Transcript
Introduction
Hi, everyone. Welcome back to another Matt Talks. This week, I wanted to talk about cybersecurity, a topic that you should all be passionate about, but possibly are not. And I'm hoping that Josh can get us excited about this particular topic.
Josh, thank you for joining.
Thank you. Good pleasure to be here.
So you're a hotelier. Right? You've gone through a lot of years of working through the trenches of hoteliering to get to where you are today. Can you give us maybe a little hint of all of the jobs you've done in hotels?
Absolutely. So I started working with Accor back in two thousand and sixteen, for Novotel. I worked at the front desk, just as a guest service agent, moved to sort of like a hybrid role between front office and food and beverage. So using an on premise PMS, an old school POS.
Then I moved into sales. That's why I became a sales manager. So looking after conferences, events again.
A really tough old school system there as well.
Well, I'm just thinking about it.
Disempowers.
Oh, if I can remember it was Digi. I think it was called.
I've never worked there with that one.
Not a fun one.
But then yeah. Then of course in two thousand eighteen I moved to Penta Hotels.
Started as a guest service manager there. So looking after everything operational in the hotel.
Looking after food and beverage, front office, kitchen, housekeeping, maintenance, which was really good fun. And then in twenty twenty two moved to our central support office in Frankfurt, but from home in the UK.
Oh, that's nice.
So, yeah.
But your entire architecture today is in the cloud.
If you're working from home, I'm assuming you're just in cloud systems today?
Mostly. We have a couple that we're still phasing out.
Door lock systems or like what are those systems?
Door lock systems, financial ERP that we're trying to give away. Of course.
That's the other one.
Yeah. But mostly now at this stage, because we've just, I'm really pleased to say, as of last week, finished our rollout to Mews.
Nice. Congrats on that rollout. It's taken us a very long time from the first pilots to getting the entire chain rolled out. But it's been a personal passion project for me to get really involved in this and I just love the energy that I've been feeling from the brand and how you've embraced what we brought to you. So thank you for doing that so successfully.
Yeah. Thank you though. It's been a really exciting three months. It's not been easy. It never is.
Yeah.
But no. With the right attitude, it's all possible.
And I think, honestly, now the fun starts because now you've got the right system in place to start building on top of it. And I do genuinely think that it only gets better from this point forward.
Yeah. I think that's the biggest thing the hotels have noticed. It's the fact that we can say, hey, we can actually just build on this so quickly compared to before where we were like, oh, if we want to develop something or have our PMS partner add something in, we have to wait six months. Yeah.
You know, I'm like, hey, I can actually activate this integration in ten seconds. You know? It's mind blowing for them. It's really crazy.
And your job title is operation systems manager.
Whereas most hotels will have a traditional IT department that manages the printers and the computers, and the server, but like your role sounds like it's something different than an IT role. Can you explain it maybe?
Yeah. So we have a digital department who focuses really on everything, sort of core IT, so the actual hardware, the network aspect.
But what we did is we then split off a systems team who are the real experts, I say experts, but experts in the field because we know so much about all of these systems such as PMS, POS, how to really utilize them best because we've lived and breathed them. You know, for me I've used PMS as I said for ten years now. Yeah. And yeah then I have my colleague with me and she is also really good. So we have these experts in the field who are great to go into the hotels and know exactly what we're talking about and really tackle and develop and build on these systems. Nice. Compared to just having a typical IT team who are maybe network experts, but not so much a hotel expert.
Yeah. Cloud software experts. Yeah. That understand what happens in the operation and what systems you need to support that.
The cyber attack incident
Yeah. So today's topic is around security. And I remember twenty twenty one was the year that you guys had quite a bad cyber attack. Can you share what happened?
Yeah. So it was on October seventh twenty twenty one, which was the day my son.
Now you remember that date forever, right?
Yeah. It was the day my son was born.
Oh, that's why.
Yeah.
So it was a great day and a terrible day at the same time. I remember I was in the hospital.
My son had just been born. Everything was great. And then all of a sudden my phone's going crazy, and I'm like, hold the baby. Let me just check what's going on.
And then I just saw, hey. We've been hacked. Everything's not working. Everything's down. And at this time, I was working in one of the hotels.
So from my side I wasn't working centrally, but the messages just started rolling in from our central department. They were like, take every piece of hardware you have, every computer, every laptop, throw everything in the bin. And we were like, what on earth is going on? And at the time we were using an on premise PMS.
So we were like, but how can we work? They were like, you can't. They were like, we have to stop working. Shut everything down.
Shut the doors. Kick everyone out. Done. Wow. It's like, this is crazy.
So, as we asked, how had they gotten access to the systems?
So it was what we call an old school MPLS setup. So multiprotocol label switching. So basically we had a network technology where basically everything goes through each other. So all the networks went through each other. So basically as soon as these hackers got access into one element of our system, they had access to our whole infrastructure.
And from there, they just walked freely through our whole network.
And they just breached one person's access to that network? Or how did they get in? Yeah.
It was literally just through one singular access. And then as you said from there, they had access to every server, every virtual machine, every computer.
They deactivated our antivirus, and then that's when they put the ransomware in.
So That's crazy.
And then I'm imagining if you're running a hotel, then you have no system to check people in. You probably didn't even know who the guests on arrival would be unless you had printed the backup reports.
Yeah. Luckily, this was quite a strict protocol we had in the hotel service. At least back in the day, this was one of the things we considered top cybersecurity.
But now I look back, it's crazy. But, yeah, I mean, just for that one day, we had at least the arrivals report. But I remember we had to go to the local supermarkets, we had to buy supermarket laptops, we had to connect our key encoders by VGA cables. Just nothing was able to stay on the network at all. We literally managed everything from what time.
How many days?
This was a whole week we did this for.
For the entire chain?
Yeah. Every single hotel across six different countries.
So then coming out of that, like, once you start coming online, you start to run an after action or postmortem, we call this at Mews, where we start, like, how did this happen, but how do we prevent it going forward?
What came out of those meetings? Like, what was the biggest strategy change that you guys had saying we need to change the way we think about technology?
Yeah. I mean we completely overhauled everything. We then got working with an external IT partner and really changed our IT team from sort of just IT people to sort of digital experts.
And we had to build like what we call these six pillars and now it's such a really important topic.
Because we now have these six pillars which is, to protect, to prevent, to detect, to respond, recover, and review.
And under each of those I think we have like twenty, twenty-five different steps and elements that we've put into place to really control everything regarding security.
Current security measures
And do you feel you're in a much better place today to prevent this from happening again?
Oh, yeah. I think so now. If we talk in terms of like protecting, we have everything from like conditional access to like IP restrictions and web content filtering.
Then we have detection.
You might not understand what you're just saying.
What is an IP restriction for example?
So for example, what we say is we know everyone works out of our hotels in Germany, for example. If one of those people picks up their laptop and flies over to Canada and then tries to log in, they won't be able to. Because we're like, we need to detect where something is not very common, something is not normal.
And when we see that we're like, no, you can't do anything. First, it needs to go through checks and approval to make sure you can work.
Wow. What other things did you put in place?
So I think as well, obviously, like, network scanning, monitoring. So literally, we have now a third-party company who's literally constantly monitoring the entire network. So every user, every computer, anything that's flagged that is even remotely, you know, dangerous, then it looks like instantly they will shut down that whole device or that whole user.
And does this happen often that you shut someone out of their device?
I think now every day.
Every day?
Yeah. Because it's unbelievable how much happens now.
We see it with, like, deepfake scams and one person's email gets hacked and then the CEO is sending out an email asking for you to transfer a million euros. It's unbelievable.
Yeah. But do you see that team members are now hyper aware of it or does it require constant training?
I think more so at a higher level it's very well known but the further down the scale you go the more people are just like, oh you've enabled two factor authentication. This is so annoying. This takes so long for me to log into my system. I'm like, yeah, but if you actually saw behind the doors what we're doing and why we're doing it, and I think that's the awareness we're trying to push.
Because how do you bring people along that journey? Like through storytelling people like, oh, okay. So there is a history here. There's a reason why we're doing this. How do you bring people along? Because it is such a difficult topic to get people engaged on.
Yeah. So we do an annual sort of sad review of the event. So every seventh of October, we sort of bring it back up and say, hey, this happened.
This is our sad moment in history.
But on top of that, we also have, like, typical training, but we try and do it in a more engaging way. So we have this really cool partner that uses a much more engaging sort of training software. So it's like multiple choice. It's more engaging quiz questions than just your typical slideshows. Yeah.
And then our IT department also do a fantastic phishing campaign attempt.
Every week or every two weeks, they'll send a fake email out to everyone. We see how many people click it, how many people open the attachment.
These things are really cool to see. The more we go along, fewer and fewer people are clicking those things.
Because how would you recommend because you had a critical event in twenty twenty one that you can storytell throughout the company and to create that awareness. But a lot of hotels might not have had such a major critical event. How would you recommend that they broach this topic and get people talking about security settings etcetera?
I think the biggest thing that they should consider is not going from experience but what would we do in the scenario that it did happen? Like really try and put themselves in the frame of mind of imagine tomorrow that we lose access to everything. That someone puts an encryption on all of our data and we have to pay them or they're asking us to pay them.
Yeah.
How would we handle that? And if they're like, oh, we don't know, then you have a problem. Yeah. You know, and you really need to then sit there and work out.
Like it's a good role play to do with the team saying, Right, we are in a crisis scenario. We've got three hours and in three hours, all access will be cut. Or even now the access is cut. How would you role play this?
And it's really interesting to see how people respond to it. I remember when I was working in hotels, and we would be asked this because when you get trained as a manager, they're like, well, what would you do? And we'd have Excel sheets set up on our computers where we would run all of the check ins and the check outs from. And I thought this is crazy.
This is never gonna happen. But it did happen. And when it does happen, you are very thankful for that training.
Oh, absolutely. Yeah. As I said, I can still remember it. And luckily, I was on paternity leave at the time, but still working very much from my phone and hearing from the team where they were like we are doing everything from WhatsApp and they were like this is just insane and you know back at the time we didn't have the best sort of software in place because as I said, we were using on premise solutions.
So why is on premise less safe than in the cloud, in your opinion?
I mean, you need certain setups like you need VPNs and you have to have this physical server installed at your hotel and you're then so responsible for maintaining everything and it's okay if you're a large company. But if you're a small company, you're not sitting there thinking about, like, ways that your network can be infiltrated. You're not thinking about compliance and like ISO and SOC 2 compliance.
You're not thinking about those big things like if you're a small chain or a small property.
So, giving that sort of responsibility to someone who has everything in control for you as long as it's a good framework, then I think it's a bit more reassurance for you.
Yeah. Like I remember I've often met with hoteliers and the debate about on prem versus cloud and the owners would say like, yeah, but at least I know where my server is. I can control it. I was like, yeah, but that also means that others who want to do bad also know where your server is and they can get access to that. Whereas in the cloud, it is like our servers are Microsoft and they are probably the best protected servers anywhere in the world versus a back office room with a lock on it. And it is that mindset that we're trying to get through, but it's a really tough challenge to have this conversation.
Yeah. No. I can imagine. I mean, sometimes there are even server rooms that don't have a lock on them as well. If you've used to that, it's, but, yeah, as well.
You shouldn't be responsible for having to go in and manually restart it and having it sit on the network which is exposed and Yeah.
Especially when there is so many options nowadays to have it really.
There's just no reason.
Yeah.
On the like, hosted with Azure or things like this then.
And in the recent year, we've seen an increase in phishing attacks happening against hospitality. And it's not just against Mews. It's against any company that operates with really sensitive guest data. Have you seen any of this happening at Penta at this point, or have you been blessed so far?
Unfortunately not.
Recent phishing attacks in hospitality
We have seen it, and seen it quite a lot recently. It's, you know, we have a sort of owner company, then unfortunately one of the email addresses got exposed. Yeah. And with that again, it's then emails out to everyone, hey, I need this done, this done, this done. And of course, if it's coming from that email address, you're more than happy to be like, okay, then I edit that person.
It seems okay.
And you'll just do what you're asked.
And you know, it's not just us. We've seen emails coming in from other hoteliers or other suppliers that have the same problem. And because it's just coming from that email address that you've maybe emailed five thousand times in the past three years, you don't even think about it.
No. You really don't. You just assume it's correct. And we get so many emails that you just assume to click on everything. And, like, luckily, you have this IT set up where you do, you know, fabricated phishing where you create the phishing attempts trying to see if you can trick your employees, and then that leads to training. And I think that's probably one of the best ways to drive that education.
But you're as strong as your weakest link, and that is genuinely true. And, like, maintaining the settings of who has access to what is so critical to really review, do these people need administrative rights to the system or would they be fine without that? And that's one of those things that you get a lot of pushback because operations will be like, Yeah, I need it because I need to do these things. And you're like, I don't think you actually do, but that's a difficult conversation, I'm assuming.
The importance of access control
Yeah. It happens pretty much. I mean, if I talk by experience even this morning, I got three different requests. Hey, we need access to this permission or this person needs access to this permission. And like, the more we give you the more exposure there is, you know. As you said, if that one person, someone gets access to their account, then the more permissions we give them, the more they can do with it.
Yeah. And so you mentioned you're all on two factor authentication one hundred percent. Are you looking at using passkey or other ways to protect the systems?
Yeah. So, we had quite a large system landscape if I talk about the last few years. We're condensing it now which was like why we did everything with Mews in the last few months. But I think we went as far as we had at one point like seventy five different systems or applications in use across all the departments and trying to get 2FA, SSO, all of these things enabled on all of them has been a lot of work. Yeah.
But one thing we're also trying to work on now is a passkey manager.
So we have quite a lot of central users who are using it but we now want to roll out a password manager to every user.
That's all good.
Which means that it will only pop up to put in those like to auto fill those credentials if you're on that correct website. So if you accidentally Google, Mews login and you go to Mews with two s's dot com, then it's not gonna auto fill your password and you're gonna stop and think, Hey, something's not right here. Yeah. So So that's already in the process and that's something we're definitely rolling out.
Yeah. The scenario you just explained, this is a thing that we see every day this happens. So you've got these phishing farms in like countries that's far in the east that are targeted to just attack companies. And they will spin up a fake website that has just a spelling mistake in the URL. And then they work with Google to drive AdWords to kind of push up their ad, and it looks one hundred percent legit when you click on it. And only once you've clicked on it and you've gone into the website, the URL is slightly off. But the login page looks exactly like Mews.
Yeah.
And luckily because with when you have a password manager, it doesn't see like, it doesn't recognize the website, so it wouldn't give you the password. But a lot of hotels do not have these things. They've memorized their password, and they use the same password across systems. So the moment they've captured your password, they now can log in to all the other systems as well downstream.
And this is where, you know, two factor authentication, single sign on, or passkey are, like, these beautiful solutions that protect hotels. But it's been a battle. When we rolled out two factor authentication, you can only imagine the hate we got from hoteliers who are like, you make our lives miserable. I was like, no.
Like, we're protecting your guest data. But hoteliers, we just like to log into systems as fast as possible. Of course.
I mean, I still see it even now. Like I said, I've been on property for the last nine, ten weeks traveling around rolling Mews out and you still see people writing passwords down on post it notes. And you're like, what are you doing?
Yeah. It's unbelievable. But no, I think, also with the Mews passkey, we're trying to instill some information with them. But if you use Mews passkey, it's a one click login.
You don't have to wait and find your code on your authenticator app, but it's also then an added layer of protection.
Passkey technology
Like, so I never really understood what Passkey was until I started using it and it's biometric login, basically. So with your password manager, you set up a biometric login. So every time you log into that on your computer, you log in with your facial scan or with your fingerprint, and they can't copy that. Like, that is impossible to copy. So it's the safest way to log in to anything.
And we all have Passkey. We all have a smart like, there's not a person I know that doesn't have a smartphone with these things installed.
And it's really incredible. And just last week I saw that even now WhatsApp has set up passkey, and I was like, oh, they've been watching our blogs. Like, it's really nice that they're finally realizing that this is the future. But I'd say if you do anything, it's really enforcing passkey and making sure that biometric login is the only way to go. I had a success this weekend because I had lunch with my mother and my father, and I have finally gotten my mother to use Apple Pay.
Oh, wow.
And because I was like, it's biometric.
Like, every time you pay, the device knows that it's you because of your facial recognition. But I've been fighting that for a couple of years. So that's my big victory this week.
Yeah. I still have that fight when I go to Germany a lot. So in the UK, like for us, carrying a wallet is even seen as crazy. Yeah. Like it's just Apple Pay or Android or like Google Pay everywhere. Yeah. Then I remember the first time I went to Germany, I got in a taxi and the guy was like, cash only or if you really bust it's PayPal.
And I was like PayPal.
What is going on? Went to a shop and they were like, yeah, it's cash or you need a physical card. We don't accept Apple Pay. I was like, this is insane.
So Penta Hotels is now fully in the cloud, enabled with security settings. What's next? Like what's the thing that you get excited about from a security point of view?
Security in shared environments
I think it's more sort of scaling up from here. As I said, something as simple as passkeys, it's okay. Like if someone has a personal device, right? Because you have a camera on your laptop or a fingerprint scanner on your laptop. But many hotels will probably sit there and think, what about front desk computers where everyone shares a login? There is no, like, there's no laptop. It's an actual computer.
I think they need to think it's actually quite simple. Like you can buy the Windows Hello cameras that you just stick on top of your computer, plug it in, and then everyone now has facial recognition.
Yes, each user would have to have their own Microsoft account, but it's you can't put money or costs in front of like cybersecurity protection. I think that's the biggest thing we've understood.
Yeah. And like, who in the company has given you the right to push security settings so far? Who's the person that enables you to take the lead on these conversations?
So our head of digital, he is so pro cybersecurity.
And we've had the conversations with then our leadership team.
So I think, you know, Victoria, right? Yeah.
And then just you don't even need to give an explanation. You're like, Hey, no, this is absolutely mandatory in terms of security. And we're like, we cannot say, Hey, this is too expensive. Yeah. Yes. Like you can go really far and say we've put in so many measures that it's crazy. But even at least the base layer, you cannot sit there and think it's too expensive for us to do.
Like single sign on, we've often had a conversation because single sign on is an entire infrastructure that you set up where you manage all of your employee logins across all of the systems.
But the moment the employee leaves, you just delete the person from single sign on, and it gets removed from all systems beautifully.
But it is pricey. And for some smaller hotel groups, this might not be the best solution. And that's why we rolled out Passkey because we're like, at least logging into the system is secure, but single sign on is by far the best thing to do. But have a conversation about budgets before you start to roll this out because it is not cheap.
Yeah. No. True.
Single sign-on in hotels
And as I said, as long as there's multiple options available. Yeah. SSO is, as you said, it's great because it's just a one remove, and then it's removed across all the systems that you've enabled it with.
Yeah. And we have lots of turnover in our industry. People leave. This is just a thing that happens every single day.
You know, people will always forget to off board people. Like you may remove them from the place where it costs you the most money, like with Active Directory or Azure where you're paying the license fee. But if you've got that user across fifteen other systems someone somewhere will forget to remove that user.
Each time that's one added element of risk and it just keeps building and building. And especially in this day and age, you can't have any of those, like, exposures. No.
Josh, I've really enjoyed the conversation. I can imagine the stress that twenty twenty one and that attack has caused you, but I love how you guys have taken that as a moment of change, and you've leaned into the change. You've embraced the cloud. You've embraced security settings.
I think you set such a great example for our industry, which is under a constant attack of these cyber criminals. So thank you for sharing so openly. I think having people like you talk about this will hopefully open up some people's eyes and think maybe today is the day that I'm going to change these things. So thank you for sharing.
No. It's been a pleasure. It's definitely something that we need to get the word out about for sure.
Nice.
Thank you.
Thank you.