HOTEL CYBER SECURITY

ACID Technologies helps hotels protect themselves by detecting the first signs of an impending cyberattack – as early as in its planning stage, and providing real-time, detailed alerts that enable the targeted hotels to implement effective preventive measures

There is a critical need for cybersecurity in the hospitality industry

The Financial Times reported in 2022 that hotels and hospitality businesses are now the third most cyber-targeted industry. Hotels store enormous amounts of customer data, including names, addresses, passport details, credit card information and more. This is a treasure trove for cybercriminals, who can launch ransomware attacks after stealing this data and encrypting it.

Hotels suffering from ransomware attacks must make the difficult choice of either paying hefty ransom payments, or risking disruption to their operation, and potentially incurring disastrous harm to their reputation and loss of business.

The vulnerability of hotels is explained by the fact that computer systems have replaced many of the face-to-face services provided by hotel staff to guests. Staff shortages have led to even more widespread use of computerized services. Additionally, reservations are increasingly made on external websites and apps – an additional potential vulnerability – as opposed to the hotel chain’s own website.

Hotel & hospitality businesses are the third most cyber- targeted industry

(Financial Times)

The average total cost per breach in the hotel & hospitality industry in 2021/22 was $2.94M
(Ponemon Institute & IBM)

The costs of cyberattacks, which make hotel cyber security services a wise choice

Ponemon Institute and IBM have analyzed the average costs of a breach in the hospitality industry, including not only the cost of lost business, but also costs resulting from damage to reputation, expenses covering forensic activities, legal services, crisis management, regulatory response and customer notification. They have concluded that the average total cost of a breach in this industry between 2021 and 2022 was US$ 2.94 million.

Some recent attacks targeting hotels are described below:

  • Marriott Hotels: In June 2022, a hacker stole 20GB of data from one of Marriott’s servers after tricking a company employee. The stolen data included credit card information of the hotel chain’s guests, reservation logs for airline crew members, as well as other sensitive information about guests and employees.

    In September 2022, Marriott Hotels was required to pay a fine of £14.8 million by the UK’s Information Commissioner’s Office (ICO), for failing to implement adequate security measures to protect its customers’ personal data. The attack in question began in 2014 (against the Starwood Hotel Group, which Marriott acquired in 2016), but was detected only 4 years later. It is believed that it may have affected up to 339 million guests.
  • Intercontinental Hotels Group (IHG), UK: Also in September 2022, a UK-based multinational hospitality company, which operates 6,000 hotels around the world, suffered a two-day outage to its online booking system following a hack. The hackers, who identified themselves as a Vietnamese couple, contacted BBC and said: “Our attack was originally planned to be a ransomware but the company’s IT team kept isolating servers before we had a chance to deploy it, so we thought to have some funny [sic]. We did a wiper attack instead.” In a wiper attack, data, documents and files are irreversibly destroyed.

    This attack came after a ransomware attack a month earlier at a Turkish location operated by the same hotel chain, which in 2019 settled a class-action lawsuit for a malware breach that affected a number of its hotels, restaurants and bars.
  • MGM Resorts Hotels: In an attack targeting MGM Resorts Hotels in February 2020, the perpetrator gained access to the personal details of more than 10.6 million guests and published them on a hacking forum. The guests included celebrities (among them then Twitter CEO Jack Dorsey and Canadian musician Justin Bieber); US government officials connected to the FBI, Department of Homeland Security, Department of Justice, and Transportation Security Administration; CEOs and employees at some of the world’s largest tech companies. The stolen personal details were reportedly names, home addresses, telephone numbers, emails, dates of birth and passport numbers.

Types of cyberattacks that ACID’s hotel cyber security services help protect from

ACID’s hotel cyber security solution helps protect from diverse cyberattacks, including the most common and frequent ones:

  • Point of sale/ payment card attacks, which are regarded by many as the greatest threat to the hospitality industry. This is a third-party crime in which the vendor is targeted, rather than the hotel itself.
  • Ransomware, which can prevent access to systems and data and disrupt hotel operation until the ransom is paid. In October 2020, the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) warned that ransom payments may not only encourage cybercriminals, but also place organizations that pay the ransom at risk of violating OFAC regulations.
  • Remote hacking through third-party vendors, such as various contractors and service providers.
  • Phishing scams targeting customers and hotels. Guests sometimes find themselves providing their personal and credit card information on what they discover later are fake websites posing as legitimate ones. Cases in which hotels have sent their monthly fees to falsely branded web pages have also been recorded.
  • DDoS attacks – hotels are particularly vulnerable to this type of attack because so many of their devices and systems are managed by computers and can be leveraged to disrupt other systems operating on the same infrastructure.
  • Theft of personal information over hotel Wi-Fi, which the FBI has warned against, stating that Wi-Fi networks in hotels typically favor guest convenience over strong security practices. Guests cannot be sure that all the security features have been activated on a hotel’s Wi-Fi network, and that security patches are installed as soon as they are provided.
  • DarkHotel hacking is particularly worthy of attention. Classified by Kaspersky as a major risk, it has been known to compromise luxury hotel networks, then stage attacks from those networks on selected high-profile victims. Kaspersky explains that the DarkHotel group appears to use a combination of spear phishing, dangerous malware, and botnet automation designed to capture confidential data. It adds that its attacks are typically layered and involve two malware infections stages – an initial bait for malware infection in order to infiltrate devices and vet for high value targets, followed by a secondary malware infection aimed at stealing their data.

ACID’s hotel cyber security services – a cost-effective solution

As stated above, the average cost per breach in the hospitality industry is close to US$ 3 million. The harm to reputation and resultant loss of business to a hotel, which may continue for an extended period of time, must also be taken into account.

Even when hotels do take action to improve security, running a single penetration test to detect vulnerabilities in their computer systems can cost up to US$ 25,000, according to Tristan Gadsby, chief executive of hospitality consultancy Alliants.

When weighing the cost of ACID’s cybersecurity solution for hotels against the resources an organization would need to invest in-house to achieve results that may not provide a comparable level of protection, leaves no doubt that ACID’s services are not only essential, but also highly cost-effective.

ACID uses AI algorithms and clusters of bots that scan the clear, deep and dark web, as well as social networks and other sources, to detect the first signs of an impending attack. Its real-time, detailed alerts, screenshots of threats detected on the dark web and subsequent updates as more information becomes available, provide IT teams with highly valuable information. If the client wishes to add sources to the very long list that ACID continuously monitors, we are happy to oblige. The information provided by ACID supports the IT teams in preparing effective countermeasures that can potentially thwart the cyberattack or mitigate its harmful effects.

Subscribing to the cybersecurity services offered by ACID Technologies can spare your organization the potentially disastrous effects of cyberattacks at a fraction of their cost, and enable you to put your resources to good use where they are most needed.