Invisible Threats, Visible Impact: Unmasking Cybersecurity Challenges in the Hospitality Domain

In 2022, Marriott, the renowned global hotel and resort company, fell victim to a cunning social engineering attack. During this security breach, cyber attackers successfully exfiltrated a staggering 20 gigabytes of highly sensitive customer data, including personal information and credit card numbers.

In that very year, InterContinental Hotels Group (IHG) found itself in the crosshairs of a cyberattack that effectively crippled its booking systems and rendered its mobile apps inoperative.

According to Trustwave findings, approximately 31% of businesses in the hospitality sector have experienced at least one data breach throughout their company’s history. These breaches, on average, have incurred a substantial cost of around US$3.4 million.

Extending its influence from hotels and restaurants to cruise ships, the hospitality sector has seamlessly integrated into the daily lives of millions, amplifying the breadth, intricacy, and significance of its cybersecurity challenges. Additionally, the ongoing digital transformation and the ascent of AL, ML technologies are further reshaping the threat landscape in this domain. These advancements bring both opportunities and vulnerabilities, necessitating a proactive and adaptive approach to cybersecurity to protect not only operations but also the privacy and safety of guests.

Ruggero Contu, the senior director analyst at Gartner, says, “The modern CISO needs to focus on an expanding attack surface created by digital transformation initiatives – Cloud adoption, remote working, third-party infrastructure integration, and the convergence of IT, OT, and IoT are all contributing to this expanded attack surface”

These incidents underscore the hospitality industry’s susceptibility to digital threats and the havoc they can wreak on critical services. It reinforces the urgency of implementing robust cybersecurity measures to safeguard finances and customer data. It’s imperative to identify common vulnerabilities and security threats in this sector.

1. Phishing attacks

Phishing involves the deceptive act of sending or receiving emails that appear genuine, with the criminal’s goal being to persuade the recipient into sharing sensitive information, typically passwords and financial details. This cyber scam has a long history on the internet and has evolved into a more sophisticated threat over time. Recent trends show an increased focus on targeting individuals in authoritative positions. The aim is to compromise the victim’s email account and send fraudulent messages to colleagues, often requesting them approve unauthorized transactions from a higher authority.

2. Ransomware

A ransomware attack in the hospitality industry is a malicious cyber incident where cybercriminals infiltrate a hotel’s computer systems and encrypt essential data, making it inaccessible. They then demand a ransom, typically in cryptocurrency, in exchange for providing the decryption key to unlock the data. Such attacks can disrupt hotel operations, compromise guest information, and lead to financial losses. Successful ransomware attacks in the hospitality sector have often resulted in hotels paying significant sums to regain control of their systems and protect their reputation. Preventative cybersecurity measures are crucial to mitigate the risk of such attacks.

3. DDoS

Hotels worldwide face a menacing threat known as Distributed Denial of Service (DDoS) attacks. While typically associated with web disruptions, DDoS attacks are now a preferred method of targeting the diverse systems hotels rely on. These attacks can compromise seemingly ordinary devices like sprinkler systems and security cameras, leading to the potential collapse of computer networks. Therefore, a comprehensive hotel cybersecurity strategy should include measures to mitigate the impact of compromised systems during a DDoS attack, ensuring uninterrupted operations and guest safety.

4. Point of sale/ payment card attacks

Point-of-sale attacks present the most significant threat to the hotel industry as they often target third-party vendors connected to the hotel’s system. These attacks exploit vulnerabilities exposed by human error, leading to potential financial losses for customers and unwanted media attention, tarnishing the hotel’s reputation. Also, hotels may face severe financial consequences, such as when MasterCard billed an undisclosed establishment $1.4 million and Visa incurred charges of approximately $500,000. Vigilant cybersecurity measures are crucial to mitigate these risks and protect both guests and the hotel’s financial stability.

5. DarkHotel hacking

Are you familiar with the term “DarkHotel”? It’s a relatively recent threat where cybercriminals exploit a hotel’s Wi-Fi network to target business travelers. These attacks involve using fake digital certificates to deceive victims into thinking a software download is safe. To execute this, hackers upload malicious code to a hotel’s server and selectively target specific guests. DarkHotel hacking was first observed in 2007, spreading through peer-to-peer networks and spear-phishing scams. To protect guests concerned about DarkHotel attacks, it’s advisable to encourage using virtual private networks (VPNs) when handling sensitive business data on hotel networks.

6. Customer data/ identity theft

Ensuring the security of customer identity and information is a vital aspect of any successful business, including hotels. Among the top concerns raised by hoteliers is the persistent threat of cyberattacks targeting guest data. With criminals worldwide seeking to exploit and steal identities and credit card details, network, and cybersecurity measures become paramount. Regrettably, this realm of criminal activity is continually evolving, creating an ongoing battle for hotel cybersecurity. Exploring essential secure hotel software tools to enhance group and meeting business and implement effective event venue security measures is essential to stay ahead.

7. Network Security

Network security plays a pivotal role in the cybersecurity landscape of the hospitality industry. Hotels and resorts heavily rely on networked devices like computers, smartphones, and smart home systems, all of which present vulnerabilities to cyber threats. The significance of network security lies in safeguarding against cybercriminals who seek to exploit these devices to access sensitive guest data, pilfer credit card information, or execute various cyberattacks. Without robust network security measures in place, hotels and resorts risk leaving themselves susceptible to these potentially devastating attacks, emphasizing the urgency of proactive cybersecurity efforts.

Cigniti’s Domain Competency Group (DCG) has 450+ testers and Digital assurance specialists with deep experience who provide end-to-end assurance for travel and hospitality-based digital apps (including e-commerce, digital platforms, departure control, passenger management, operations, fleet management, etc.) that enhance customer experience. Need help? Contact our security experts in the Travel and Hospitality domain to learn more about the challenges and security solutions.