How safe is your hotel and its guests? With technological advances in the hospitality industry designed to make the guest experience more pleasing comes a hidden danger of data theft.

Hotels and hotel companies need various security technologies to prevent malicious attacks as they maintain a huge amount of personally identifiable and financial data on file. This includes sensitive personal information that can be used to steal a guest’s identity. What are the tactics that hotels are using behind the firewall? Donald Gasper talks to some experts.

Hotels are expected to maintain the physical security of their guests. If the guests do not feel secure in their rooms they will not bring their custom to the hotel or the hotel brand.

“This need for physical security applies to data security as well,” says Robert E. Braun, a senior member of the Global Hospitality Group at Jeffer Mangels Butler & Mitchell LLP (JMBM). “Hotels must make guests feel that the hotel they visit is as concerned about their personal and financial data as they are about their physical security.”

Hotels must protect the massive amounts of data that they hold, as it is the key to their competitive survival, stresses Braun, who is co-chair of his firm’s Cybersecurity & Privacy Group.

Robert E. Braun

Hotels are the source of data theft

“Yet hotels are actually the most likely source of data threat,” he says. “There are a number of reasons for this vulnerability, including the prevalent use of vendors with access to hotel systems, a large and undertrained workforce, the use of legacy systems and the failure to follow key security procedures, such as updating software regularly.”

He says that hotels can transform themselves from being the most likely source of data theft to becoming the model for data security.

Braun says that at a recent panel on hotel security, panelists noted that each of the major hotel breaches in 2015, which involved every major hotel chain, implicated point of service credit card systems that complied with industry standards. Hence there is a need to look further than just ticking boxes and complying with standardised requirements.

However, he warns that while much of the focus is placed on the threat to credit card numbers, hotels must consider other risks.

“Hotels need to consider more than data; the interconnection of systems means that breaking into a financial structure can give a hacker access to door locks, heating and air conditioning systems, electrical, plumbing and other key structural and physical parts of the hotel. What would happen if a hacker flooded a hotel, or opened the doors? This damage can far exceed the damage from lost credit cards and could cause untold damage to the hotel, its brand and owners.”

Hotels can only achieve security for guests and integrity for their own data by creating a culture of security at all levels, Braun argues. And the key to this is the human factor: Hotels must train their personnel at all levels to minimise incidents and create a safe environment.

You and your guests are at risk

“From keycards and apps to PMS systems and guest internet, you and your guests are at risk,” warns Daniel Lister, CEO of Danmagi.

It is surprisingly easy for anyone with a card reader to quickly gain guest data, but easier targets for data theft also exist, he says.

Guests often sit and relax in the lobby or lounge areas in the unwitting belief that the hotel has done everything to ensure their safety. While the hotel “might” have selected IT solutions with high security, it is more likely that the human factor has made everyone vulnerable. The cause could be a budget cut, finance overruling, the selection of a lesser product, or a poor installation and missing IT skills.

“Also, there has been a big increase in hotel staff using guest details, name and email for their own benefit, mostly used to gain access to the WiFi so they can browse their social media, but where does it stop? The WiFi providers should be able to track and identify the rogue user but it still comes as a shock to the guest to know the person in front office has their details.”

Daniel Lister, CEO of Danmagi

A poorly installed WiFi network will allow those with a criminal mindset to easily hack multiple guest devices. Poorly configured networks are more common than safe networks. This is often simply down to inexperience.

Hotel kiosk solutions are still one of the biggest sources of data theft. Guests will often print a boarding pass, rent a car, book an experience or check their social media. If the kiosk computer is not correctly managed, it is very easy to add a key-logging device or even pull the data directly from the computer. Within a few weeks, you could have a considerable amount of guest data. “Seek advice before it is too late. The hotel is liable,” says Lister.