Why hotels are so vulnerable to data breaches

Data breach on a computer.

Data is the backbone of a lot of industries. Hotels are no different, as all accommodation providers can benefit from understanding their guests’ behaviours and offering them personalised solutions and services. With loyalty programmes and all sorts of other initiatives which gather and collect data, hotels have become particularly vulnerable to data breaches.

In a widely publicised ordeal last November, Marriott had 327 million users’ data stolen, and as a result, now faces a class action lawsuit. Marriott International’s shares dropped 5.6 percent in the first week alone. And while this is the most high-profile incident of a data leak in the industry, it’s far from an isolated incident.

In August 2018, data from 130 million customers was leaked, the biggest reported data breach in China since 2013. In that case, the hacker tried to on-sell the data for profit on the Dark Web. Hilton Hotels was attacked in 2014 and 2015, with over 363,00 accounts exposed. Similarly, to the Marriott hack, Hilton hadn’t publicly acknowledged the data breach. Hyatt Hotels were hacked in 2015 and had credit card information from 250 locations stolen.

The list could keep going.

Hotels are particularly vulnerable because of the widespread nature of a hotel’s marketing and sales processes. Online reservations, loyalty programmes linked with credit cards, guest surveys, personalised add-on schemes, and especially front desk payments are all points which are being targeted by data hackers.

Additionally, the more services on offer, the bigger the threat. If one part of an interconnected hotel is breached then the rest could very quickly be affected, making for a very strenuous recovery. In Hilton’s case, the company was fined $700,000 (USD) for not sufficiently protecting data or warning customers about the situation. Marriott’s forthcoming lawsuit is poised to be much more expensive given the scale of the breach.

According to Verizon's 2018 Data Breach Investigations reports, the main threats of hotel data breaches are from hacking and malware. In the accommodation industry, most breaches occur at the point-of-sale, 90 percent. It works with remote attacks aimed at places where retail transactions occur, and both the terminal and the user itself are targeted with either hacking or malware.

In Hilton’s case, malware had infected some of its cash registered computers and attempted to send that credit card information to an external computer. But because of the non-traceable tools the hackers used, investigators could not figure out exactly how the malware had got there in the first place.

Unfortunately, most data breaches aren’t discovered until they have been prevalent for months. Furthermore, it’s normally an external organisation tracking back common points of purchase for customers with stolen data or law enforcement.

Even when a breach is discovered, it’s almost impossible to identify exactly how many people have been affected. In cases like Marriott’s where it took a matter of years for the hotel to discover the flaw, the best the company can do is determine the maximum number of people affected.

Natasha Ching, product manager, at payment processor SmartPay suggested limiting access to devices that deal with secure information.

“Businesses that need to collect customers payment card information (e.g. keep a record of credit card details) must ensure that they have good processes in place for safe handling, storage and also disposal of that data. Access should be limited to staff who require this type of information and these people should be trained in the processes and consequences of security breaches,” said Ching.

A lot of the time, data breaches simply come down to human error. Someone working on a vulnerable computer will install something they shouldn’t or leave secure passwords in an easily discoverable place. On rare occasions, there will be a rogue insider who will intentionally run malware and steal information, but most of the time, human error is to blame.