With the advent of technology comes a responsibility on behalf of hoteliers to be aware and protect against a possible hotel data breach. A data breach, also known as a data leak or unintentional information disclosure occurs when information is intentionally (or unintentionally) released to an untrusted environment. It typically refers to secure or private and confidential information. 

Within Europe, protection of sensitive information is taken very seriously, and in 2018, GDPR, one of the toughest laws in the world, was implemented in order to protect sensitive data and security. 

In this article we will discuss hotel data breaches, including the most frequent kinds of breaches in the hotel industry, and how to improve your hotel data security.

Table of contents

What is a hotel data breach?

A hotel data breach is essentially when the private information of guests and customers falls into the hands of the wrong people, either unintentionally, or intentionally (typically by hackers). 

The type of information that’s typically leaked is financial information such as credit card or bank details; personal information such as emails and home addresses; or even hotel trade secrets in the form of files, documents and other sensitive information. The details are viewed or transferred to someone unauthorized to view such information. 

Not only is this kind of breach harmful to a hotel’s reputation, but hotels also run the risk of losing clients who are wary of booking with a hotel with subpar security standards. Furthermore, hotels can incur hefty fines.

What are the most frequent data breaches in the hotel industry?

Hotels are frequent targets of data breaches due to online bookings and even bookings made on behalf of the front desk. Furthermore, they process lots of credit card payments, making them all the more vulnerable. Many of the world’s largest companies have been subject to data breaches like Expedia and Yahoo, leaking personal information of people that made purchases by credit card or were conned. Let’s have a look at the most frequent kinds of data breaches in the hotel industry.

Malware and memory scraping

There are several types of data breaches that are caused by malware. Malware is a type of harmful software aimed at gaining access to sensitive information. Malware can take many forms such as Trojans, viruses, worms and adware, among others. The different types of malicious software spread differently. 

Trojans pretend to be legitimate software, but once they’re installed will attack the whole system. Viruses, on the other hand, are a piece of computer code that inserts itself into another program, and then will affect a computer like a human virus, spreading slowly to the whole system. Worms are a piece of malicious software that reproduces itself and infects the whole network. They can be spread locally or across the internet.

Memory scraping, also known as RAM-scraping, is a type of malware that is installed on a device by hackers in order to access credit card numbers from point-of-sale machines. Essentially the memory is scraped from digital devices in order to collect sensitive information.

By installing different kinds of malware, whether it be installed on a computer by the attacker themselves or as a mistake by hotel staff, or by accessing the computer physically or through remote administrator access through the Wifi network, the end goal is to get information for profit. These different types of malware are installed by hackers, essentially to get a hold of guest’s personal information such as addresses, credit card information and other guest details which can be used for the hackers’ profit. 

Denial-of-service attack

A denial of service attack takes place when a hacker shuts down a network or a specific machine. This DoS attack is oftentimes provoked on the hotel Wi-Fi network, and aims to temporarily or indefinitely interrupt the operations of the hotel’s services that are carried out over the Wi-Fi network. The hacker essentially overloads the system with traffic or sends information that causes the system to crash and thereby leak sensitive data.

Eavesdropping attacks

Eavesdropping attacks are a method hackers use to obtain access to confidential details, including passwords and session tokens over a Wifi network. They do this by monitoring and/or interfering with the communication channel or gathering information by surveying the session packages. The information they access by eavesdropping can be used for the hackers’ profit or for sale to competitors.

Spam or phishing

Spam and phishing can affect hotels in the way that a hacker can pose as a reliable source such as a hotel, asking for sensitive data and pretending to be the hotel. This can severely damage the hotel’s reputation because the customers trust the hotel to guard their personal information carefully. 

How to improve your hotel data security?

Improving hotel data security is an important step all hotels need to take in order to protect themselves from possible attacks. Keep reading to find out some steps that can be taken. 

Make sure hotel equipment is only used for intended purposes

A good way to prevent information from leaking is to only allow the hotel computers and business devices to be used for their intended purposes. For example, if employees check their personal email or social media accounts, it’s easier for malware to be installed accidentally or for employees to fall for phishing attempts to their personal accounts. It’s recommended that point-of-sale computers are used only for this purpose and for no other. 

Back up data regularly and keep systems up-to-date

Backing up data such as financial records, business plans, and confidential customer information to a backup server separate from the main system is a good strategy. Back ups should take place on a daily basis to a cloud storage, followed by weekly, quarterly and yearly server backups. In the case you were attacked then you would have the data available on another server. It’s also important for your devices and systems to be regularly updated with anti-virus software to keep them safe.

Compartmentalize networks

The best practice to avoid breaches is to compartmentalize networks for their respective purposes. For example, you don’t want guests connecting to the same Wi-Fi as the network used for your hotel PMS. As many hotels nowadays provide free Wi-Fi, it’s important that you have a designated Wifi for guests and a separate one for the corporate network as letting anyone connect to your corporate network can leave hotels vulnerable. Furthermore, mobile phones and devices used by staff should be limited to the corporate network via firewalls. 

Use secure passwords

Password security is fundamental to preventing data breaches. Make sure to frequently update your passwords, and use unique passwords for each program. If you don’t use different passwords for different accounts, then the hacker will be able to access all your accounts more easily, so change your passwords monthly, using a password generator or other smart tool. Don’t just use variations on the same password every time.

Education is key

Educate your staff about possible breaches. It’s important that employees recognize phishing attempts in order to protect them against attacks, and learn how to detect and deal with problems to minimize potential damage to the hotel’s data and reputation.

Conclusion

We’ve looked at what data breaches are, the different kinds of breaches and some tips on how to avoid them. Hotels are a likely target for hackers as they deal regularly with sensitive data and transfer of information. However, this can be remediated with the right PMS such as Mews. Transactions like payment requests have double authentication set up and hoteliers can protect information by having facial recognition turned on when they log in to their Mews session, among many other features designed to protect your properties.

By implementing some important protective measures such as secure passwords, compartmentalizing networks, regular backups and using designated hotel equipment only for designated purposes, data security breaches can be avoided.