Data Security in Hospitality: Risks and Best Practices
December 5, 2018 10:17am
By Limor Wainstein
Information security is pivotal in many industries, not least hospitality, because of the nature of the data that hospitality companies collect. Hotels, motels, resorts, and rented apartment complexes all gather and electronically store a range of sensitive personal guest data, such as names, phone numbers, addresses, and credit card details.
From the perspective of cybercriminals, hospitality appears to offer an ideal target for crimes such as identity theft and credit card fraud, because multiple databases and devices contain both Payment Card Information (PCI) and Personally Identifiable Information (PII).
This article focuses on five of the biggest data security concerns in the hospitality industry and highlights some best practices for protecting hospitality data.
Data Security Concerns in Hospitality
Complex Ownership Structures
Restaurants, hotels, and other companies in the hospitality sector often have complex ownership structures in which there’s a franchisor, an individual owner or group of owners, and a management company that acts as the operator. Each of these groups may use different computer systems to store information, and the information can also frequently move across those systems.
A case in point was the Wyndham Worldwide breaches of 2008 and 2010. Hackers gained access to the systems of an individual operating company through easily guessed passwords, and the attack easily proliferated through the entire corporate network, with the result that 619,000 customers had their information compromised.
Reliance on Paying By Card
The nature of the hospitality industry is such that it is extremely reliant on cards as a form of payment. Restaurants and hotels alike often require credit card details for reservations, and final payment is also frequently made by the same card.
Cybercriminals use this reliance on cards to infect point-of-sale (POS) systems with malware that steals credit and debit card information by scraping the data. In fact, it was reported in 2017 that out of 21 of the most high-profile hotel company data breaches that have occurred since 2010, 20 of them were a result of malware affecting POS systems.
Because this malware can often proliferate or move between POS systems run by the same operator, multiple individual hotels and hotel groups can be afflicted by these types of attacks, and the attacks can go unnoticed for months.
High Staff Turnover
A vital part of protecting data is training staff to securely gather and store personal information. Well-trained staff also know how to recognize social engineering attempts and they understand an organization’s compliance requirements. The risk is that the hospitality industry involves lots of seasonal work in which people might move on after only a few months, or they might be transferred. In the U.K., for example, the job turnover rate in hospitality is as high as 90 percent.
The high level of turnover and the high degree of staff movement between different locations make it a real challenge to maintain teams of well-trained staff. All it takes is one person who isn’t familiar with the importance of data security for a cybercriminal to exploit a hospitality company’s systems and gain access to sensitive data.
Data security risks in the hospitality industry extend far beyond the reputation hit that a hotel can take if guests’ data is compromised. Industry and political regulators are becoming stricter in governing how organizations process and store personal data.
The GDPR was introduced by the EU in May 2018 as landmark legislation that aims to return control over personal information to individuals while simultaneously enforcing stricter rules on organizations for protecting such information during any period in which they possess it.
While GDPR protects individual data within the EU and EEA, its ramifications have rippled through industries globally, and organizations are realizing the need to put greater compliance measures in place.
PCI DSS is another important global regulation that protects credit card data, and fines for non-compliance begin at $500,000 per incident. The risk here is not just to data security but to the future survivability of hospitality companies, many of which would not be able to absorb the substantial losses resulting from non-compliance fines.
This type of data risk is more subtle, and it involves employees selling data to third parties without the knowledge of the organization that employs them. Such insider threats typically involve data on customer preferences and behavior, which hospitality companies can collect at multiple touchpoints, from interactions with their website, to form data on booking systems, to review data.
This data could be potentially lucrative when it ends up in the hands of those who know how to use it to gain a competitive advantage.
Best Practices for Data Security in Hospitality
Best practices for companies in the hospitality sector to protect data include:
With a full understanding of the main data security risks and some best practices for mitigating those risks, organizations in the hospitality sector are better placed to implement a comprehensive information security strategy that entails the necessary procedures, processes, and people to improve cybersecurity.
Limor Wainstein is a GrapeCity content contributor, technical writer, and editor at Agile SEO, a boutique digital marketing agency focused on technology and SaaS markets. She has over 10 years' experience writing technical articles and documentation for various audiences, including technical on-site content, software documentation, and dev guides. She specializes in big data analytics, computer/network security, middleware, software development and APIs.