The hospitality industry needs personal data to be successful – but that comes with a price. If you’re collecting or processing personal data, you’re responsible for securing it. The hospitality industry relies on the feeling of being secure, in every aspect of guests’ visits. Organizations within the hospitality must consider why they’re a target for cybersecurity attacks, which data privacy and security frameworks and regulations apply to them, and what challenges they will face.
The more details that a hotel or a travel agency knows about guests, the better – right? It can provide a more personalized experience, hopefully making a loyal client. Plus, some data is needed for booking or payment purposes, like cardholder data, passport numbers, driver’s license information, or rewards numbers. Every business has an asset that they can’t bear to lose, and for the hospitality industry, that asset is personal data. Every day, the hospitality industry is expanding the ways they collect personal data.
Data collection inherently makes the hospitality industry a target for hackers and cyber attacks. For local hotel chains or bed and breakfasts, it may not seem like the amount of personal data collected would be significant. For worldwide chains, though, like Wyndham, Marriott, or Hilton, their data is their biggest asset. When Marriott’s guest reservation database was breached, the names, mailing addresses, phone numbers, email addresses, passport numbers, rewards account information, dates of birth, gender, arrival and departure information, reservation dates, communication preferences, and encrypted payment card numbers of up to 383 million guests were compromised – making it one of the largest known thefts of personal records in history.
Because hotel and resort chains span countries and continents and hold things like gift shops, restaurants, and bars, it makes them an ever more lucrative target for hackers. If a hacker can get into just one location’s gift shop or front-desk system, they can access a whole lot more. We rarely see a cyber attack sticking to one location. If a hotel is connected to casino, both could be compromised. If a restaurant is connected to a resort, both could be compromised. The list goes on and one. In 2016, malware was installed on the payment card processers of restaurants at hotels managed by InterContinental Hotels Group (IHG), impacting 1,000 hotels. Where are the places in your organization that are connected to something bigger, something that would attract a hacker?
Every vendor relationship poses some level of risk, but especially in the hospitality industry. Instead of directly hacking a resort, casino, or travel agency, a hacker can attack one of their vendors as a route to get to them.
Sabre Hospitality Solutions provides a third-party reservation system to hotel companies like Hard Rock Hotels & Casinos, Four Seasons Hotels and Resorts, Trump Hotels, and Loews Hotels. In 2017, when Sabre’s SynXis Central Reservations system was breached, so were these companies. Hard Rock reported 11 properties worldwide were impacted by the breach, Trump Hotels reported 14, and Loews Hotels reported 21. When you enter into a relationship with a vendor, you accept the risks that they bring you. The amount of vendors that the hospitality industry interacts with – from security cameras to point-of-sale systems – poses a real cybersecurity challenge for protecting personal data. What do you do to ensure you partner with secure vendors?
There’s always a human element to hospitality – and cybersecurity is no different. When a breach involves insiders, one in five times it’s due to human error. With the rise of BYOD policies, phishing attempts, and the inherent need to accommodate guests, your employees must be aware that cybersecurity is everyone’s job.
There are so many elements that go into securing personal data – information security frameworks, security and privacy regulations, information security programs. Even when you are breached, you must respond in the appropriate way; Hilton was fined $700,000 for mishandling 2014 and 2015 data breaches. If you need help deciding whether or not the personal data you collect is secure, contact us today.