Data Security for the Hospitality Industry – Risks and Best Practices

Data Security for the Hospitality Industry – Risks and Best Practices

Information security is a pivotal aspect of many industries — including that of hospitality, due to the data collection by companies operating within hospitality. Hotels, motels, resorts, and rented apartment complexes all gather and electronically store a range of sensitive personal guest data, such as names, phone numbers, addresses, and credit card details.

From the perspective of cyber criminals, hospitality appears to offer an ideal target for conducting crimes, such as identity theft and credit card fraud, due to the existence of multiple databases and devices containing both Payment Card Information (PCI) and Personally Identifiable Information (PII).

Data Security Concerns in Hospitality

Here are five of the biggest data security concerns in the hospitality industry:

1. Complex Ownership Structures

Restaurants, hotels, and other companies in the hospitality sector often have complex ownership structures in which there’s a franchisor, an individual owner or group of owners, and a management company that acts as the operator. Each of these groups may use different computer systems to store information, and the information can also frequently move across those systems.

A case in point was the Wyndham Worldwide breaches of 2008 and 2010. Hackers gained access to the systems of an individual operating company through easily guessed passwords, and the attack proliferated through the entire corporate network, compromising the personal and financial information of  619,000 customers.

1. Reliance on Paying By Card

The nature of the hospitality industry is extremely reliant on credit cards as a form of payment. Restaurants and hotels alike often require credit card details for reservations, and final payment is also frequently made by the same card.

Cybercriminals use this reliance on cards to infect point-of-sale (POS) systems with malware that steals credit and debit card information by scraping the data. In fact, it was reported in 2017 that out of 21 of the most high-profile hotel company data breaches that have occurred since 2010, 20 of them were a result of malware affecting POS systems.

Because this malware can often proliferate or move between POS systems run by the same operator, multiple individual and groups of hotels can be afflicted by these types of attacks, and they can go unnoticed for months.

1. High Staff Turnover

A vital part of protecting data is training staff to securely gather and store personal information. Well-trained staff also know how to recognize social engineering attempts, and they understand an organization’s compliance requirements. The risk is that the hospitality industry involves a great deal of of seasonal work in which people might move on after only a few months, or they might be transferred.

In the United Kingdom, for example, the job turnover rate in hospitality is as high as 90 percent. All it takes is one person who isn’t familiar with the importance of data security for a cybercriminal to exploit a hospitality company’s systems and gain access to sensitive data.

1. Compliance

Data security risks in the hospitality industry extend far beyond the reputation hit that a hotel can take if guests’ data is compromised. Industry and political regulators are becoming stricter in governing how organizations process and store personal data.

The General Data Protection Regulation was introduced by the European Union in May 2018, as a landmark legislation that aims to return control over personal information to individuals, while simultaneously enforcing stricter rules for organizations to protect such information when  they possess it.

While GDPR protects individual data within the European Union (EU) and European Economic Area (EEA), its ramifications have rippled through industries globally, and organizations are realizing the need to put greater compliance measures in place.

1. Insider Threats

This type of data risk is more subtle, and it involves employees selling data to third parties without the knowledge of the organization that employs them. Such insider threats typically occur to data on customer preferences and behavior, which hospitality companies can collect at multiple touchpoints to review data, from interactions with their website, to form data on booking systems.

Best Practices for Data Security in Hospitality

Best data-protection practices for companies in the hospitality sector include…

• Always encrypting payment card information.
• Operating a continuous training program in cybersecurity to maintain a well-trained workforce.
• Always adhering to relevant regulations, such as PCI DSS.
• Use cybersecurity measures such as firewalls, network monitoring, anti-malware, and traffic filtering to protect against common threats.
• Conduct tests against your organization’s cybersecurity defenses in which you mirror the behavior of an actual hacker.
• Know where your data is and enforce the principle of least privileges to limit access to sensitive information.

With a full understanding of the main data security risks, and some best practices for mitigating those risks, organizations in the hospitality sector are better placed to implement a comprehensive information security strategy that entails the necessary procedures, processes, and people to improve cybersecurity within the hospitality industry.