Data Security in Hotels: Why it is Important and How to Improve it?

Since the get-go, I have been writing about different aspects of the hospitality industry. But lately, I realised that there’s still amiss in my content.

I don’t know why but I haven’t covered one of the most important segments of this industry — hotel data security. So, this blog is going to be all about it.

But why have I decided to do so?

Because cyber security in the hospitality industry isn’t much talked about. And guess what, hotel data breaches aren’t shocking anymore. The world has witnessed (and is still witnessing) numerous hacks. What truly shocking is that many businesses are still not prepared for cyber-attacks.

Hotels are amongst those businesses that have a carefree approach towards cyber threats and breaches.

I will try to put down all the information around cyber security in the hospitality industry so that hotels will be prepared for all the possible threats.

Why is Data Security so Important in the Hospitality Industry?

Cyber-Security is much more than a matter of IT. 

Stephane Nappo

There was a time when people had the notion that cyber-attacks are mostly targeted towards businesses in the technology domain.

But soon they realised, these attacks are not about a company’s domain, it’s about the data that businesses hold. That’s why there is a series of high profile breaches affecting payment cards.

And when we talk about data, hotels gather and digitally store a wide range of sensitive guest data. Due to this nature of data collection, hotels are an ideal target vector for conducting cybercrimes.

Let me tell you about some past hotel data security breaches:

In the past, there have been a number of data breaches in the hotel industry. While some got the attention, many were just out of the spotlight. In this section, I am going to list some of the well-known hotel data breaches.

Starwood Hotels

Starwood Hotels group data was compromised in 2014. But guess what, till 2018, the hack was unnoticed. That’s not all, even Marriott, which acquired Starwoods, didn’t have any clue about it.

The hackers were in the systems for years and had access to all affected systems including hundreds of millions of data like names, email addresses, phone numbers, passport numbers, arrival and departure information, VIP status, and loyalty programme numbers.

Radisson Hotel Group

In 2018, Radisson confirmed that it suffered a data breach. The hack exposed personal details such as names, addresses, country of residence and email addresses.

Moreover, in some cases, information like company name, phone number, Radisson Rewards member number and frequent flyer numbers were also stolen.

Hyatt Hotels Corporation

Hyatt is another big name from the hotel industry that fell prey to cyber-attacks.

The corporation in 2017 confirmed that it had discovered that between March 18, 2017, and July 2, 2017, there was an unauthorized access to payment card information at certain Hyatt-managed locations worldwide.

Talking about compromised data, it included cardholder name, card number, expiration date and internal verification code.  

What’s more shocking is that the data was stolen from cards manually entered or swiped at the front desk.

Factors That Lead to Security Breaches

From all these hacks, it is clear that hotels are the new playground for hackers. And the cyberattacks are going to get more dangerous with the amount of data hotels have.

Further, it also shows that there are many loopholes in the infrastructure of cyber security in hotels. And it’s time that we take cybersecurity in the hospitality industry seriously.

Privacy – like eating and breathing – is one of life’s basic requirements.

Katherine Neville

To know how to improve data security in hotels, we must first look at the factors behind such hacks.

Here are some of them:

• Human error is one of the greatest causes of data breaches. These are the careless actions of staff working in the hotel. They sometimes keep systems logged in, use personal devices for official tasks without any security, give away credentials, lose data storage devices or other such activities.
• Application vulnerabilities could be loopholes in software or poorly designed network systems that hackers can exploit to get inside a system and steal data.   
• Insider threat is another critical factor behind compromised cyber security in hotels. You must know the folks well who you are working with. You never know who can leak out your business data to outside parties.  
• If you haven’t heard about social engineering, it is a type of psychological manipulation to trick humans into making security mistakes. And when someone from your hotel falls prey to this, it becomes a human error.
• Extensive Reliance on electronic payment modes is also a major factor that leads to hacks. Hyatt Hotels Corporation is a perfect example of this.
• Collecting, using, buying, transferring, or storing data is important for Hotels. But when the same data is no longer necessary to keep, they dump it. To ensure data security, hotels must have a secure equipment and data disposal policy.
• Malware is also a huge threat to hotels. Once enter a system, these notorious pieces of code open up access for a hacker to exploit a system and also the ones connected.

How to Improve Data Security in Hotels?

Now that we have learnt about the threat and how it can affect a hotel and its guest, let’s look at best practices for ensuring data security in the hospitality industry.

1. Train every hotel staff

Many hotels don’t emphasise cybersecurity or information security. They think that their staff should only be aware and trained for hotel operations.

However, that shouldn’t be the case now.

Hotels, despite their size, must conduct routine training sessions. The hotel staff should be provided with all the fundamental skills to ensure a secure environment for guests and employees. 

Further, if required, you can also conduct tests to see whether the employees are keeping abreast with all the learnings.

2. Set strong rules and regulations

Apart from training your staff, you also need to have a set of strict protocols. It should be clear that information security is one of those aspects that need to be taken seriously by everyone.

Even if it sounds harsh, I would suggest you take necessary actions against employees who don’t abide by the rules.

At the end of the day, data security also matters for you and your guests, and is a part of the overall experience at your property.

3. Use cybersecurity tools

It goes without saying, wherever there’s computing involved, it is important to have security tools such as firewalls, network monitor, traffic filter, and anti-malware.

There are various top-notch cybersecurity tools available in the market. Pick the ones that best fit your budget and need, and protect against common cybersecurity threats.

Further, you can also test the tools and see if they are effective. If not, then you can always switch. (Will cover this in detail in the next point).

4. Conduct routine penetration tests

Penetration testing (also known as pen test or ethical hacking) is a simulated cyberattack on a computer system that is done legally with authorization. Pen test is done to evaluate the security of a system.

Hotels nowadays rely on a lot of technological integrations and it is advised to turn to routine pen tests and see if the infrastructure has got any loopholes.

Like I mentioned in the last point, you can also do that on the security tools you incorporate to check whether they are worth relying on

5. Encrypt payment card information

The Payment Card Industry Data Security Standard (PCI DSS) provides certain security measures. It ensures that the cardholders, merchants and everyone in between are safe from any type of malicious attacks.

Therefore, the hotels must adhere to all the protocols. One of the aspects to look after is the encryption of card information. So, make sure you use strong data encryption methods to keep safe.

Furthermore, if you are using PMS, ensure that it is PCI DSS compliant. 

There’s a detailed blog on Encryption of Payment Card Data on the RSA conference’s website. You can check that out for more information.

6. Keep devices up-to-date and back up data

Incorporating the top technologies for your hotel cyber security is one thing, but you also have to keep your systems healthy and secure.

In hotels, most of the systems are interconnected and if some of them are vulnerable, then all of your machines are affected.

Therefore, you MUST update systems regularly. If you overlook its importance, you’re going to have weak spots that can lead to attacks.

Furthermore, you should also create a backup routine and make sure it is an automated process. So, even if there’s any mishap and you lose your data from a server, you’ll always have a backup ready.

7. Isolate sensitive information

With the rising number of cyber-attacks, hotels need to take extra care of sensitive information.

I would highly suggest you keep the most sensitive information in isolated storages. It shouldn’t be accessible to anyone, except the authorised person.

You can store it on a physical device or cloud storage without letting anyone else know.

8. Adhere to technologies that are compliant with data security standards

While all the above-mentioned things are important, you also need to look at the technologies you are going to use or are currently using. You have to check whether they are compliant with all the data security standards.

For example: A hotel PMS is one of the most-used and critical pieces of technology for a hotel. It is responsible for streamlining almost every segment of the hotel and also deals with a lot of sensitive data. So, if you have a hotel PMS or are planning to get one, then make sure it is compliant with the protocols of data privacy in the hospitality industry.