Hospitality & Cybersecurity Awareness Month #besmarterthanahacker
Hospitality is a potential goldmine for cyber criminals. A huge amount of sensitive guest data can be harvested with a successful breach.
Prompted by the Covid pandemic, hospitality organisations (as with many others) have invested heavily in digital technology to become more efficient and, in hospitality’s case, to increase guest satisfaction. This includes things like advanced online reservation and check-in technology, smart key cards, smart HVAC systems, smart TVs, digital billboards, smart anything… along with public Wi-Fi and sharing data with online travel agents such as Booking or Airbnb.
If hotels and other hospitality organisations are hit with anything that takes systems down, the financial hit can be huge and, depending on the circumstances, reputational damage can occur.
According to the Trustwave SpiderLabs 2023 Hospitality Sector Threat Landscape Report, 31% of all hospitality organisations have reported at least one data breach, with 89% of those being hit more than once a year. Their research highlighted that a multitude of exposed ports, services and applications are publicly available on the internet: most usually network devices, property management systems, backup controllers, power distribution systems, phone systems, smart energy systems and IP cameras, but also RDP sessions, HVAC controls and more. Many of these support operations and, if compromised, would have a significant financial and potentially reputational impact.
Three attack types common to hospitality are:
- DDoS attacks: The hospitality industry is regularly targeted, particularly through the use of browser impersonation. These attacks are often very costly, with operations severely impacted.
- DarkHotel: A cyber attack group that targets high net value individuals through hotel Wi-Fi. They also use DDoS to achieve their aims.
- Phishing: Attacks increased by 51% after the pandemic, and hospitality is particularly vulnerable to Covid-linked information.
More information on how DarkHotel achieve their objectives in this Kaspersky article…
Factors unique to Hospitality
- Seasonal and often less cyber aware workforce.
- High user turnover… guests and to some extent staff.
- Networks which can be accessed by many people (guests, customers).
- Vulnerable to walk in attacks.
- Franchise models mean there can be different practices adopted within the same umbrella organisation.
A couple of Hospitality Breach examples
- Marriott Hotels… two in 2022, and breached in 2020 and 2018! They were fined nearly £20m after the 2018 breach, but it’s also fair to say their reputation has been hit. The 2018 breach began in 2014 in Starwood Hotels. It was not noticed in the 2 years before Marriott bought Starwood in 2016, and the attackers then had access to all systems for another two years. If acquiring another organisation, do your cybersecurity due diligence along with everything else.
- Wendy’s Restaurants in 2015 (fined $50m). Cyber criminals installed malware on the company’s point-of-sale systems. Setting up a secure network with strong configuration would have saved them a lot of money.
Fraud
It’s not just breaches that the hospitality sector is vulnerable to. SMS fraud cost the sector more than $6.7 billion in 2021. Hospitality often uses SMS for enrolling customers in loyalty programmes, sharing special offers and sending out booking confirmations.
WatchGuard solutions are well suited to the hospitality sector, and an organisation with all solutions from network to endpoint gains SIEM-like intelligence. Cyber & Data Protection are WatchGuard Gold Partners. We supply and support hospitality organisations.