Dive Brief:
- The transition to mobile and contactless services in the hospitality industry is making hotels more vulnerable to cyber threats, according to a report from Trustwave SpiderLabs.
- The report noted a surge in ransomware attacks on the industry, with 59 incidents since 2022. Meanwhile, 31% of hospitality organizations have reported a data breach in their company’s history, and 89% of those were affected more than once in a year.
- As hotel companies adopt new technologies and mobile-first amenities, hoteliers will need to evaluate the risks in order to prevent cyberattacks.
Dive Insight:
The hospitality industry’s reliance on third-party providers and franchises, as well as high turnover in its workforce, makes the sector an appealing target for cybercriminals. Guest turnover also has an impact on hotels’ vulnerability, as hospitality establishments welcome new internet users each day.
According to the report, “organizations within hospitality must operate under the assumption that their networks are highly susceptible to attacks due to the sheer number of users.”
“With unique considerations, such as the adoption of contactless technology and the steady turnover of customers and employees, the hospitality industry faces a complex security landscape with distinct challenges,” said Trustwave Chief Information Security Officer Kory Daniels, in a statement. “In an industry where guest satisfaction and reputation are paramount, staying secure while offering cutting-edge technology is a delicate balancing act.”
The most common cyber crimes targeting hospitality include fake orders and extortion to collect personal data or money from victims.
Citing data from IBM, the report notes that the average cost of a hospitality breach, $3.4 million, is below the cross-industry average of $4.4 million. However, the impact of a breach can cause significant harm to a hospitality company’s bottom line due to the importance of reputation in the industry and high competition.
The report also notes threats associated with the growing use of generative AI and large language models. Increasingly popular technologies such as AI chatbots could potentially be used to collect and store large amounts of data about guests.
To mitigate risks from the usage of generative AI, the report suggests hotels evaluate their security solutions with generative AI in mind, choose security tools that can detect AI-generated threats and create robust internal policies and employee training for proper data usage.
The report also suggests hotel companies can work to prevent threats stemming from contactless technologies by executing regular vulnerability assessments, placing all servers and devices within a firewall and deactivating internet connectivity for servers and devices that do not need it.
The report monitored threat groups and their methods, noting an increase in attacks by the Clop ransomware group, which exploited hundreds of victims via a vulnerability in the MOVEit file transfer software. Hotel companies were among those affected by the attacks.
Last year, cybercriminals targeted Marriott International, making off with 20 gigabytes of sensitive customer data including credit card numbers. Later in the year, InterContinental Hotels Group experienced a similar attack that downed its booking systems and apps.