United States: Cyberattacks On Hotels — What Should Hotel Owners And Operators Do?

Last Updated: January 15 2018
Article by Robert E. Braun

This article was originally published by Hotel Business Review and is reprinted with permission from www.hotelexecutive.com.

Almost as soon as there were data breaches, hotels became a prime target of hackers, and the hospitality industry has consistently been one of the most commonly targeted businesses. Since 2010, hotel properties ranging from major multinational corporations to single location hotels have been impacted.

The recent report that Hyatt Hotels was a victim for the second time in as many years has raised more concerns about the industry's ability to address cybersecurity. While consumers are so used to receiving breach notices that "breach fatigue" has set in, the second successful attack on Hyatt is sure to raise the eyebrows of regulators, plaintiffs' lawyers, and guests. The data breach will affect the loyalty, trust and consumer perception of all Hyatt Hotels guests. So how can hotels prove to guests that they are safe and trustworthy?

"While the company claims that it has implemented additional security measures to strengthen the security of its systems, no explanation was given as to why these additional measures were not implemented after the first attack," said Robert Cattanach of Dorsey & Whitney. "Estimates of actual harm have yet to be provided, which is typically the weak spot of any attempted class action, but the liability exposure seems problematic regardless."

Hyatt is in no way alone. On November 2, 2017, the BBC reported that Hilton was fined $700,000 for "mishandling" two data breaches in 2014 and 2015. The attorneys general of New York and Vermont said Hilton took too long to inform their guests about the breaches and the hotels "lacked adequate security measures." Hilton discovered the first of the two breaches in February 2015 and the second in July 2015, according to the article, but the company only went public with the breaches in November 2015. The company has said there is no evidence any of the data accessed was stolen, but the attorneys general said the tools used in the data breaches made it impossible to determine what was done.

What do Hackers Want?

Hackers seek a variety of types of information. Most commonly, hackers compromise systems so that they can obtain credit card numbers and sell them on the dark web. While this is possibly the most common – and certainly the most reported – type of data theft, it is far from the only kind of data hackers look for.

Other types of guest data can be as valuable to hackers, or more so. While credit card data can only be used until the theft is reported and the card inactivated, hotels collect volumes of data on guests that can be monetized. More sophisticated hackers collect information on individuals as a means of compromising other computer systems and of impersonating individuals. For example, a hotel guest may use the same password to access a hotel brand's loyalty program as he or she uses to access financial institutions. Even when the connection is not that direct, the loyalty program might collect the birthdate and personal preferences of a guest, all of which can be used to successfully guess passwords or other credentials and enable the hacker to break into personal or business accounts. Or the hacker may use the information that a hotel or a hotel brand collects about a guest to impersonate the guest in communications, which can then be used to compromise other networks.

Hotel companies should also not underestimate the importance of non-personal, but valuable, business information. Even "anonymized" information may give competitors a competitive advantage, giving them advance notice of marketing programs, new operating policies or other trade secrets.

Why Are Hotel Breaches Prevalent?

Trustwave's 2016 Global Security Report reported that 14% of the incidents investigated by Trustwave originated at hotels – the second largest share of data breaches, followed closely by the food and beverage industry. As further described below, the hospitality industry possesses a number of factors that make it attractive to hackers: large volumes of valuable information, multiple vectors for accessing information, large workforces and dependence on vendors, to name a few. There are, moreover, a number of trends that make hotels more vulnerable, as well as other reasons that contribute to the frequency of cyberattacks on hotels.

First, the increasing incorporation of technology into hotel operations can lead to more breaches. Hotels are seemingly in a race to become more innovative – consider the trend to allow guests to bypass the need to go to the front desk by using their mobile devices to select a room, check-in, receive texts when their room is ready, and even unlock the door to their room. Guests are encouraged to use mobile devices to customize their stay by requesting items, ordering room service, planning activities, or purchasing upgrades. Not only does this trend increase the likelihood of a breach by adding new access points to the system; these programs collect even more data, making a hotel breach more valuable.

Hotels are also pressured to expand Wi-Fi networks, share data with OTAs, and proliferate other interconnected systems, making the hospitality industry more vulnerable to a data breach. Each of these factors increases the number of parties that have access – authorized or otherwise – to hotel data, and increase the number of threats to the industry.

One of the key issues facing the industry is the prevalence of outside vendors who provide key hotel functions. Consider that virtually all of the breaches involving hotels that have been reported over the past several years originated not with hotel functions, but with companies engaged by hotels to provide services to the hotel. Virtually every major hotel chain has suffered a data breach through point of sale merchants – each of Hyatt, Marriott (and before its acquisition by Marriott, Starwood), InterContinental, Hard Rock, Four Seasons, Trump and Loews has reported at least one breach in the past two years, and many have reported multiple breaches.

Third parties are a common source of breaches for many industries, but the hotel industry is particularly reliant on third parties for many functions. In addition to credit card processing, hotels look to third parties for reservation services, payroll, human resources, asset management, maintenance and improvements – many hotels have determined that third parties are better qualified to provide specialized services, and those third parties thus have access to hotel systems. Many hotel companies have not fully recognized the need to monitor vendors and require them to implement adequate security standards.

The widespread dependence on third party vendors is a greater problem because hotel systems are widely interconnected. To follow up on the point of sale example, these vendors must tap into basic hotel systems in order to allow for room charges and financial reporting. Hotel executives want and need single point access to hotel operations, meaning that information from separate systems must be accessible to, and shared by, a variety of systems. Even where direct access is limited, varying systems may share a single hotel network, and often a wireless network; the network itself can be breached, which can impact all systems. Ultimately, hotels face the dilemma that the system as a whole is only as strong as its weakest link, and a single vulnerability may expose the entire system.

A variety of other factors exacerbate the vulnerability of hotels:

  • Multiple Systems – Hotels use a variety of different systems for operations, ranging from off-the-shelf, commercial programs to specialty programs. Each of these programs presents the potential for breach and, as noted above, a single weakness can create a weak system. Moreover, the transfer of information from one system to another is, in itself, a source of weakness.
  • Legacy Systems – Along with the existence of multiple systems, many hotel systems are legacy systems that were never designed with security as a key element. Legacy systems are a particular weakness.
  • Unclear Lines of Responsibility – As the hospitality industry has developed, there is rarely a unity of ownership and management; instead, most hotel properties are owned by one party, which has entered into a franchise agreement to operate under a particular brand, and managed by yet another company. While each of these entities shares responsibility for data security, it is often unclear who is ultimately responsible – is it the manager, who operates the hotel, the franchisor, who selects or approves systems, or the owner, who has financial responsibility for the venture? The lack of precise responsibility can lead to a vacuum in leadership.
  • The Human Factor – Hotels rely on large numbers of employees, many of whom have access to hotel information systems. Most data breaches can be traced to individuals, whether acting maliciously, negligently or with complete innocence, and training hotel personnel is time-consuming and expensive. Added to this, many hotels have high turnover rates, further complicating the creation of a culture that promotes security.

What Should You do?

While creating a secure environment is a daunting task, hotel owners and operators can and should begin the process, and the most important thing owners can do is to take responsibility for the security of the properties they own. Rather than leaving the issue to franchisors and managers, all involved should take actions that will start the process of creating a data-secure environment.

  • Take Control – Cybersecurity cannot be relegated to a single party; owners, operators and brands all need to take an active role in reducing cyber risks. Even where one party might contractually assume responsibility for security, all parties must conduct their operations so as to promote security. If a franchisor establishes effective security guidelines, it does no good if the manager ignores those guidelines.
    Taking control means conducting a detailed risk analysis of your enterprise and determining what risks must be avoided, what risks can be assumed, and what risks must be shifted to others, including insurers. With that analysis in hand, a company can make realistic business decisions that reduce cyber risk.
  • Prepare for the Inevitable – It is often, and accurately, said that a data breach is a matter of "when," not "if." With that in mind, all parties should be prepared to react to a breach by having a well-constructed and tested incident response plan in place – reacting in the midst of an emergency is ineffective and counterproductive.
    Similarly, in light of the prevalence of ransomware, wiperware and other threats, firms need to have robust and effective backup programs that allow them to recover and protect their guests, employees and properties.
    Finally, preparing for the inevitable means identifying means of mitigating damages, which must include obtaining effective cyber insurance that addresses and covers the actual damages hotels face.

  • Respond to Breaches – Much of the criticism of hotel companies has been directed not just at the perceived insecurity of their systems, but at delays in responding to breaches. The Hyatt and Hilton incidents noted above, as well as the FTC's action against Wyndham, are all based on failure to take the existence of breaches seriously. Hotels, like all companies, need to have in place, and to have tested, effective incident response teams and plans, including identifying all internal and external resources (attorneys, security consultants and public relations, among others) who will respond to a breach.
  • Create a Culture of Security – Probably the hardest task, but arguably the most important, is to create a top-to-bottom culture of cybersecurity. Every individual in the organization, and every affiliate and third party vendor, must take the task of cybersecurity seriously, and take on the responsibility of creating a cybersecure environment.

What Will the Future Bring?

Predicting the future is a difficult and fraught task, but in this case it is straightforward – there is no reason to expect that the number of cyberattacks will drop. Rather, we can expect more sophisticated and dangerous moves, particularly those which move beyond credit card theft and into the key operations of hotels. In particular, hotels can expect to be the target of ransomware and similar attacks that threaten the viability of the hotels and hotel companies themselves; without adequate preparation, hotels will face an unattractive choice between funding future attacks by paying ransoms, or attempting to operate a sophisticated business without the benefit of electronic data systems.

And hotels need to consider other factors – US laws are in constant flux, and the adoption of European Union regulations covering privacy will create greater challenges, which can only be addressed by advance planning.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
