Like every industry, the hospitality industry is not immune to cyberattacks. Hotels hold large amounts of sensitive data from customers, including credit cards and home addresses, so it is vital that their cyberdefences are as strong as possible. Deryck Mitchelson, Global CISO at Check Point, urges the hospitality sector to take stock of its cybersecurity following a series of incidents.
UK tourism has finally started to recover after the pandemic, with 37.5 million tourists visiting the shores in 2023. Unfortunately, the sudden surge in tourism has been met with an equal rise in ransomware activities as opportune cybercriminals use the resumption of travel activity as an avenue to elicit sensitive information. After claims that the notorious Hunters International group was able to breach the cybersecurity of the Dalmahoy Hotel and Country Club in Edinburgh, hotels and hospitality services need to be better equipped to deal with the cybersecurity threats targeting the sector.
This comes after a 2023 government survey that found food and hospitality businesses tend to regard cybersecurity as a lower priority than those in other sectors, with only 58% considering it a high priority, compared to 71% of businesses overall. This disparity becomes even more glaring when we consider that only 22% of food and hospitality businesses had a board member taking responsibility for cybersecurity. The breach earlier this year involved 949.9GB of data from the Dalmahoy Hotel and Country Club in Edinburgh, underlining that hotels and hospitality services need to be better equipped to deal with the cybersecurity threats targeting the sector.
Reputation is currency in the hospitality sector, and it requires a huge level of trust from the customer to willingly hand over sensitive data such as credit card information, home address and contact details. In most cases, we don’t know how that information is used, or what system it is being inputted into: it all comes down to blind faith. If a hotel does suffer a hack, that could leave guests exposed to potential breaches and a reluctance to use it in the future or recommend it to others. One of the most extreme instances of breaches within the hospitality sector occurred when the Information Commissioner’s Office fined Marriott Hotels £18.4 million for a breach that affected up to 339 million guests and had gone undetected between 2014-2018.
Business owners are confronting a multitude of threats, including phishing attacks, where employees unknowingly click on malicious links from a cybercriminal pretending to be a customer or a vendor. Point-of-sale attacks exploit vulnerabilities in hotel transaction systems, exposing guests’ financial data. Wi-Fi infiltration, popularised by the Dark Hotel Group, involves the targeting of high-profile individuals through hotel networks. Distributed Denial-of-Service (DDoS) attacks, increasingly common, disrupt hotel operations, while a ransomware attack involves the stealing of customer data using malware, followed by threats to release the data on the dark web if payment demands are not met.
To safeguard against cyberthreats, industry leaders and hotel management are urged to implement the following measures:
- Regular security audits: You cannot rely on annual checks on your security posture. Conduct routine cybersecurity audits to identify vulnerabilities in real time and assess the effectiveness of existing measures. Cyberthreats are constantly evolving, so a proactive approach can uncover a weakness before it is exploited by malicious actors. The frequency of your audits will depend on the size of your organisation, but ideally you should have a third party perform an audit monthly or quarterly. By regularly reviewing and updating security policies you will develop a system based on continuous improvement.
- Employee training: Your staff should not be your only line of defence, but they are an important barrier to entry. Technological solutions, such as firewalls, are important, but they are not foolproof. Educate staff about cybersecurity best practices, including recognising phishing attempts and understanding the importance of strong password management. Training should be an evolving process, with informative material regularly updated and accompanied by simulated phishing exercises that reinforce what staff have learned by putting it into practice.
- Secure payment systems: Your customers will expect payments to be protected. Implement secure payment processing systems, regularly update software and adhere to Payment Card Industry Data Security Standard (PCI DSS) guidelines. To ensure you are PCI compliant, regularly monitor and test your networks, perform risk assessments and create an internal information security policy, with strong access control measures.
- Data encryption: Encrypt sensitive customer data to protect it from unauthorised access, both in transit and at rest. Effective encryption strategies cater to the entire data lifecycle, from creation to storage to eventual deletion. This involves encrypting data before it is stored, decrypting it only when necessary for authorised purposes and finally disposing of encryption keys and encrypted data when it is no longer required.
- Incident response plan: Develop and regularly update an incident response plan to minimise damage in the event of a cyberbreach. This entails establishing clear roles and responsibilities for those on the response team, along with robust communication strategies for timely updates. The incident response plan will detail the steps and procedures for detecting, assessing and responding to different types of cyberthreats. When the threat is contained, your organisation can move towards the recovery and restoration of your operations.
- Be aware of brand phishing: Phishing is commonly used to exfiltrate customer data, and hospitality is a prime target for brand impersonation. Be aware of any campaigns circulating that may refer to your hotel chain, and make it clear to existing and prospective customers to trust only legitimate emails. A recent example of brand phishing attacks is the exploitation of booking.com, one of the world’s largest websites for holidaymakers. Hackers target individual hotels that use the booking.com portal and, once they gain administrative control, trick guests into paying money to them rather than to the hotel.
Whether independent or part of a chain, hotels are responsible for storing the personally identifiable information of employees and customers and can ill afford any weaknesses in their cyberdefences. To safeguard sensitive data and maintain industry integrity, hotels across the country should apply the same principles of physical security to their cybersecurity strategy: investing in the best technology, implementing access controls to limit exposure of confidential documents and mapping out an incident response plan to mitigate any losses.
In the world of hospitality, securing your digital doors isn’t just key, it’s the only way to ensure a five-star experience for guests and peace of mind for management.