Hotel data breaches: What independent hoteliers need to know about data security

  • Writer: Daniel Wilson
  • Oct 15, 2019
  • 8 min read

The uptake of online business and internet transactions in recent years has exploded and brands need to be more aware than ever of keeping their own – and customers’ – data safe.


The need for data security was not ignored over time but the fact is today’s cyber-criminals are finding new and increasingly sophisticated ways of stealing sensitive customer data from hotel websites, systems, servers and mobile platforms – even your front desk.


And what could a security breach of your hotel’s systems or that of your partners lead to? Investigations, serious damage to your reputation, and loss of consumer trust, to name but a few immediate consequences – not to mention thousands of dollars in penalties and fines.


Ask yourself: what if it was your hotel guests’ data that was hacked into?

To match the endeavour of hackers, hoteliers need to pay even closer attention to how they accept, store, and secure customer data and how they use their systems.

In this blog we’ll tell you everything you need to know about data breaches, including what they are, the various ways you could be hacked, the consequences, and how to protect yourself.

What is data security?


Data security is the practice of protecting sensitive information and data from being accessed, stolen, or damaged by unauthorised persons. Data security may be impacted by cyberattacks or data breaches, which can have serious consequences for businesses.

What is a hotel data security breach?


A data breach is the release, intentional or unintentional, of private or confidential information to an untrusted environment. In other words, when data is viewed or transferred by someone not authorised to do so, this is a breach.


Data breaches may involve financial information such as credit card or bank details, personal health information (PHI), personally identifiable information (PII), trade secrets of corporations or intellectual property. Most data breaches involve files, documents, and other sensitive information.


Data breaches are a concerning and damaging threat to all kinds of industries and businesses worldwide. Hotels are especially vulnerable because they deal with a large amount of personal information from guests and customers. Hackers can take all types of sensitive information from hotels – anything from email addresses to home addresses and credit card data.


The fines for such breaches are steep, but they’re not the only things your hotel should worry about. A security breach can significantly tarnish your company’s reputation in a very public way and many travellers say they will be less likely to book again with a company that lost their data through a security breach.


3 types of hotel security breaches


Here are the most common forms of online security breaches that may occur – along with some tips to avoid a hotel data breach where you are…


Hotel malware


Malware is any piece of software that was written with the intent of doing harm to data, devices or to people. Malware is perhaps the most common and most dangerous online security threat thanks to its diversity.

Officially standing for malicious software, malware incorporates many different types of potential dangers to hotel technology such as reservations systems.

These include:


  • Viruses: Just like a virus you might contract, a computer virus will infect files on your system and then spread uncontrollably, eventually crippling the machine if left unchecked.

  • Trojans: Trojans are chameleons, disguising themselves as all types of legitimate software or hiding within legitimate software that’s been tampered with. Once installed, they will then attack the system.

  • Spyware: Somewhat obviously, spyware is designed to linger undetected in the background of your system and take note of what you do online. It will look for passwords, payment card data such as credit card information, names and addresses, and other private details.

  • Worms: These have the ability to infect a whole network of connected devices, and then use all of them to infect more, either locally or across the Internet.

  • Ransomware: Again self-explanatory, this malware essentially locks your computer and threatens to destroy everything unless you pay a ransom to the owner. (Talk about dramatic.)

  • Adware: This is not the most hostile of the group. Often it will simply serve you annoying ads or pop-ups, but it can also open a way for other malware to get in.


The problem is that all of these types of malware require slightly different methods of removal and protection if a breach does take place at affected hotels. It’s always good practice to avoid engaging with suspicious emails and clicking insecure links, but the only way to be completely safe is to ensure you have anti-malware and antivirus software installed on all the devices you conduct your business with.


Spam


Spam, a term that has its origins way back in 1970 thanks to a Monty Python sketch, is the sending of unsolicited messages, mostly advertising, via email.


The term can also apply to other media such as instant messaging spam, search engine spam, spam in blogs, wiki spam, online ads spam, text message spam, Internet forum spam, junk fax transmissions, social spam, spam mobile apps, television advertising and file sharing spam.


It’s usually all very unwelcome, and in some cases it carries more dangerous malware with it.


However, there are plenty of ways to ensure you’re not bothered by spam at your hotel. Here are some tips:


  • Avoid opening emails that look like scams or spam
  • Never give in to spammers by purchasing something or accepting an offer
  • Don’t bother replying. Simply delete and/or block
  • Don’t be tricked into clicking. Even if a link is labelled ‘unsubscribe’ it will just confirm the email address is active and encourage more spam
  • Use a disposable email address for purposes that may attract spam such as online purchasing
  • In fact, be very wary where you put your main email address and who you give it to
  • Try to use web contact forms instead of actually posting your email address on your website publicly
  • When communicating your email address, present it in a way a person will understand but a spambot won’t. For example, test at test.com instead of test@test.com


DoS attacks


A denial-of-service (DoS) attack occurs when a hacker or virus shuts down a machine or network and prevents it being accessed by its intended users. This is usually done by flooding the system with an unprecedented amount of traffic or by sending information that triggers a crash.

The victims of DoS attacks are usually high-profile organisations that people have a grievance against.

A few different methods of DoS attacks exist. They include:

  • Buffer overflow attacks sending more traffic to a network address than the programmers have built the system to handle
  • ICMP floods that leverage misconfigured network devices by sending spoofed packets that ping every computer on the targeted network
  • SYN floods that send a request to connect to a server, but never complete it. This continues until all open ports are saturated with requests

DoS attacks are very hard to predict or prevent. Usually solutions depend on countermeasures once the attack has been noticed.
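Noticing the attack is the first step: a SYN flood of the kind listed above leaves the server holding many half-open connections. The following is an added example, not part of the original post, that counts SYN-RECV entries in constructed `ss -tan`-style output and flags a port once an assumed threshold is reached; the sample lines, threshold and function names are all assumptions.

```python
from collections import defaultdict

# Constructed sample in the column layout of `ss -tan` output
# (documentation-range addresses, not real traffic).
SAMPLE = """\
State    Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB    0 0 203.0.113.10:443 192.0.2.44:40022
SYN-RECV 0 0 203.0.113.10:443 198.51.100.7:51514
SYN-RECV 0 0 203.0.113.10:443 198.51.100.8:40112
SYN-RECV 0 0 203.0.113.10:443 198.51.100.9:33871
SYN-RECV 0 0 203.0.113.10:443 198.51.100.23:61002
SYN-RECV 0 0 203.0.113.10:443 198.51.100.77:49990
SYN-RECV 0 0 203.0.113.10:22 192.0.2.91:55001
ESTAB    0 0 203.0.113.10:22 192.0.2.5:50210
"""

def half_open_by_port(ss_output):
    """Map local port -> peer IPs stuck in SYN-RECV (handshake not completed)."""
    pending = defaultdict(list)
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "SYN-RECV":
            continue  # header, blank line, or a socket in another state
        port = fields[3].rsplit(":", 1)[1]
        peer_ip = fields[4].rsplit(":", 1)[0]
        pending[port].append(peer_ip)
    return dict(pending)

def syn_flood_alerts(ss_output, threshold=5):
    """Flag ports whose half-open count reaches the threshold (assumed; tune per site)."""
    alerts = []
    for port, peers in sorted(half_open_by_port(ss_output).items()):
        if len(peers) < threshold:
            continue
        distinct = len(set(peers))
        alerts.append({
            "port": port,
            "half_open": len(peers),
            "distinct_peers": distinct,
            # Many one-off sources suggest spoofing, where per-IP blocking does
            # little and SYN cookies or upstream filtering are the usual response.
            "likely_spoofed": distinct > len(peers) // 2,
        })
    return alerts

if __name__ == "__main__":
    for alert in syn_flood_alerts(SAMPLE):
        print(alert)
```

The threshold of 5 is deliberately small so the constructed sample triggers it; a production value would be set from the server's normal baseline of half-open connections.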


Examples of a hotel data security breach


Some of the world’s largest companies have fallen prey to data breaches, costing millions of dollars in damages. In 2013 Yahoo was attacked and three billion user accounts were compromised. In the same year eBay had almost 150 million customer accounts accessed illegally.


Hotels and bed and breakfast properties have also been key targets of data breaches for many years – and there is one main reason for this: credit card payments. The security breach happens online, because that’s where your guests are making their bookings, or where your front desk staff are making bookings on their behalf. Unfortunately, going ‘off the grid’ isn’t a feasible solution to the issue – the online space is too big to ignore and credit card usage continues to grow.


Seeing as hotels process countless credit card payments every day, it’s important to protect all the transaction details of each payment. If the correct systems aren’t in place, there is potential for a security breach to occur.


Hotels aren’t unique in being attacked by hackers; other travel companies can be affected. Expedia-owned Orbitz admitted its systems may have leaked the personal information of people that made purchases between January 1 2016 and December 22 2017, affecting about 880,000 payment cards.


And while not a strict data breach, Booking.com paid about 10,000 customers who fell victim to a scheme which conned customers out of data.


However, a casual look at a timeline of incidents suggests the hotel industry has been more vulnerable than most. The incidents may have the side effect of deterring customers from trading data with the hotels in exchange for potential benefits of personalised services, a major commercial goal for hotel managers and owners.


Marriott data breach


In 2018 Marriott announced that hackers had attempted to access its Starwood Hotels & Resorts Worldwide guest reservation database. Further investigation revealed unauthorised access to the system as far back as 2014, two years before Marriott acquired Starwood.


A valuable lesson here is that businesses should always scrutinise the cybersecurity and data handling of other companies before they enter into any type of deal. Even though the hack happened before the acquisition, it’s still Marriott’s reputation that is compromised. The same principle should be applied when a company acquires new infrastructure, applications, and systems. While these seem like assets, they should also be treated as potential liabilities.


Estimates said up to 500 million guests, including 327 million guests whose data includes “some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date and communication preferences”, may have had their information at risk in the period between 2014 and 2018. Marriott also confirmed some compromised guest data includes payment card numbers and expiration dates.


IHG data breach


Front desk cash registers at more than 1,200 hotels in the InterContinental Hotels Group, which includes the Holiday Inn and Crowne Plaza brands, were infected with malware that stole customer debit and credit card data between September 29, 2016 and December 29, 2016. The company has a network of more than 5,000 hotels in over 100 countries so that could mean more than one-fifth of its hotels were affected.

The malware stole information read from the magnetic stripe of a payment card as it travelled through the affected hotel’s server. That information could have included the cardholder’s name in addition to card number, expiration date, and internal verification code.


The company suggests that anyone who stayed at one of its properties during the time period the malware was present review their payment card statement for any unauthorized activity and report the charges to the credit card issuer.


Hilton data breach


In 2017 BBC News reported Hilton was fined $700,000 for mishandling data breaches in 2014 and 2015.


The company discovered the first breach in February 2015 and the second in July 2015, but first went public with the breaches in November 2015. US federal investigators said Hilton “had taken too long to warn customers and lacked adequate security measures.”


Wyndham data breach


Wyndham Worldwide was involved in a lawsuit after failing to properly safeguard customer information, in a case arising from three data breaches affecting more than 619,000 customers.


The Federal Trade Commission wanted to hold Wyndham accountable for breaches in which hackers broke into its computer system and stole credit card and other details from customers, leading to over $10.6 million in fraudulent charges.


Under the order, Wyndham established a comprehensive information security program designed to protect cardholder data including payment card numbers, names and expiration dates.


Expedia security breach


Expedia subsidiary Orbitz disclosed that about 880,000 payment cards had been impacted by a security breach that potentially exposed customers’ information to hackers.


The travel booking site said an investigation determined that an attacker may have accessed personal information of people who made purchases between January 1 2016 and December 22 2017.


The personal information potentially exposed includes credit card information, addresses and phone numbers of customers. The information attackers “likely accessed” included people’s names, dates of birth, email addresses, street addresses, and genders, Orbitz said.

