Can You Pass That Data, Please?
Given the frequency at which data breaches are being reported in the hospitality industry, it is time to tighten the grid
By Pradeep Suvarna
Data breaches in the hospitality industry are unfortunately turning out to be a regular affair, and not many are surprised by this turn of events. For the longest time, hotels and resorts have been in the crosshairs of cybercriminals and hackers because they have a gold mine of information that they gather from their guests, ranging from personal data to credit card details.
What’s more, many of these guests are not just your plain Joe and Jane, but high-profile people and their personal information can be the proverbial El Dorado for the paparazzi. Is it any surprise then that hotels are always the soft target for cyber attacks?
Talking about this, Amit Bhattacharjee, IT manager at Bengaluru Marriott Hotel Whitefield, said that the main motive for cyber criminals and hackers to target hotels is that it is easier for them to extract confidential information without being identified. “With the existing business expansions, we see a huge number of corporate travellers staying in hotels for various reasons like meetings, events or project planning. These business executives make enticing targets for hackers as they can get all the required information regarding the corporate assets with a simple malware packet disguised as genuine software, which is sent to their device through the internet. Once installed, these software are capable of scanning through the system and sending the data back to the originator, which can then be used in any way desired.”
Anisha Ghosal, VP, brand and marketing, Daiwik Hotels, believed that after retailers began strengthening their security in 2014, these nefarious characters focused on the hospitality segment for easy pickings. In her opinion, the industry needs to invest more time and money in developing stronger security systems in order to protect guest information. Extensive use of credit cards in hotel transactions across various points of sale makes hotels most susceptible to security threats. She felt that credit card fraud is probably the biggest threat faced by the hospitality industry as cyber criminals try to steal guest identities and credit card details by intruding into hotel networks.
“Hotels are exposed to cyber attacks such as phishing, spams and Advanced Persistent Threats (APT), which can breach the hotel’s security system. Free WiFi networks generally have weak security systems and place guest data at a high risk. Computer viruses may also enter through weak security systems, slowing down or causing breakdowns in computers, servers and programmes running on the same network,” Ghosal added.
EVOLUTION OF THREATS
As the digital landscape changed and wireless connectivity became the de facto standard, security threats have burgeoned in the industry. The evolution of technology has compounded matters, and with the Internet of Things, guests insist on accessing data from their personal devices on the hotel’s network.
According to Bhattacharjee, this shift comes with a risk of data leaks as cyber criminals are often lying in wait to cherry-pick their targets. “These criminals can get the entire information of a guest by accessing the hotel’s reservation database. The same goes for external systems, like an integrated credit card system on a POS terminal, which will directly communicate with the bank’s server. If the terminal is tampered with, then all the information can be obtained by the external sources that are scanning the networks,” he rued.
Edwin D’Souza, IT manager of Sofitel Mumbai BKC, noted that another common data security threat is phishing, wherein a user receives an email from a genuine source with the expectation of sharing passwords or financial information. Another hazard is the Distributed Denial of Service (DDoS) attack.
“For this, a hotel should always include a process to mitigate any compromised systems if they are under a DDoS attack. Other threats that the property may face include not adhering to security guidelines and policies, such as browsing through unknown websites or opening unknown emails through hotel computers. Furthermore, attacks on software like Opera become one of our biggest threats as they may bring hotel operations to a standstill and may also affect guest information privacy,” he added.
In addition to phishing, Kush Kapoor, AGM of Roseate Hotels & Resorts, pointed to another cyber challenge that hotels increasingly face: ransomware attacks. Since 2015, cyber crooks have attacked many hotels, taken control of their data by encrypting it and later asked for a ransom amount to provide the decryption keys. WannaCry was the latest attack that happened, and hotels that fell foul of this attack paid more than $17,000 to let guests into their rooms and create electronic keys.
“Furthermore, there are instances like DarkHotel hacking, where criminals use a hotel’s WiFi to target a guest. They forge a digital certificate that is sent to the guest to download as a software update. When the guest does this, they end up giving control of their system,” he cautioned.
BAD FOR REP, BAD FOR REV
Every time a hotel battles a security breach, it finds itself staring at a significant financial risk, and the impact depends on how much its systems have been affected. The fiscal costs could involve IT forensic investigations, customer notifications and legal costs towards lawsuits. However, Ghosal pointed out that such breaches adversely affect public perception of the brand, jeopardising the trust and patronage of loyal guests. “This negatively impacts sales and loss of market share. Guests affected by breaches may never do business again with the brand,” she added.
Bhattacharjee pointed out that legal and regulatory problems can bring their own range of issues, and locking horns with regulators and litigants is the last thing that a business needs in today’s competitive world.
It is, therefore, imperative that hotels secure themselves and their guests on a continual basis. Sumit Sharma, IT manager, Eros Hotel Nehru Place, recommended starting with the basics, i.e. implementing proper security devices like firewall, antivirus, USB/new hardware blockage and proper administration access setup. “A managed network is the key to secure your network. Also, do not allow any external devices or free remote software on to your hotel IT setup as it is easy to hack if you are using trial version or free products in your hotel premises,” he suggested.
Ghosal recommended getting a risk assessment done periodically specific to guest privacy policies and data security by technical cyber-security experts to know where the system is vulnerable, what safeguards to implement and whom to make responsible. “With the help of experts build necessary firewalls, data encryption and other safeguards and get insurance risk coverage against cybercrimes. Educate and train the employees about such breaches/risks and develop a specific crisis response plan that will take the necessary steps to ensure business continuity, notification of guests, vendors, employees, government agencies and communicate effectively with the public and media,” she pointed out.
D’Souza suggested securing all billing systems first to protect guests’ personal and financial information. “Secondly, hotels need to think about multiple endpoints and remote connections they rely on to run the property’s operations. Electronic door locks, HVAC controls, alarm devices can fall under the control of cybercriminals aiming to disrupt normal operations. Thirdly, the antivirus systems should be updated regularly. An outdated antivirus can result in patches that can act as gateways for hackers to attain confidential guest information,” he suggested.
The best laid security plans are often laid to waste because the IT heads do not have a holistic vision for security and privacy, which is crucial. Bhattacharjee stated that another equally important thing that hotels need to do is apply regular security updates as recommended by the vendors and internal security teams, which help in reducing the risk of data breaches. “Users who handle the data also play a vital role in protecting information from various sources. They should be trained on important topics like Information Protection and Privacy, which impart essential knowledge for using the different applications and also communicating with people,” he added.
Dalvi stated that, taking data sensitivity into consideration, data can be secured by using a highly secured firewall at the root level, by using anti-spam based corporate anti-virus with updated definitions, and also by avoiding piracy in order to have updated patches on the system. At the same time, he recommended training the people who will be interfacing with guests, as well as associates at the backend of the business.
Kush Kapoor agreed with him and said that the staff has to be well educated about the perils of cyber threats, so that they, in turn, can use a modicum of caution while interacting with guests. “Hotels keep their network fairly open to guests, so that they can access the internet. This allows cyber criminals to take advantage by making zombies of any of the guest systems as an entry point to the hotel network, availability and access of multimedia,” he warned.
Security at a hotel has to go beyond installing the latest technology; it should also encompass training employees so that they do not inadvertently give hackers access to the network. The ideal way to do this is by creating a standard operating practice manual outlining the hotel policies on responsible technology usage and ensuring that it is followed.
“Employees can be restricted from downloading or installing software on company computers. Further, the web surfing can be limited, and the employees well trained to recognize, delete, and report suspicious emails or links, and teach them to create strong passwords. Most importantly, it is important to create a culture of accountability, so employees know they are responsible for protecting hotel data as well,” D’Souza advised.
A well-defined policy, once implemented and then regularly monitored, goes a long way in mitigating several data security challenges and can thwart many an online miscreant. Ultimately, what matters most is to have a clear vision about the holistic security of the IT network and have a contingency plan for any loopholes from the privacy perspective.