include Intrusion Prevention Systems (IPS) to identify and automatically block potential threats. Ensure the separation of guest wireless networks from internal networks used by staff or property computer systems. This segregation can be achieved physically with two separate sets of hardware or through virtual networks (VLANs).

Every sector faces security threats, and the hospitality industry is no exception. Given the collection and storage of sensitive customer data, it’s imperative for hotels and travel companies to prioritize secure data management. This involves staying informed about emerging cybersecurity threats, reassessing risks and capabilities, pinpointing vulnerabilities, and implementing essential enhancements. When outsourcing data processes, choosing reliable business process outsourcing solutions is paramount for maintaining data security and confidentiality.
