Safeguarding the Hospitality Industry from Cyber Criminals
Originally published in Hotel Executive.
A quality guest experience and a hotel's success go hand in hand, but at what cost? Ease of access around the property, instant Wi-Fi, and almost every step between check-in and check-out depend on some form of technology. Each of those access points is also a prime target for cybercriminals, which is one reason attacks on hotels are expected to keep increasing.
Why Target Hotels?
Hotels have become appealing targets for cybercriminals for several reasons: the volume of personal data they collect, the number of payment card transactions they process, their complex web of vendors, their guest Wi-Fi networks, the proprietary and third-party applications and platforms they run, and the constant push to make the guest experience as smooth and frictionless as possible.
Attacks on hotels have historically been driven by financial gain, data theft, or the desire to disrupt hotel operations. A primary objective is to steal payment card data, including card numbers, cardholder names, and security codes, which can be used for unauthorized transactions or sold on the dark web for profit.
Identity theft and fraud are also common goals, with cybercriminals using stolen personal information to commit a range of fraudulent activities. Ransomware attacks encrypt critical hotel data, such as guest reservations or financial records, and the attackers demand a ransom in exchange for the decryption key, disrupting operations until payment is made or the data is restored from backups.
Additionally, attackers may target a hotel's financial systems, corporate espionage may occur at luxury or business hotels, and exfiltrated data can be used for extortion, sold to competitors, or used for intelligence gathering. Some attacks aim solely to disrupt hotel operations, causing financial losses and reputational damage. Opportunistic attackers will exploit any vulnerability they find for financial gain.
Hotels are also seemingly easier to infiltrate than organizations in industries such as healthcare or financial services. Historically, the hospitality industry has not been known for building and maintaining robust cybersecurity programs, which leaves hotels as low-hanging fruit for cybercriminals.
In fact, many organizations within the hospitality industry are likely unaware of how vulnerable they are to an attack. A joint study from Cornell and FreedomPay surveyed 300 hospitality enterprises; nearly all of them (96%) said they are confident in their company's internal risk assessment processes. Yet nearly one-third (31%) had experienced a data breach in their company's history, and the majority of those (89%) reported more than one breach attempt in a year, with 69% attacked more than three times in a year.
Top 3 Hotel Attack Vectors
We've covered why cybercriminals target hotels, but how do they do it? While there are countless ways for an attacker to get into a system, there are three primary points of access that every executive should be aware of.
The most common method is phishing. Cybercriminals send deceptive emails to trick hotel staff, guests, or third-party partners into revealing sensitive information or downloading malware. You've likely received one of these emails yourself in the last month, offering a "free" gift card or an "urgent" message from the IRS.
A voice variant of the same technique ("vishing") was the entry point for the recent attack on MGM Resorts, in which the attackers had access to the organization's systems for roughly ten days. The adversary impersonated an MGM employee on a phone call and persuaded the IT help desk to grant them access to the MGM environment. From there, they moved on to other systems and eventually deployed ransomware. The total cost has yet to be finally calculated, but you can be assured it will be in the tens of millions.
Point-of-sale (POS) systems and payment cards are another common attack method, and arguably the biggest threat to the hospitality industry. Threat actors see POS systems as the most direct route to card data and financial gain. These systems are often configured improperly, with weak or default passwords and/or insecure remote access, which lets cybercriminals infect them with card-skimming (memory-scraping) malware. The problem is compounded by the fact that hotels typically delegate POS security to third-party vendors, whose remote support access offers threat actors yet another way in. Hotel POS deployments are also sprawling, with terminals at the front desk, on-site shops, spas, restaurants, parking and so on, so the possible entry points are dispersed and harder to watch. In 2017, Hyatt Hotels Corporation reported a data breach that affected approximately 41 of its properties in 11 countries. Malware installed on the POS systems captured payment card details during transactions.
Finally, I can't imagine staying at a hotel nowadays that doesn't offer Wi-Fi, but that convenience has opened yet another vector for attackers. Guest Wi-Fi networks have fewer security controls than private networks, and many attacks on hotel systems are enabled by human error. For example, if an unaware hotel employee configures a staff or back-office network as "open", they have effectively created a rogue access point (AP) on the business network, one that an attacker can join from the hotel lobby or even a nearby building. The same applies to an attacker's own AP that imitates a hotel SSID, which is why authorized access points should be inventoried and the airspace checked against that inventory.
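The check described above, written out as an added example (not code from the original article or from any hotel's Wi-Fi controller): a survey of what is actually on the air is compared against an inventory of authorized access points, flagging an authorized AP that has been set to open or to weaker security than required, an authorized SSID name broadcast from an unknown BSSID, and an authorized radio broadcasting the wrong SSID. The inventory, the BSSIDs and the survey rows are constructed for illustration; in practice the survey would come from a WIPS sensor or the wireless controller.

```python
"""Compare a Wi-Fi survey against the hotel's authorized-AP inventory.

Added example; the inventory, BSSIDs and scan rows below are constructed.
"""
from dataclasses import dataclass

# Ordering used to decide whether an observed network is weaker than the
# inventory requires for that SSID.
SECURITY_RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}


def security_rank(label: str) -> int:
    """Map a survey label such as 'WPA2-PSK', 'WPA3-SAE' or 'OPEN' to a rank."""
    family = label.upper().split("-")[0]
    if family not in SECURITY_RANK:
        raise ValueError(f"unknown security label: {label}")
    return SECURITY_RANK[family]


@dataclass(frozen=True)
class Observed:
    ssid: str
    bssid: str
    security: str
    rssi: int  # dBm; closer to 0 is stronger


# Constructed inventory: SSID -> (authorized BSSIDs, minimum security).
AUTHORIZED = {
    "Hotel-Staff": ({"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}, "WPA2"),
    "Hotel-POS": ({"aa:bb:cc:00:00:03"}, "WPA3"),
    "Hotel-Guest": ({"aa:bb:cc:00:00:04", "aa:bb:cc:00:00:05"}, "OPEN"),
}

# Constructed survey: one healthy staff AP, a POS AP mistakenly set to open,
# an unknown radio imitating the staff SSID, a healthy guest AP, a staff
# radio broadcasting the wrong name, and an unrelated neighbour.
SAMPLE_SCAN = [
    Observed("Hotel-Staff", "aa:bb:cc:00:00:01", "WPA2-PSK", -50),
    Observed("Hotel-POS", "aa:bb:cc:00:00:03", "OPEN", -45),
    Observed("Hotel-Staff", "de:ad:be:ef:00:01", "WPA2-PSK", -40),
    Observed("Hotel-Guest", "aa:bb:cc:00:00:04", "OPEN", -55),
    Observed("FreeLobbyWiFi", "aa:bb:cc:00:00:02", "OPEN", -50),
    Observed("CoffeeShop", "11:22:33:44:55:66", "WPA2-PSK", -80),
]


def find_rogue_aps(scan, authorized=AUTHORIZED):
    """Return (kind, ssid, bssid, detail) tuples for every problem found.

    kind is one of:
      misconfigured - an authorized BSSID advertises an SSID with weaker
                      security than the inventory requires (the "secured
                      network set to open" case)
      evil_twin     - an authorized SSID is broadcast by a BSSID that is
                      not in the inventory
      ssid_mismatch - an authorized BSSID is broadcasting a different SSID
    Networks that match neither an authorized SSID nor BSSID are ignored.
    """
    findings = []
    bssid_to_ssid = {b: s for s, (bssids, _) in authorized.items() for b in bssids}
    for ap in scan:
        bssid = ap.bssid.lower()
        if ap.ssid in authorized:
            allowed, required = authorized[ap.ssid]
            if bssid in allowed:
                if security_rank(ap.security) < security_rank(required):
                    findings.append(("misconfigured", ap.ssid, bssid,
                                     f"{ap.security} advertised, {required} required"))
            else:
                findings.append(("evil_twin", ap.ssid, bssid, f"rssi {ap.rssi} dBm"))
        elif bssid in bssid_to_ssid:
            findings.append(("ssid_mismatch", ap.ssid, bssid,
                             f"inventory expects {bssid_to_ssid[bssid]}"))
    return findings


if __name__ == "__main__":
    for kind, ssid, bssid, detail in find_rogue_aps(SAMPLE_SCAN):
        print(f"{kind:14} {ssid:16} {bssid}  {detail}")
```

Run against the constructed survey, the function reports the open POS radio, the unknown BSSID imitating Hotel-Staff, and the staff radio advertising FreeLobbyWiFi; the neighbouring coffee shop is left alone because nothing about it matches the inventory, which keeps the report free of the noise that makes wireless alerts get ignored.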
The Cost of a Cyber Breach
A cyber breach can bring about substantial legal and financial consequences for those involved. From a financial perspective, organizations can face direct costs such as expenses associated with investigating the breach, notifying affected individuals, offering credit monitoring services, and implementing security fixes.
According to IBM's Cost of a Data Breach Report 2023 (2), the average cost of a breach in the hospitality industry was $3.36 million, up from just under $3 million the year before.
Indirect costs may include revenue loss due to downtime, damage to the organization’s reputation causing reduced business, and increased insurance premiums. Moreover, various regions have data protection regulations that demand compliance. Failure to do so can lead to substantial fines and penalties. Legal liabilities could arise as breach victims initiate legal actions, resulting in lawsuits, settlements, and legal fees. Organizations must also bear the cost of remediation, including upgrading security systems, forensic investigations, and implementing enhanced security measures.
Reputation damage can have long-lasting financial effects, leading to diminished customer trust, lower sales, and customer attrition. Lastly, the financial impact can extend beyond the immediate aftermath, affecting stock prices, investment prospects, and long-term financial stability.
Five Notable Hotel Breaches and How the Hackers Got In
InterContinental Hotels Group (2016): InterContinental Hotels Group (IHG) disclosed, in April 2017, a breach that affected more than 1,200 of its properties in the United States. The breach occurred due to malware on the hotel chain's payment card processing systems, which compromised guests' payment card information.
Marriott International (2018): One of the largest hotel data breaches in history, the Marriott breach initially involved the exposure of data of approximately 500 million guests (a figure Marriott later revised to roughly 383 million records). Unauthorized access to the Starwood guest reservation database had occurred, potentially compromising personal information including names, addresses, phone numbers, passport numbers, and payment card data. The intrusion had been ongoing for several years before it was detected.
Hilton Worldwide (2019): The Hilton Worldwide data breach affected over 4.5 million guests. The breach was caused by a phishing attack that targeted Hilton employees. The phishing attack tricked employees into revealing their login credentials, which were then used by cybercriminals to access the Hilton reservation system. The cybercriminals were able to steal guest data, including names, addresses, phone numbers, email addresses, and passport numbers.
Wyndham Hotels & Resorts (2020): The Wyndham Hotels & Resorts data breach affected over 600,000 guests. The breach was caused by a malware infection in the Wyndham Rewards loyalty program. The malware was able to steal guest data, including names, addresses, phone numbers, email addresses, and Wyndham Rewards member numbers. For some guests, the malware also stole payment card numbers and expiration dates.
Wyndham Hotels & Resorts (2022): The May 2022 Wyndham Hotels & Resorts data breach affected over 1 million guests. The breach was caused by a malware infection that was able to steal guest data, including names, addresses, phone numbers, email addresses, and passport numbers.
Compliance Does Not Mean You Are Cyber Secure
Part of being an executive is making hard decisions about where to cut costs to keep a business profitable. Over the years, I've noticed a trend in how organizations invest in cybersecurity: if the company meets compliance standards, it assumes it is protected. That is not entirely true. Compliance standards within the realm of cybersecurity still have a long way to go.
A Deloitte survey of 500 C-level executives found that 85% of chief information security officers said they can measure and demonstrate compliance (3). If that's the case, why are companies still struggling with major breaches? Because current compliance standards only scratch the surface of what it means to be secure. Without getting technical, think of cybersecurity compliance in terms of your home security system. It would be like proving to your insurance company that you have door and window sensors that should go off if someone were to break in, but never knowing whether those sensors work until someone is actually breaking in, at which point it is too late. Many compliance standards in cybersecurity lead to the same outcome: an organization is required to have certain programs, training, or certifications, but whether they work and prove effective is another story. That's not to say every organization does this, but organizations that rely solely on "checking the box" are still very much vulnerable to an attack.
Things to Focus on to be More Cyber Secure
- Educate and Empower All Staff Members
In more cases than not, a cybersecurity incident starts with human error. This is not to put the fault on employees; it is primarily a lack of training and awareness. As we saw with the recent MGM attack, many of these intrusions begin with phishing or a persuasive phone call, so training employees to recognize and handle phishing tactics is crucial.
Our firm was once hired to run phishing training for an entire organization. We sent out phishing emails to see who would respond and click the exploitable link. The CEO of the company, who knew we were running the training, forwarded the entire email to the company believing there were actual changes from HR that everyone needed to be aware of.
It goes to show that even if you are prepared and warned of an attack, it is easy for something to slip by. These criminals are extremely good at preying on an individual's emotions or finances to get them to open a message or download an attachment.
Regular training empowers employees to make informed decisions and act as the first line of defense. It's important to remind everyone that safeguarding your company's most sensitive information is not just an "IT" issue.
- Bolster Network Infrastructure
Hotels must patch and update their systems promptly to close known vulnerabilities. When a network is left unpatched, attackers can exploit those weaknesses to get in. In particular, hotels should give their utmost attention to patching and updating POS systems. Here are a few steps hotels should take to ensure their POS systems are secure:
- Use long, unique passwords on POS systems and change every vendor default.
- Use two-factor authentication, especially for administrative and remote access.
- Ensure antivirus or endpoint protection is up-to-date.
- Separate the POS network from other networks and investigate anomalies.
- Filter which external IP addresses can reach the remote-access mechanism of the POS controller.
- Use PCI-Validated Point-to-Point Encryption (P2PE) to encrypt credit card data immediately upon payment.
- Segment Wi-Fi networks by making guest Wi-Fi and business networks separate.
- Deploy Wireless Intrusion Prevention Systems (WIPS) to detect and prevent hacking attempts against the Wi-Fi network.
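The checklist above can be turned into an automated audit that a hotel (or its POS vendor) runs against each controller's configuration before it goes live and again after every vendor change. The following is an added example, not code from the article or from any POS product: the configuration field names (admin_password, remote_access_allowlist, pos_network and so on) are assumptions chosen for illustration, and the two configurations are constructed to show a weak setup beside a hardened one. The checks that carry real logic are the allow-list review (rejecting "any source" and overly broad ranges with the standard ipaddress module) and the segmentation check (detecting when the POS subnet overlaps the guest or corporate networks).

```python
"""Audit a POS controller configuration against the hardening checklist.

Added example; configuration keys and both sample configurations are
constructed for illustration.
"""
import ipaddress
import string
from datetime import date

COMMON_DEFAULTS = {"admin", "password", "123456", "pos1234", "welcome1"}
MAX_SIGNATURE_AGE_DAYS = 7
CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation)


def check_password(pw: str) -> list:
    """Length, character-class mix, and a small list of known defaults."""
    issues = []
    if len(pw) < 12:
        issues.append("admin password shorter than 12 characters")
    classes = sum(1 for cls in CHAR_CLASSES if any(c in cls for c in pw))
    if classes < 3:
        issues.append("admin password uses fewer than 3 character classes")
    if pw.lower() in COMMON_DEFAULTS:
        issues.append("admin password is a common vendor default")
    return issues


def check_remote_allowlist(entries) -> list:
    """Remote access must be limited to specific vendor source addresses."""
    issues = []
    if not entries:
        issues.append("remote access has no source IP allow-list")
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            issues.append(f"allow-list entry {entry!r} is not a valid network")
            continue
        if net.prefixlen == 0:
            issues.append(f"allow-list entry {entry} permits any source address")
        elif net.max_prefixlen - net.prefixlen > 8:
            issues.append(f"allow-list entry {entry} is broader than 256 addresses")
    return issues


def check_segmentation(pos_network: str, other_networks: dict) -> list:
    """The POS subnet must not overlap guest, corporate or other networks."""
    pos = ipaddress.ip_network(pos_network, strict=False)
    return [f"POS network {pos} overlaps the {name} network {cidr}"
            for name, cidr in other_networks.items()
            if pos.overlaps(ipaddress.ip_network(cidr, strict=False))]


def audit(cfg: dict, today: date) -> list:
    """Return a list of findings; an empty list means the config passed."""
    findings = check_password(cfg["admin_password"])
    if not cfg.get("mfa_enabled", False):
        findings.append("MFA not enabled for POS administrative access")
    age = (today - cfg["av_signatures_updated"]).days
    if age > MAX_SIGNATURE_AGE_DAYS:
        findings.append(f"endpoint protection signatures are {age} days old")
    findings += check_remote_allowlist(cfg.get("remote_access_allowlist", []))
    findings += check_segmentation(cfg["pos_network"], cfg.get("other_networks", {}))
    if not cfg.get("p2pe_validated", False):
        findings.append("card data is not protected by PCI-validated P2PE")
    return findings


# Constructed: the kind of setup the article describes as common.
WEAK_CONFIG = {
    "admin_password": "pos1234",
    "mfa_enabled": False,
    "av_signatures_updated": date(2023, 1, 15),
    "remote_access_allowlist": ["0.0.0.0/0"],
    "pos_network": "10.0.0.0/16",
    "other_networks": {"guest": "10.0.50.0/24"},
    "p2pe_validated": False,
}

# Constructed: the same controller after applying the checklist.
HARDENED_CONFIG = {
    "admin_password": "Lobby-Tr0ub4dor&3-2023",
    "mfa_enabled": True,
    "av_signatures_updated": date(2023, 9, 29),
    "remote_access_allowlist": ["203.0.113.10/32", "198.51.100.0/28"],
    "pos_network": "10.30.0.0/24",
    "other_networks": {"guest": "10.20.0.0/16", "corp": "10.10.0.0/16"},
    "p2pe_validated": True,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg, date(2023, 10, 1)) or ['no findings']}")
```

The weak configuration produces eight findings, including the "permits any source address" allow-list entry that is the single most common way a vendor's remote support port ends up reachable from the whole internet; the hardened configuration produces none. The thresholds (12 characters, 7-day signature age, 256-address ranges) are assumptions to be tuned to the hotel's own policy.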
- Assess Vendors’ Security Capabilities
Many cyberattacks are carried out through third-party vendors. Third-party vendors are part of any organization’s attack surface and pose a huge risk to overall security. To assess third-party vendors, start by conducting a thorough risk assessment. Identify the criticality of their services to your organization, the type of data they handle, and their security practices. Request and review their security policies, compliance certifications, and incident response plans. Evaluate their past performance and reputation through references or industry reviews. Assess their financial stability to ensure long-term viability. Lastly, establish clear contractual obligations regarding security, data protection, and compliance to mitigate risks associated with third-party relationships. Regular monitoring and audits should also be part of your vendor management strategy to ensure ongoing compliance and security.
- Perform Internal Threat Hunting
Hotels have massive digital footprints because of all the different systems they use. Attackers typically gain entry at one point and then move laterally through the network looking for data they consider valuable. Security teams therefore need to monitor their own internal network traffic to identify suspicious activity, such as guest-network devices reaching business systems or one host connecting to many others, and discover unauthorized access before it becomes a breach.
Threat hunting is a proactive approach in which analysts search their own logs and network traffic for signs of an intruder rather than waiting for an alert. A breach and attack simulation (BAS) solution complements it by safely replaying known attack techniques against the environment to confirm that existing controls detect them. Both require planning: define the objectives (for example, "could a device on the guest Wi-Fi reach the POS network without being noticed?"), select the right tooling, and assemble a dedicated team. Data collection, including logs and network flow records, is crucial to the analysis. Results are scrutinized for anomalies and unusual patterns, potential threats are investigated, and, if confirmed, immediate action is taken to contain and remediate them.
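As an added example of the kind of hunt the paragraph above describes (not code from the article or from any BAS or SIEM product), the following script runs two simple hypotheses over network flow records: traffic from the guest Wi-Fi segment into the corporate or POS segments, and a single internal host contacting many other internal hosts on administrative ports, the fan-out pattern left by lateral movement. The segment map, the flow-log format (timestamp, source, destination, destination port, protocol) and the log lines themselves are constructed for illustration; a real hunt would read NetFlow, firewall or zeek connection logs.

```python
"""Hunt flow records for guest-to-business traffic and lateral-movement fan-out.

Added example; the segment map, log format and log lines are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed segment map for a hotel network.
SEGMENTS = {
    "guest": ipaddress.ip_network("10.20.0.0/16"),
    "corp": ipaddress.ip_network("10.10.0.0/16"),
    "pos": ipaddress.ip_network("10.30.0.0/24"),
}
# Ports attackers use to move between hosts: SSH, RPC, SMB, RDP, WinRM.
ADMIN_PORTS = {22, 135, 445, 3389, 5985, 5986}
# Distinct internal destinations on admin ports before a source is reported.
FANOUT_THRESHOLD = 5

# Constructed flow log: one guest device going out to the internet and then
# into the POS segment, a normal corporate HTTPS flow, and a corporate
# workstation sweeping six neighbours over SMB.
SAMPLE_FLOWS = """\
# ts                   src          dst          dport proto
2023-10-01T02:14:05Z  10.20.3.14   8.8.8.8      53    udp
2023-10-01T02:14:09Z  10.20.3.14   10.30.0.5    445   tcp
2023-10-01T02:15:00Z  10.10.4.21   10.10.1.2    443   tcp
2023-10-01T02:16:10Z  10.10.4.20   10.10.4.31   445   tcp
2023-10-01T02:16:11Z  10.10.4.20   10.10.4.32   445   tcp
2023-10-01T02:16:12Z  10.10.4.20   10.10.4.33   445   tcp
2023-10-01T02:16:13Z  10.10.4.20   10.10.4.34   445   tcp
2023-10-01T02:16:14Z  10.10.4.20   10.10.4.35   445   tcp
2023-10-01T02:16:15Z  10.10.4.20   10.10.4.36   445   tcp
"""


def segment_of(ip: str) -> str:
    """Name the segment an address belongs to, or 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def parse_flow(line: str) -> dict:
    """Parse one whitespace-separated flow record."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def hunt(lines) -> list:
    """Return (kind, source_ip, detail) findings for the supplied records.

    cross_segment - a guest-segment source reached the corp or POS segment
    fan_out       - one internal source touched FANOUT_THRESHOLD or more
                    distinct internal hosts on admin ports in this window
    """
    findings = []
    fanout = defaultdict(set)
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        flow = parse_flow(line)
        src_seg, dst_seg = segment_of(flow["src"]), segment_of(flow["dst"])
        if src_seg == "guest" and dst_seg in ("corp", "pos"):
            findings.append(("cross_segment", flow["src"],
                             f"reached {dst_seg} host {flow['dst']} on port {flow['dport']}"))
        if src_seg != "external" and dst_seg != "external" and flow["dport"] in ADMIN_PORTS:
            fanout[flow["src"]].add(flow["dst"])
    for src, dsts in fanout.items():
        if len(dsts) >= FANOUT_THRESHOLD:
            findings.append(("fan_out", src,
                             f"{len(dsts)} distinct internal hosts on admin ports"))
    return findings


if __name__ == "__main__":
    for kind, src, detail in hunt(SAMPLE_FLOWS.splitlines()):
        print(f"{kind:14} {src:12} {detail}")
```

On the constructed records the hunt reports the guest device reaching a POS host over SMB (which, with the segmentation in the previous section in place, should be impossible and therefore merits an immediate look) and the corporate workstation that touched six neighbours on port 445 within seconds. The fan-out threshold and the admin-port list are assumptions; a real deployment would tune them against a baseline of what backup servers, vulnerability scanners and management tools normally do, and would apply the window per hour or per day rather than over the whole file.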
- Develop an Incident Response Plan
Hotel security teams cannot afford to sit around and wait for attacks to happen. They need to assume it’s a matter of when, not if, they’ll be targeted.
According to IBM's Cost of a Data Breach Report 2023, on average it took organizations 204 days to identify a breach and another 73 days to contain it (4). Every hotel should have an incident response plan in place so that, if a data breach does occur, communication and mitigation follow a rehearsed process instead of being improvised.
One way to stress-test your incident response plan is through tabletop exercises, which provide a structured and cost-effective way to assess and improve incident response capabilities. These exercises walk executives and key stakeholders through realistic crisis scenarios (a POS malware discovery, a ransomware note, a vendor reporting a breach) so they can collaborate, identify weaknesses, and refine their response plans. By doing so, organizations can better prepare for real-world emergencies, minimize the impact of incidents, and protect their reputation and assets.
At the end of the day, even if a security team had an unlimited budget, there is no way to 100% prevent a cyberattack. However, with the right tools, training, and response plans in place, companies can at least take steps in the right direction.
Lauren Verno, OnDefend VP of Communications: Media@ondefend.com