The uptake of online business and internet transactions in recent years has exploded and hotel brands need to be more aware than ever of keeping their own – and customers’ – data safe.
The need for data security was not ignored over time but the fact is today’s cyber-criminals are finding new and increasingly sophisticated ways of stealing sensitive customer data from hotel websites, systems, servers and mobile platforms – even your front desk.
And what could a security breach of your hotel’s systems or that of your partners lead to? Investigations, serious damage to your reputation, and loss of consumer trust, to name but a few immediate consequences – not to mention thousands of dollars in penalties and fines.
Ask yourself: what if it was your hotel guests’ data that was hacked into?
To match the endeavour of hackers, hoteliers need to pay even closer attention to how they accept, store, and secure customer data and how they use their systems.
In this blog we’ll tell you everything you need to know about data breaches, including what they are, the various ways you could be hacked, the consequences, and how to protect yourself.
Table of contents
What is data security? Watch this first!
Data security is defined by protecting sensitive information and data from being accessed, stolen, or damaged by unauthorised persons. Data security may be impacted by cyberattacks or data breaches and can have serious consequences for businesses.
Watch this video to find tips on how you can keep your hotel safe from data security threats:
What is a hotel data security breach?
A data breach is the release, intentional or unintentional, of private or confidential information to an untrusted environment. In other words, when data is viewed or transferred by someone not authorised to do so, this is a breach.
Data breaches may involve financial information such as credit card or bank details, personal health information (PHI), Personally identifiable information (PII), trade secrets of corporations or intellectual property. Most data breaches involve files, documents, and other sensitive information.
Data breaches are a concerning and damaging threat to all kinds of industries and businesses worldwide. Hotels are especially vulnerable because they deal with a large amount of personal information from guests and customers. Hackers can take all types of sensitive information from hotels – anything from email addresses to home addresses and credit card data.
The fines for such breaches are steep, but they’re not the only things your hotel should worry about. A security breach can significantly tarnish your company’s reputation in a very public way and many travellers say they will be less likely to book again with a company that lost their data through a security breach.
3 types of hotel security breaches
Here are the most common forms of online security breaches that may occur – along with some tips to avoid a hotel data breach where you are…
Malware is any piece of software that was written with the intent of doing harm to data, devices or to people. Malware is perhaps the most common and most dangerous online security threat thanks to its diversity.
Officially standing for malicious software, malware incorporates many different types of potential dangers to hotel technology such as reservations systems.
Just like a virus you might contract, a computer virus will infect files on your system and then spread uncontrollably, eventually crippling the machine if left unchecked.
Trojans are chameleons, disguising themselves as all types of legitimate software or hiding with legitimate software that’s been tampered with. Once installed, they will then attack the system.
Somewhat obviously, spyware is designed to linger undetected in the background of your system and take note of what you do online. It will look for passwords, payment card data such as credit card information, names and addresses, and other private details.
These have the ability to infect a whole network of connected devices, and then use all of them to infect more, either locally or across the Internet.
Again self-explanatory, this malware essentially locks your computer and threatens to destroy everything unless you pay a ransom to the owner. (Talk about dramatic.)
This is not the most hostile of the group, often it will simply serve you annoying ads or pop-ups, but it can also open a way for other malware to get in.
The problem is that all of these types of malware require slightly different methods of removal and protection if a breach does take place at affected hotels. It’s always good practice to avoid engaging with suspicious emails and clicking insecure links, but the only way to be completely safe is to ensure you have anti-malware and antivirus software installed on all the devices you conduct your business with.
Spam has its origins way back in 1970 thanks to a Monty Python sketch and is the sending of an unsolicited message, mostly advertising via email.
The term can also apply to other media such as instant messaging spam, search engine spam, spam in blogs, wiki spam, online ads spam, text message spam, Internet forum spam, junk fax transmissions, social spam, spam mobile apps, television advertising and file sharing spam.
It’s all very unwelcome usually and in some cases carries more dangerous malware with it.
However, there are plenty of ways to ensure you’re not bothered by spam at your hotel. Here are some tips:
- Avoid opening emails that look like scams or spam
- Never give in to spammers by purchasing something or accepting an offer
- Don’t bother replying. Simply delete and/or block
- Don’t be tricked into clicking. Even if a link is labelled ‘unsubscribe’ it will just confirm the email address is active and encourage more spam
- Use a disposable email address for purposes that may attract spam such as online purchasing
- In fact, be very wary where you put your main email address and who you give it to
- Try to use web contact forms instead of actually posting your email address on your website publicly
- When communicating your email address, present it in a way a person will understand but a spambot won’t. For example, test at test.com instead of email@example.com
A denial-of-service (DoS) attack occurs when a hacker or virus shuts down a machine or network and prevents it being accessed by its intended users. This is usually done by flooding the system with an unprecedented amount of traffic or by sending information that triggers a crash.
The victims of DoS are usually high-profile organisations who people have a slight against.
A few different methods of DoS attacks exist. They include:
- Buffer overflow attacks sending more traffic to a network address than the programmers have built the system to handle
- ICMP floods that leverage misconfigured network devices by sending spoofed packets that ping every computer on the targeted network
- SYN floods that send a request to connect to a server, but never complete it. This continues until all open ports are saturated with requests
DoS attacks are very hard to predict or prevent. Usually solutions depend on countermeasures once the attack has been noticed.
Examples of a hotel data security breach
Some of the world’s largest companies have fallen prey to data breaches, costing millions of dollars in damages. In 2013 Yahoo was attacked and three billion user accounts were compromised. In the same year eBay had almost 150 million customer accounts accessed illegally.
Hotels and bed and breakfast properties have also been key targets of data breaches for many years – and there is one main reason for this: credit card payments. The security breach happens online, because that’s where your guests are making their bookings, or where your front desk staff are making bookings on their behalf. Unfortunately, going ‘off the grid’ isn’t a feasible solution to the issue – the online space is too big to ignore and credit card usage continues to grow.
Seeing as hotels process countless credit card payments every day, it’s important to protect all the transaction details of each payment. If the correct systems aren’t in place, there is potential for a security breach to occur.
Hotels aren’t unique in being attacked by hackers; other travel companies can be affected. Expedia-owned Orbitz admitted its systems may have leaked the personal information of people that made purchases between January 1 2016 and December 22 2017, affecting about 880,000 payment cards.
And while not a strict data breach, Booking.com paid about 10,000 customers who fell victim to a scheme which conned customers out of data.
However, a casual look at a timeline of incidents suggests the hotel industry has been more vulnerable than most. The incidents may have the side effect of deterring customers from trading data with the hotels in exchange for potential benefits of personalised services, a major commercial goal for hotel managers and owners.
Marriott data breach
In 2018 Marriott announced that hackers had attempted to access its Starwood Hotels & Resorts Worldwide guest reservation database. Further investigation revealed unauthorised access to the system as far back as 2014, two years before Marriott acquired Starwood.
A valuable lesson here is that businesses should always scrutinise the cybersecurity and data handling of other companies before they enter into any type of deal. Even though the hack happened before the acquisition, it’s still Marriott’s reputation that is compromised. The same principle should be applied when a company acquires new infrastructure, applications, and systems. While these seem like assets, they should also be treated as potential liabilities.
Estimations said up to 500 million guests, including 327 million guests whose data includes “some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date and communication preferences, may have had their information at risk in the period between 2014 and 2018. Marriott also confirmed some compromised guest data includes payment card numbers and expiration dates.
IHG data breach
Front desk cash registers at more than 1,200 hotels in the InterContinental Hotels Group, which includes the Holiday Inn and Crowne Plaza brands, were infected with malware that stole customer debit and credit card data between September 29, 2016 and December 29, 2016. The company has a network of more than 5,000 hotels in over 100 countries so that could mean more than one-fifth of its hotels were affected.
The malware stole information read from the magnetic stripe of a payment card as it travelled through the affected hotel’s server. That information could have included the cardholder’s name in addition to card number, expiration date, and internal verification code.
The company suggests that anyone who stayed at one of its properties during the time period the malware was present review their payment card statement for any unauthorized activity and report the charges to the credit card issuer.
Hilton data breach
In 2017 BBC News reported Hilton was fined $700,000 for mishandling data breaches in 2014 and 2015.
The company discovered the first breach in February 2015 and the second in July 2015, but first went public with the breaches in November 2015. US federal investigators said Hilton “had taken too long to warn customers and lacked adequate security measures.”
Wyndham data breach
Wyndham Worldwide were involved in a lawsuit after failing to properly safeguard customer information, in a case arising from three data breaches affecting more than 619,000 customers.
The Federal Trade Commission wanted to hold Wyndham accountable for breaches in which hackers broke into its computer system and stole credit card and other details from customers, leading to over $10.6 million in fraudulent charges.
Under the order, Wyndham established a comprehensive information security program designed to protect cardholder data including payment card numbers, names and expiration dates.
Expedia security breach
Expedia subsidiary Orbitz disclosed that about 880,000 payment cards had been impacted by a security breach that potentially exposed customers’ information to hackers.
The travel booking site said an investigation determined that an attacker may have accessed personal information of people who made purchases between January 1 2016 and December 22 2017.
The personal information potentially exposed includes credit card information, addresses and phone numbers of customers. The information attackers “likely accessed” included people’s names, dates of birth, email addresses, street addresses, and genders, Orbitz said.
How to protect your hotel: cybersecurity best practices
No hotel is too big or small to be a target. In fact, smaller independent properties may be even more vulnerable to attack, and less able to bounce back from the loss of reputation and damages paid.
It’s not enough to have an SSL certificate on your website, or rely solely on third-party payment services such as Paypal or Google Checkout to handle your guests’ credit card security. Each program you use must be securely locked down.
After all, sensitive data can be intercepted at any point in your guests’ booking process. For example, if your online booking system vendor is not Payment Card Industry Data Security Standard (PCI DSS) compliant, a wayward employee could easily decide to steal credit card data. This is why PCI DSS standards were invented.
Furthermore, allowing your guests to pay securely helps to stop abandoned website bookings. Worldpay reports that nearly one in five online shoppers have dropped out of an online travel bookings because of security concerns around payment.
If you are not actively protecting your guests credit card data, you are putting your business and customers at serious risk.
Hotel security systems tip #1
Keep your devices and systems up-to-date
One of the biggest risks to security is allowing your devices and systems to go too long without updates and software patches intended to improve and keep them safe. This makes them much more vulnerable to attack from hackers.
The updates issued by your software providers are designed to protect you so it’s important to set your computers to automatically accept and install them periodically.
Tip 1: Regularly backup your data
To eliminate the risk of losing data or having it irretrievably damaged, it’s essential to make a habit of backing it up. This will include financial records, business plans, customer data, personal information etc. Backing up your data is generally easy and cost-effective, meaning there’s no excuse not to do it.
Here’s a recommended strategy:
- Daily backups to a portable device and/or cloud storage service
- Weekly server backups
- Quarterly server backups
- Yearly server backups
Tip #3: Protect against malware and viruses
Often emails, pop-ups, fake accounts and profiles, and actual hackers will try to infect your computer and other devices with software designed to cripple your business or steal from you. Regularly check your bank and billing records to make sure this isn’t happening.
It’s important to install antivirus and anti-spyware and always update when prompted. Additionally you should keep a track of all the equipment used by your business and who uses it.
Educate all your employees on the risks and best practice, and never allow them to take sensitive material home with them, or use personal devices for work purposes.
Tip #4: Prioritise password security
Some easy-to-remember tips here include frequently updating your passwords, never use the same password for everything, and use unique passwords.
Once a hacker has used one password, every account you own could be under attack if you’ve always used the same one. The same goes if you’re using weak passwords that are easily guessed. The best idea is to change your passwords every few months.
Tip #5: Know when to trust your software provider
It’s vital that you don’t take every correspondence with your hotel technology providers at face value. Phishing emails are very good at seeming legitimate when in fact they’re fake emails trying to steal information.
So if your provider sends an email they have never sent before, there could be a good reason not to trust it.
What is PCI compliance?
The PCI Compliance Guide define PCI DSS (Payment Card Industry Data Security Standard) as “a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment”.
PCI DSS has changed the way the travel industry approaches safety standards relating to how credit card payments are handled and processed. The standard is enforced by major credit card companies – including Visa, MasterCard, American Express, Discover and JCB – as part of their merchant agreements.
Designed to help prevent payment card fraud, the standard applies to any business involved in the processing, storing or transmitting of cardholder data, regardless of the transaction volume or dollar value involved. Should a guest use their credit card to pay for something at a hotel, for example – be it a room reservation, spa treatment or coffee – PCI DSS applies to that purchase.
PCI DSS compliance is not a ‘nice-to-have’, but an absolute necessity. A security breach not only damages your reputation, but it could potentially wreak havoc on the lives of your guests, and cost you a significant amount in the way of data breach fees.
Hotel PCI DSS requirements
Here’s your quick start list on PCI DSS compliance for hotels:
- Name an owner or champion of PCI DSS compliance within your organisation
This person within your hotel can work with the various departments to ensure PCI DSS compliance is understood and act as ‘go to’ person if staff have questions.
- Be proactive
Teach staff why data security is important and the impact any breach may have. Show them how they can be proactive in managing security every day.
- Protect physical data
Control access to the back office and anywhere receipts are filed. Provide secure disposal bins or a shredder for disposal sensitive paperwork.
- Proactively manage access to systems
Restrict access to payment or personal data to only staff who require this information to do their job. Use individual logins and access codes to systems.
- Check your vendor’s approach to data security
Clarify the role vendors play in terms of compliance with data-related standards, and seek PCI DSS compliant partners.
- Secure online booking data
While you may need a paper copy of a reservation, do not print credit card details of customers from your online systems. Select an online booking engine that is fully PCI DSS compliant.
To help businesses determine their level of PCI DSS compliance, the PCI Security Standards Council provides various Self-Assessment Questionnaires (SAQs) online, as well as professional training for firms and individuals.
The cost of becoming PCI DSS compliant depends on a number of factors, including the size of your business, existing IT infrastructure among other factors.
To achieve PCI DSS compliance, follow these steps:
1. Speak with your acquiring bank(s) to determine the correct SAQ for your business
(e.g. Visa, MasterCard, AMEX)
2. Complete the appropriate SAQ for your business
3. Submit the SAQ, evidence of a passing scan (if required), the Attestation of Compliance
and any other requested documentation to your acquiring bank(s).
HTTPS website security for hotels
Creating a safe hotel website experience should be treated as a duty of care for your guests; can you imagine the consequences of a traveller being defrauded via your website? There’s also the very real danger of travellers abandoning or not even landing on your homepage in the first place.
The majority of websites use SSL encryption to protect any data that’s transmitted between a website and a shopper.
The SSL encryption requires a secure form of communication between a website and the consumer, known as HTTPS – where the ‘s’ stands for secure. This is indicated to the user in the URL which displays ‘https’ in place of the standard ‘http’.
It also shows the padlock symbol on the left-hand side of the URL bar which reassures people their data is secure when entering bank details or viewing their account online. It looks like this…
What does it mean for your hotel’s website?
Basically, Google shows a huge bias towards websites that are HTTPS secure. In fact, if your website isn’t secure, Chrome will actively warn users it isn’t safe and could even restrict access to your website pages.
The reality is at some point you will probably collect data from visitors, even if it’s just an email address. It’s also been proven that HTTPS sites will load faster than HTTP, another factor influencing user experience.
Surveys say 84% of users would abandon a purchase if data was sent over an insecure connection, and a large majority are concerned about their data being intercepted or misused online. So, if you’re a hotelier that wants to convert direct bookings and maintain a high ranking on Google’s search results, it’s vital you’re HTTPS secure.
In the psychology of a prospective guest, seeing that little green padlock will give them peace of mind and an immediate sense of trust in your hotel business.
How to make a website HTTPS secure
The steps to follow when migrating your website to be HTTPS secure include:
- Host your website with a dedicated IP address
With a dedicated IP, you ensure that the traffic going to that IP address is only going to your website and no one else’s.
- Buy an SSL certificate
An SSL certificate will prove your website is your website. When people visit your site via HTTPS that password is checked, and if it matches, it automatically verifies that your website is who you say it is.
- Activate the certificate
Your web host may do this step for you – check with them before proceeding. This can get complicated and if you can wait 1-2 days it may be best to let them do it.
- Install the certificate
- Update your site to use HTTPS
At this point if you go to https://yoursite.com you should see it load! Congrats, you’ve successfully installed SSL and enabled the HTTPS protocol. Keep in mind that you only need to protect a few pages, such as your login or checkout. If you enable HTTPS on pages where the user isn’t submitting sensitive data, it’s just wasting encryption processing and slowing down the experience
One of the easiest ways to ensure your website is secure, along with many other benefits, is to invest in a professional website builder tool. These solutions will automatically come with secure encryption and will also help you maintain a functional, SEO-friendly, and charming hotel website.
The beauty of using a customisable website builder is that you’ll have your brand new website within days and it will automatically keep up with Google’s updates as time goes by.
The rise of the hotel credit card breach
Global online travel sales are forecast to hit US $817.5 billion by 2020. Furthermore, statistics show that 74% of travellers from the US alone make use of credit cards while travelling – citing convenience, theft protection, and easier tracking of purchases as the top reasons.
According to data from payment systems industry information provider Nilson, credit card use in the US jumped 42% from 2012 to 2018, accounting for US $120 billion in transactions.
Unfortunately, these transactions are vulnerable to cyber-criminals who specifically target travellers with disposable incomes. Indeed, hotels are an active hotspot for credit card fraud; according to a study by Trustwave’s SpiderLabs, of 218 data breach investigations from 24 countries, 38% of the attacks occurred on hotels and, of the data stolen, 98% was credit card information.
How hotels can avoid credit card fraud
With so much travel now being booked online – and through a variety of channels – the opportunity for hotels to increase sales is getting bigger all the time. However, it also creates challenges in making sure customer payment data is protected and that no breach occurs at the hands of hackers or fraudsters.
The vast majority of security compromise (91%) occurs at point-of-sale systems and is most often Card Not Present (CNP) fraud.
Because CNP transactions are so prevalent in the travel industry and much information is exchanged between hotel and customer, it’s important to know when you might be at risk and how to prevent any data breaches from happening. Since guests expect a hotel to be a safe place to escape to, even a single instance of failing to protect a customer’s data could have huge ramifications on your reputation and finances.
Here’s what to look out for:
It’s common for fraudsters to contact you in a panic, wanting to rush to set up their accommodation.
It’s important you don’t get flustered. Take the adequate time to verify their credit card, passport details, and other relevant documents to make sure they’re genuinely are who they say they are.
Take the adequate time to verify credit cards, passport details, and other relevant documents to make sure people genuinely are who they say they are.
It makes sense to be more cautious of people who haven’t booked with you before. With regular customers you can build a relationship and learn their purchase habits.
Be aware of a first-time customer who contacts you online to make a large purchase. Collect all the necessary verification information. For greater security, adopt a payment solution that is designed to capture transaction data in an intelligent manner.
These days many fraudsters have become adept at hiding their true location and stopping themselves being tracked.
If you do have suspicions about a customer, do everything you can to verify their legitimacy, including calling and emailing them to collect data and confirm their identity.
One of the biggest warnings that everything is not what it seems is when someone wants to use different addresses for billing and shipping, which may not apply as strongly to hotels but is very relevant for the travel industry in general.
5 best practices for keeping your hotel data secure:
1. Use systems that can secure your customers’ cards
You need to utilise a system that can send and receive card authorisation digitally and store it all securely in one place.
2. Inform all managers and employees of company policies
Every employee should know the policies at your hotel regarding compliance and safe handling of customer information. They all should be trained on the software you use and have a consistent process to follow each time a purchase is made.
3. Protect your point-of-sale systems
Make a point of investing in the latest cyber security tools including encryption, anti-virus software, and firewalls to safeguard against POS attacks and other malware hackers may target you with.
4. Comply with PCI security
The PCI Security Standards Council fights hotel credit card fraud by maintaining global payment card industry standards. Ensure your hotel is committed to PCI compliance.
5. Vet third parties
Your hotel may often deal with airlines, car rental companies, retail organisations, hotel technology providers, and other suppliers. Make sure all these partners – which become access points – are committed to information security best practices just like you.
Email phishing scams
Given 15 million online hotel reservations are made on bogus third-party sites every year, travellers and guests are on high alert about being scammed.
These rogue websites trick people into thinking they’re reserving directly with their hotel of choice then go on to steal their information and money.
However, travellers aren’t the only people in the industry who should be worried; your hotel business is just as much of a target as anyone else, and you need to be aware of what phishing is and how to stop it.
Almost 80% of organisations report they had been the target of a phishing attack each year.
Let’s go through what it is, what it may look like, and how to prevent your hotel falling victim to email scams and phishing.
What is a phishing scam?
As the name suggests, phishing is quite similar to ‘fishing’ although far more malevolent.
Whoever the phisher or hacker is attempts to lure their target into opening a malicious download, clicking on fake links, or entering personal information in order to steal data or identities. The end goal, of course, is to make money at someone else’s expense.
In the case of a business like your hotel, the most common form of phishing would come via email. Likely to be posing as a friend, co-worker, manager, or trusted company the email would make a seemingly reasonable request to open an attachment or verify information but would then infect your computer and capture valuable data.
Phishing email example
Often a phishing email will look very similar to a normal email you would expect to receive, which is why people can get caught out.
Usually the email subject will be around changing a password, discussing transactions, updating information, important notifications etc.
Consider this example of a phishing email from scammers posing as eBay:
Seems perfectly legitimate on first glance but it’s hiding some concerning secrets.
Here are some clues that may indicate this is a phishing email:
- It’s simply addressed to ‘sir’, rather than anyone in particular
- The threat of account suspension – if eBay truly believed the account was being used for fraud they would suspend it immediately
- Spelling and grammar errors – note ‘advise’ is misspelled as ‘advice’. Phishing emails commonly contain errors like this
- The link reveals itself to be a fake website if you hover over it, instead of clicking it
You should also carefully check the incoming email address. Sometimes it’s complete nonsense, but often it will closely mimic the real address it’s passing itself off as.
Looking for these clues will help your hotel to avoid being caught by these online scams.
How to prevent email phishing attacks at your hotel
It’s particularly important you keep your data safe as a security compromise could also endanger the information of your guests, which could do catastrophic damage to your hotel’s reputation and brand image.
There’s a whole range of actions you can take to reduce the amount of phishing emails you receive, and also how to make sure you delete them immediately if they make it to your inbox.
Here’s a list of preventative measures for any email you suspect might be fake:
- Ensure anti-spyware, anti-virus, and anti-malware tools are installed and up-to-date on your systems
- Make sure all your applications are regularly updated
- Check the spelling and grammar of emails you receive
- Test links and attachments before opening them
- Pay close attention to email addresses and the specificity of email content – authentic emails will include your name, account information/numbers etc.
- Be wary of fake login screens trying to capture information – the website URL will not be legitimate
- Run an education session for all hotel employees, since less informed staff members may take the bait
Once you know how to spot general phishing emails you should be relatively safe from harm.
There are more complex attacks, known as ‘spear phishing’, which target high profile figures (whales) such as celebrities, but these should affect your hotel far less.
6 hotel data security tips to action now
Don’t forget these six expert tips outlined in the video at the start of this article.
1. Set up anti-virus software such as Windows Defender on your computer and make sure it’s up to date.
2. Don’t use email accounts shared between employees, for example firstname.lastname@example.org, to log in to any online platforms and solutions. If an employee is accidentally careless online with the shared password, it can make you that much easier to hack.
3. Try not to use an email address listed on your site as your online system login or username. That potentially makes it easier for a hacker to identify you as their target.
4. Turn on the 2-Step Verification (or multi-factor verification) setting for your email account, Google, Microsoft and many others support this feature. 2-Step Verification is an extra layer of security, and will help keep hackers out, even if they manage to find your password – 2-Step Verification requires an additional piece of information that only you could know, like a generated code via your mobile phone or a personal security question. This is in addition to your username and password.
5. Schedule monthly reviews via HaveIBeenPwned.com (HIBP) to check if your email account has been involved in a data breach that you might not even have known about. You can subscribe to HIBP to be alerted of any future breaches. Go on, try it now – you might be shocked to find your email there!
6. Do not reuse passwords on different business-related accounts. Ideally, use a different, complex password for each online account you have where you have sensitive customer or financial data processed.
This can be a hassle, but for a monthly fee, most password manager solutions, like 1Password.com, can make it simple by helping you remember all your passwords through their app, helping you to keep account information safe without worrying about forgetting many passwords.