Hospitality News & Business Insights by EHL

Data Security in Hospitality: Risks and Best Practices

Written by Limor Wainstein | Dec 2, 2018 11:00:00 PM

Information security is a pivotal aspect of many industries, not least the hospitality industry due to the nature of the data collected by companies operating within hospitality. Hotels, motels, resorts, and rented apartment complexes all gather and electronically store a range of sensitive personal guest data, such as names, phone numbers, addresses, and credit card details.

From the perspective of cybercriminals, hospitality appears to offer an ideal target vector for conducting crimes such as identity theft and credit card fraud due to the existence of multiple databases and devices containing both Payment Card Information (PCI) and Personally Identifiable Information (PII).

This article focuses on five of the biggest data security concerns in the hospitality industry and highlights some best practices for protecting hospitality data.

Data Security Concerns in Hospitality

Complex Ownership Structures

Restaurants, hotels, and other companies in the hospitality sector often have complex ownership structures in which there’s a franchisor, an individual owner or group of owners, and a management company that acts as the operator. Each of these groups may use different computer systems to store information, and the information can also frequently move across those systems.

A case in point was the Wyndham Worldwide breaches of 2008 and 2010. Hackers gained access to the systems of an individual operating company through easily guessed passwords, and the attack easily proliferated through the entire corporate network, with the result that 619,000 customers had their information compromised.

 

Reliance on Paying By Card

The nature of the hospitality industry is such that it is extremely reliant on cards as a form of payment. Restaurants and hotels alike often require credit card details for reservations, and final payment is also frequently made by the same card.

Cybercriminals use this reliance on cards to infect point-of-sale (POS) systems with malware that steals credit and debit card information by scraping the data. In fact, it was reported in 2017 that out of 21 of the most high-profile hotel company data breaches that have occurred since 2010, 20 of them were a result of malware affecting POS systems.

Because this malware can often proliferate or move between POS systems run by the same operator, multiple individual and groups of hotels can be afflicted by these types of attacks, and they can go unnoticed for months.

 

High Staff Turnover

A vital part of protecting data is training staff to securely gather and store personal information. Well-trained staff also know how to recognize social engineering attempts and they understand an organization’s compliance requirements. The risk is that the hospitality industry involves lots of seasonal work in which people might move on after only a few months, or they might be transferred. In the U.K., for example, the job turnover rate in hospitality is as high as 90 percent.

The high level of turnover and high degree of staff movement between different locations makes it a real challenge to maintain teams of well-trained staff. All it takes is one person who isn’t familiar with the importance of data security for a cybercriminal to exploit a hospitality company’s systems and gain access to sensitive data.

 

Compliance

Data security risks in the hospitality industry extend far beyond the reputation hit that a hotel can take if guests’ data is compromised. Industry and political regulators are becoming stricter in governing how organizations process and store personal data.

The GDPR regulation was introduced by the EU in May 2018 as a landmark legislation that aims to return control over personal information to individuals while simultaneously enforcing stricter rules for organizations in protecting such information during any period in which they possess it.

While GDPR protects individual data within the EU and EEA, its ramifications have rippled through industries globally, and organizations are realizing the need to put greater compliance measures in place.

PCI DSS is another important global regulation that protects credit card data, and fines for non-compliance begin at $500,000 per incident. The risk here is not just to data security but to the future survivability of hospitality companies, many of which would not be able to absorb the substantial losses resulting from non-compliance fines.

 

Insider Threats

This type of data risk is more subtle and it involves employees selling data to third parties without the knowledge of the organization that employs them. Such insider threats typically occur to data on customer preferences and behavior, which hospitality companies can collect at multiple touchpoints, from interactions with their website, to form data on booking systems, to review data.

This data could be potentially lucrative when it ends up in the hands of those who know how to use it to gain a competitive advantage.

Best Practices for Data Security in Hospitality

Best practices for companies in the hospitality sector to protect data include:

  • Always encrypt payment card information.
  • Operate a continuous training program in cybersecurity to maintain a well-trained workforce.
  • Always adhere to relevant regulations, such as PCI DSS.
  • Use cybersecurity measures such as firewalls, network monitoring, anti-malware, and traffic filtering to protect against common threats.
  • Conduct tests against your organization’s cybersecurity defenses in which you mirror the behavior of an actual hacker.
  • Know where your data is and enforce the principle of least privileges to limit access to sensitive information.

 

Wrap Up

With a full understanding of the main data security risks and some best practices for mitigating those risks, organizations in the hospitality sector are better placed to implement a comprehensive information security strategy that entails the necessary procedures, processes, and people to improve cybersecurity.