Cybersecurity in the hospitality industry: challenges and solutions.

Kyle Chin

Hospitality is a broad field encompassing service organizations that provide lodging, food and beverages, travel and tourism, and entertainment and recreation. Since the COVID-19 pandemic hit the hospitality industry hard, it’s made significant steps toward recovery.

Hospitality businesses must remain vigilant to continue this recovery amid an evolving cyber threat landscape. With cybersecurity threats increasing in frequency and sophistication, every business in the hospitality industry must take steps to protect data with robust information security policies and procedures.

A data breach can destroy a hospitality business through loss of reputation, business disruption, the cost of remediation after a cyber attack, regulatory costs, and lawsuits. A cyber attack can lock guests out of their rooms, forcing them to make reservations elsewhere.

This post looks at how the hospitality industry is affected by cybersecurity threats and the steps hospitality businesses can take to prevent cyber attacks and be more resilient if one does occur.


Why is the Hospitality Industry Targeted by Cybercrime?

To compete in a yet again booming hospitality industry, businesses must deliver excellent customer experiences. One of the ways modern hospitality businesses achieve this is by collecting and analyzing sensitive customer data.

The hospitality industry can create customized experiences for individuals and groups using customer data. Hotels and restaurants can use data to optimize their offerings according to their target market, season, and location.

However, collecting, processing, and storing large amounts of customer data makes the hospitality business attractive to cybercriminals. Data processed by the hospitality sector tends to include large amounts of sensitive data. Hotel chains, for example, typically store sensitive information about each guest.

Personal data frequently processed by hospitality industry computer systems includes:

  • Names of hotel guests
  • Street addresses
  • Email addresses
  • Phone numbers
  • Credit card data
  • Dates of birth

Cybercriminals can sell guest information on the dark web, hold it for ransom via ransomware, or use the data to commit further crimes, including phishing attacks and identity theft.

Cybercriminals can use stolen data to create realistic communications with unsuspecting customers. With stolen personal data, cybercriminals can develop and distribute fake confirmations, updates on non-existent loyalty programs, and bogus transfer requests, intending to trick guests into sharing more data or performing financial transactions.

The industry also faces cyber threats from state-sponsored cyber espionage groups, such as the DarkHotel hacking group, a persistent cyberattack group that engages in highly targeted attacks, typically against C-level executives.

The name DarkHotel references their modus operandi of tracking targets’ travel plans and launching attacks via hotel wifi. They perform massive surveillance activity and use botnets to launch Distributed Denial of Service (DDoS) attacks.

Following are the top vulnerabilities of the hospitality industry.

Card Readers / Point of Sale (POS) Systems

POS systems provide convenient payment throughout the hospitality industry but also increase the potential risk of data breaches. POS devices not only process transactions but can also manage inventory and orders. Furthermore, cybercriminals launch attacks against business systems using POS applications as the entry point.

One area of weakness is when organizations use POS systems with unsecured wifi. It’s relatively easy for a hacker to gain unauthorized access to a device or the entire network this way. Doing so would allow cybercriminals to access customer information, such as payment card information, which could let them make fraudulent transactions.

The devices should have security settings, but POS systems can also have inherent software vulnerabilities that could facilitate a data breach.

Using the default passwords that come with devices like these makes organizations more vulnerable to cyber attacks, particularly considering that each device can typically connect to other POS devices on the network. It only takes one with a problem to increase the risk to the whole organization.

Sometimes, cybercriminals use malware that targets POS systems directly. Malicious software on these endpoints can help cybercriminals collect payment information from devices before the data is encrypted. Cybercriminals may also use tiny physical devices called skimmers to collect payment information.

Hotel Wi-Fi

Hotels typically offer hotel Wi-Fi to guests to provide convenience and enhance the customer experience. However, if the Wi-Fi network is unsecured, cybercriminals can access hotel guests’ phones or the hotel network, which could compromise servers containing personally identifiable information (PII).

Hotel Wi-Fi also invites connections from unknown, unvetted client devices, introducing the risk of malware infection via this attack vector.

Internet of Things (IoT) Devices

Hospitality organizations, particularly in the hotel industry, are increasing their use of Internet of Things (IoT) innovations to improve customer experience and deliver efficiencies.

Examples of such innovations are:

  • Interactive screens where guests can receive personalized greetings, weather, and local information
  • LED lighting that responds to natural daylight
  • Locks using facial recognition to enter buildings and rooms
  • Smart thermostats to reduce energy costs

Even though many IoT applications are related to security enhancements, hoteliers and others in the hospitality industry must not implement IoT solutions without understanding their inherent vulnerabilities.

Every IoT device increases an organization’s attack surface by providing another endpoint that cybercriminals could exploit. Unvetted IoT technology can increase organizational risk in numerous ways, including the following:

  • Added organizational complexity
  • More entry points
  • The use of unsecured wireless technology
  • Potential onboard malware
  • Outdated onboard security
  • Unchanged default security settings

Hotel Websites

Customers expect modern businesses to maintain a presence online. Hotels typically provide up-to-date information and take bookings online to compete in the hospitality marketplace.

However, hotel websites are a potential vulnerability. Cybercriminals may target poorly secured websites to access the organization’s network, steal customer data, or cause business disruption.

In addition, DDoS attacks, in which a bad actor uses malware-infected computers to overload a server with requests, can render a hotel website inaccessible to customers. This could severely damage a business's reputation and revenue when timed to coincide with peak times in a day or even peak days of the season.

Examples of Cyber Attacks in the Hospitality Industry

Here are some examples of cyber attacks and data breaches in the hospitality sector in recent years. Some of the biggest cyber attacks in the hospitality industry include attacks against Starwood and Marriott, Hilton, and Wyndham hotels. It’s worth considering these attacks because they illustrate the potential impact of data breaches in the hospitality sector and the benefits of being prepared for cyber threats.

InterContinental Hotel Group

Recent cyber attacks in the hospitality industry include the attack on InterContinental Hotel Group (IHG), impacting its Regent, Crowne Plaza, and Holiday Inn hotels in 2022. The breach started with the compromise of Starwood’s data and spread to the IHG group, which comprises over 6,000 hotels in over 100 countries. Compromised data included customers’ names and addresses.

Starwood and Marriott Data Breaches

Marriott has faced multiple data breaches over the years. It announced the compromise of one of its reservation systems in November 2018. The breach, discovered in September of that year, affected as many as 500 million hotel guest records, including credit card information and passport numbers.

Having spotted the threat via internal security systems, Marriott determined that its Starwood brand’s reservation systems had been compromised in 2014 — before Marriott acquired Starwood. Investigators discovered a trojan, probably installed after someone clicked a link in a phishing email, and a tool used to find combinations of usernames and passwords in system memory.

Later, the Wall Street Journal reported that Starwood employees had typically found it difficult to secure their reservation system. This difficulty was exacerbated by the laying off of information technology and security personnel when Marriott acquired Starwood in 2016.

Starwood’s malware went undiscovered for four years, which goes some way to explaining why remediating these data breaches is estimated to have cost Marriott more than $500 million. In July 2019, the UK’s Information Commissioner’s Office (ICO) fined the firm more than $120 million for GDPR violations and its failure to do due diligence on Starwood’s IT infrastructure. Furthermore, the firm is likely to have suffered billions in lost revenue.

Hilton Data Breaches

In January 2023, having initially denied being hacked, Hilton admitted that a cyber attack had impacted about half a million reservation records. Hackers claimed to have stolen a database from 2017 and that they had access to names, IDs, reservation data, and tier data regarding guests enrolled in the Hilton Hotel Honors program.

This comes after Hilton was fined $700,000 for two data breaches in 2015, compromising the credit card and other information of 350,000 customers. The fine reflected the fact that investigators discovered malware that targeted credit cards at the end of 2014, but Hilton neither warned its customers nor rectified the vulnerability until 2015.

The source of the attack was malware found in point-of-sale systems at various Hilton hotel restaurants and shops, including Hampton Inn and Suites, Embassy Suites, and Waldorf Astoria. Affected data included cardholder names, security codes, and card expiration dates.

Wyndham Hotels

While it’s not the most recent breach, Wyndham is often cited because it exemplifies how a relatively small data breach can have a massive impact on a business.

Striking three times between 2008 and 2010, cyber attackers compromised about 619,000 customer records, including credit card information. The data breach led to customers losing more than $1.6 million to fraud.

Despite relatively little data being stolen compared to some of the world’s biggest data breaches, the cost of working with regulators may have been just as high as if more data had been compromised.

Wyndham — operator of Days Inn, Super 8 motels, and Ramada — fought with regulators, making it a lengthy investigation. They spent five months gathering information and submitting responses to regulatory demands. There were also seven in-person meetings with the Head of Security. The arduous and no doubt costly investigation period was followed by lawsuits from regulators and private plaintiffs.

The hotel enterprise hired an independent cybersecurity firm to review its security upgrades following the investigation. According to Wyndham, the firm spent over $5 million in legal and vendor fees remediating the data breaches.

However, the real cost of this and other cyber attacks in the hospitality sector must include:

  • Drops in stock price
  • Terminations resulting from negligence
  • Lost revenue
  • Government investigations
  • Regulatory fines
  • Loss of reputation

Reducing the Risks of Cyber Attacks in the Hospitality Sector

Organizations in the hospitality industry can improve their security posture by focusing on preventing cyber attacks and mitigating data breaches should they occur.

As seen in the cases of significant hotels punished by regulators and lawsuits after mishandling data breaches, it is more cost-effective and morally sound to invest in preventative security measures than to rely on responding after an attack has occurred.

Given the current cyber threat landscape, organizations should prioritize prevention while ensuring that sound policies and procedures are in place to limit the cost and damage of successful cyber attacks.

Furthermore, the hospitality sector must appreciate that the cyber threat landscape is constantly evolving. Implementing best cybersecurity practices and continuous monitoring, assessment, and adaptation are essential.

Cybercriminals are constantly updating their techniques and tools, so any targeted industry must be at least equally flexible, alert, and willing to adapt.

How the Hospitality Industry Can Prevent Cyber Attacks

Here are some steps that hospitality businesses can take to minimize the impact and risk of cyber attacks:

Risk Assessments

Businesses wishing to develop or enhance their cybersecurity strategies, policies, and systems should start with risk assessments.

Businesses will have different cybersecurity priorities according to their sizes, locations, cybersecurity maturity, and other factors. It’s essential to start with information-gathering about the cyber threat landscape and the firm’s security posture to make accurate decisions about reducing cyber risks.

Cybersecurity risk assessments need to be performed regularly. Whatever the result of a risk assessment, the cyber threat landscape requires vigilant monitoring so that organizations can stay protected.

Follow Cybersecurity Frameworks

Using a cybersecurity framework can help a business in the hospitality industry develop a robust cybersecurity system to protect the organization, its staff, business partners, and customers.

Businesses frequently use NIST CSF to help establish their cybersecurity policies and procedures as it is comprehensive and adaptable. NIST Special Publication 1800-27 also contains specific guidelines for securing property management systems (PMS) that can help hospitality organizations improve their cybersecurity.

Cybersecurity Training for Staff

Most data breaches involve human error, whether an employee clicks on a phishing link because they don’t recognize a potential scam or shares their access credentials with a colleague because they didn’t realize this would be a cybersecurity risk.

While how the staff interacts with the system can be a vulnerability, cybersecurity training can make an organization’s staff a strong line of defense.

The first step to improving cybersecurity through staff training is to increase cybersecurity awareness. All staff must understand why cybersecurity is important, how people impact the firm’s security, and what they can do to enhance cybersecurity.

Training on cybersecurity best practices should vary according to the risk exposure of different personnel. All relevant personnel must be trained to use POS systems securely since this area of the hospitality industry is particularly vulnerable to cyber threats.

General cybersecurity training might include the following:

  • Logging out of devices before walking away from workstations
  • Using and updating strong passwords
  • Keeping access credentials private
  • How to respond to phishing emails and who to report them to
  • Reporting suspicious activity

Development of a Cybersecurity Culture

Developing a cybersecurity culture takes training further and can deliver long-lasting, enhanced information security for participating organizations.

A cybersecurity culture begins at the C-suite level and trickles down. Someone appointed to lead culture change can then use various methods and resources to share information security messages throughout the organization.

In an organization with a mature cybersecurity culture, information security is a primary topic in meetings at all levels, with incentives and rewards, penalties, ongoing training, drills, and initiatives designed to express the importance of cybersecurity throughout the company.

Continuous Monitoring

Cybercriminals don’t schedule cyber attacks when it’s convenient. Organizations require continuous monitoring to spot threats as soon as they occur. With continuous monitoring, businesses are more likely to identify anomalies and unusual patterns that signify a potential data breach.

Updating Software and Hardware

Hardware and software must be kept up to date to remediate vulnerabilities. Regular software updates will ensure known vulnerabilities are patched as soon as possible.

Threat Intelligence

The hospitality industry can benefit from threat intelligence to ensure that businesses stay updated with the latest hacker activities and cyber risk trends. When the industry is targeted by professional cyber attack groups, such as DarkHotel hackers, investing in threat intelligence to counter targeted spyware, malware, and spear phishing activities is essential.

Access Control

Limiting access to sensitive data to only those who need it is an excellent strategy for protecting data. It reduces the channels through which cyberattackers might achieve unauthorized access and exfiltrate data.

Access control also helps firms identify the source of an attack and contain it since access control limits how it could have occurred.

End-to-End Encryption for POS systems

POS systems are a significant target for cyber attackers since they often have vulnerabilities that can help them access the device, connected devices, and the network itself. Encryption can help solve this problem by making transmitted data unreadable without the decryption key.

Encryption does not solve problems with vulnerabilities on physical devices, such as the possibility of someone hiding skimming hardware on a POS device, but it reduces the chance of the more likely attack, which is via the wireless network.

Strong Passwords

Password maintenance remains one of the best ways for companies to improve their information security. A strong password is difficult for a cybercriminal to guess or crack with the help of AI. This means using combinations of alphanumeric characters, symbols, and numbers. A mix of uppercase and lowercase letters makes passwords more difficult to crack, as does using non-dictionary words.

Data Limitation

Data can’t be compromised if it does not exist. By collecting and retaining as little data as possible, an organization can significantly lower the impact of a data breach. Therefore, organizations should destroy data securely as soon as it is no longer needed.

Testing Cybersecurity

Cybersecurity is not a one-off activity. Since cybercriminals are working hard to find new ways to exploit systems and steal data, highly targeted industries like hospitality need to maintain their cybersecurity systems.

This means regularly testing the effectiveness of their technology and assessing it in the context of the evolving cyber threat landscape. Many organizations solicit help from external cybersecurity experts to audit their cybersecurity systems.

Supply Chain Risk Assessment

Businesses increasingly realize that their attack surface extends to their suppliers (third-party risk) and those who supply their suppliers (fourth-party risk). Identifying, assessing, and monitoring the entire supply chain can be challenging.

Each part of the supply chain carries inherent risk, which entails significant risk to all businesses that rely on others for manufacturing, products, and services. Assessing the supply chain and collaborating to mitigate or remediate risks is a good move for the whole industry.

Hospitality businesses can reduce the risk of data breaches by vetting third-party vendors and limiting the use of third-party apps, such as those for hotel management or online bookings.

How Hospitality Businesses Can Respond to Data Breaches

In most cases, avoiding a data breach is far cheaper than repairing one. However, data breaches are an increasingly common part of life in the hospitality industry, and an organization must have a plan for how it will respond. A prompt and effective response can save a business from significant financial losses, loss of reputation, or even failure.

Incident Response Team

If a cyber attack takes place, someone needs to lead the response. With an established incident response team, a business knows the roles, responsibilities, and contact details of the stakeholders who will lead the mitigation effort.

Leading the team might be someone in a Chief Information Officer (CIO) or Chief Information Security Officer (CISO) role. The important thing is that staff knows which decision-makers are responsible for cybersecurity and where to go if something looks suspicious.

The response team should comprise executives and managers from multiple important parts of the organization to ensure a company-wide response. These stakeholders might include:

  • Chief Information Security Officer (CISO)
  • Head of IT Security

A firm’s response to a cyber attack is critical. For example, while Wyndham Hotels faced significant penalties due to its aggressive stance and lack of self-reporting after the data breaches, the responsiveness of its board and its numerous meetings about the breaches went in its favor in court.

Incident Response Plan

An incident response plan documents a business's steps following a security incident. The document should include responses to various incidents as identified during risk assessments.

The document typically begins with the incident response team's roles, responsibilities, and contact details — the people leading the response. Each set of guidelines needs to be written with enough clarity and detail that anyone in the organization can follow the plan.

An incident response plan is vital because firms with incident response plans have significantly lower costs after a data breach. With a plan, a business can react more quickly and effectively to:

  • Identify the problem
  • Contain the breach
  • Notify regulators, staff, and franchises
  • Inform business partners
  • Make an announcement to the press and customers, where required
  • Work with local, state, or federal authorities to limit the cyber threat

All organizations should back up mission-critical data. It’s better to have backups and not need them than to need them and not have them.

An organization can restore business functionality via backups if a ransomware attack encrypts essential files. Using cloud-based providers for data backup means that this data can be stored offsite and on a different network, keeping it safe from attack and accessible from any location. If the business needs to relocate to remediate a cyber threat, it can restore its systems using cloud backups.

Event logging keeps track of who uses a network at any given time. When it’s time to analyze unusual network behavior or identify the attack vectors of a cyber attack, event logs provide cybersecurity professionals and digital forensics experts with valuable information.

Event logs help organizations respond more quickly to cyber incidents by helping the incident response team or cybersecurity experts identify, contain, and mitigate a breach.

Anti-Malware

Antimalware is an essential layer of defense against cyber attacks. Ensuring that antimalware databases are as up-to-date as possible is critical, so regular maintenance is essential.

Firewalls monitor and filter everything attempting to enter a network and all transmissions that attempt to leave it according to the organization’s network security policies. Along with antimalware, they are an essential component of network security.

Cyber Insurance

Cyber insurance, typically excluded from general liability insurance, covers a business’s liability in the context of a data breach involving the compromise of sensitive data. Financial assistance to cover the cost of data breach remediation, regulatory penalties, and lawsuits can help a business recover.

A hospitality business can attract lower premiums from cyber insurers by improving its security posture and lowering risk. The activities in this post's data breach prevention section can help an organization reduce cyber insurance premiums.

Reviewed by

Axel Sukianto


Cybersecurity in the Hospitality Industry: Your 2024 Guide

The hospitality industry is vulnerable to data breaches and cyberattacks. Learn more about the importance of cybersecurity and the cybersecurity roles you could explore to help safeguard these businesses from cybercriminals.


The hospitality industry strives to provide an exceptional guest experience, and building and sustaining an impeccable reputation is critical. Integrating emerging technologies and relying on vast amounts of customer data to help improve the guest experience also leaves the industry vulnerable to bad actors.

Worldwide, a single data breach cost an average of $4.45 million in 2023, according to data from IBM [1]. Worse, it could have a lasting impact on the reputation of the restaurant, hotel, entertainment venue, or other hospitality-oriented business, underscoring cybersecurity's vital nature in the hospitality industry.

Let’s examine the pivotal role cybersecurity plays in protecting consumer data and the revenue and reputation of hospitality-oriented businesses in more detail. Explore some of the threats these companies face in 2024 and the jobs you might consider pursuing to help keep the industry and its customers safe from cyberattacks. 

Why is cybersecurity important in the hospitality industry?

This sector collects and stores data on millions of travelers and patrons daily. The hospitality industry is home to businesses in various categories, including lodging, food and drink, recreation, and entertainment, all of which handle their guests’ sensitive information, including credit cards and personal identifiers like names and addresses. Given the broad array of businesses that fall under this umbrella, it's not surprising that the sector collects and works with vast amounts of data. Notably, the sector continues growing at an impressive rate, with Reportlinker estimating it will reach a market value of more than $6.7 billion by 2026, with a 10.2 percent compound annual growth rate (CAGR) [2].

Safeguarding that data in a market that continues growing is vital. A single cyberattack or data breach could cause a ripple effect that leads to a loss of trust and significant damage in terms of both the brand’s reputation and the resulting revenue losses. 

Let’s examine a few compelling reasons driving the need for cybersecurity in the hospitality industry.

Protect guests’ data and information.

Guests expect hotels and other hospitality businesses to protect their sensitive data. That includes names, addresses, dates of birth, and credit card information—all of which cybercriminals could use to steal guests’ identities or sell their information on the dark web.

Mitigate financial losses

Research from cybersecurity service provider Trustwave in its 2023 Hospitality Sector Threat Landscape report shows that 31 percent of hospitality businesses have experienced a data breach. Among them, 89 percent experienced repeat breaches, with the per-breach cost averaging $3.4 million [3].

Prevent business disruptions and damaged reputations.

Financial costs related directly to the attack or breach are only the beginning of the potential implications. Phishing, distributed denial of service (DDoS), spoofing, and ransomware also can disrupt operations. Worse, they can erode public trust and tarnish the brand’s reputation, leading to potentially significant revenue losses and recovery challenges in the form of lawsuits and fines. 

Prepare for the future.

Cybercrime is already a significant threat and continues growing as hotels and other hospitality businesses embrace emerging technologies. Globally, cybercrime will continue wreaking havoc. According to predictions from Cybersecurity Ventures, it will increase by 15 percent annually from 2020 through 2025, with cybercrime-related costs totaling an estimated $10.5 trillion in 2025, compared to $6 trillion in 2021 [4]. Implementing robust measures is critical to protect the business from the ripple effects that can create widespread damage after a breach.

Types of cybersecurity threats expected in the hospitality industry

To avoid and reduce the risk of cyberattacks, you must first understand the threat landscape. Hospitality businesses collect various data types, including guests’ names, addresses, email addresses, passport information, dates of birth, and credit card details. Additionally, they have many vulnerabilities, including the need for more staff training, the rise of contactless check-ins, and the use of third parties. 

Some typical types of cybersecurity threats the hospitality industry faces include the following:

DDoS: During a DDoS attack, attackers overrun a system with connection requests. Because the volume exceeds the system’s capabilities, it causes lagging responsiveness and interruptions in service that can severely impact the customer experience.  

Phishing: This sneaky form of a cyberattack often occurs through emails that appear to come from a trustworthy sender, such as a manager or hotel CEO. The goal of these emails is to trick the recipient, which could be an unsuspecting guest or employee, into clicking a link or divulging personal details.

Network breaches: Hotels, restaurants, and entertainment venues often provide guests with wireless internet service. Additionally, hospitality businesses rely on the internet and connected devices like interactive in-room screens and smart thermostats, leaving the company and its guests vulnerable to bad actors breaching the network. In turn, it opens the possibility of malware and rogue access points (also sometimes called “spoofing”) that allow criminals to steal information. 

Ransomware: During this type of cyberattack, criminals deploy malware to infect systems and files, essentially locking staff and businesses out and preventing them from accessing them. In these cases, cybercriminals typically contact the company and demand a ransom, threatening to otherwise exploit or destroy the information. 

What it's like to work in cybersecurity in hospitality

To reduce cyber threats and minimize the potential effects of a cyberattack in the hospitality industry, cybersecurity professionals can anticipate performing several duties, including conducting routine risk assessments to identify weaknesses and monitor threats. Additional tasks may include the following:

Develop cybersecurity procedures and policies.

Work with other staff and team members to minimize risks.

Train staff to increase awareness regarding threats and improve employee responses in the event of an attack.

Contribute to the business-wide development of a cybersecurity-focused company culture.

Create frameworks and systems to limit access to sensitive or protected information and data.

Provide continual monitoring and regular updates to hardware and software.

Remain up-to-date on evolving and emerging threats for more effective, dynamic threat protection.

Perform cybersecurity tests to ensure protective measures guard against current threats.

Cybersecurity careers: salary and job outlook information 

A 2022 study conducted jointly by Coleman Parkes Research and Rackspace Technology surveyed more than 1,400 IT decision-makers worldwide in various industries, including hospitality. Among the respondents, 59 percent indicated that cybersecurity was a top concern for their C-suite executives, citing protecting critical data, managing risks, and mitigating threats as some of the top priorities [5].

The company’s 2024 IT Outlook Report, conducted jointly with VMware and Dell Technologies, revealed that 41 percent of companies surveyed struggle to hire skilled cybersecurity experts [6]. Combined with the US Bureau of Labor Statistics’s prediction that jobs in information security will grow by 32 percent between 2022 and 2032 [7], it becomes clear that the job outlook for cybersecurity careers should remain positive for years to come.

Although your salary will vary depending on various factors, including your experience level and employer, the average salary for an information security analyst is $119,693.51, according to data from Lightcast™ [8].

Essential skills needed

The pervasive skills gap across all industries is another vital factor driving demand for skilled cybersecurity professionals. Technological research firm Gartner anticipates that the lack of talent will drive more than half of cybersecurity incidents by 2025 [9]. Additionally, Cybersecurity Ventures points out that cybersecurity vacancies have increased exponentially. In 2013, global vacancies totaled approximately one million. The company predicts the number will continue growing exponentially, likely totaling 3.5 million in 2025 [10].

For those with the relevant skills, job opportunities are bountiful. The list below shows the various technical and workplace skills worth cultivating to help drive your success.

Workplace skills

Being able to ask the right kinds of questions, think on your feet, and communicate your findings to others are among the critical skills you will need to succeed in hospitality cybersecurity roles. Others include:

Critical thinking

Collaboration and teamwork

Communication

Presentation skills

Problem-solving

Technical skills

Although workplace skills are also critical, your technical skills will differentiate you from the crowd and help you be effective in your organization’s fight against cybercrime. Some of the technical skills you need include:

Coding expertise and familiarity with languages such as Java, C#, PHP, and Python

Knowledge of operating systems and point-of-sale (POS) systems

Experience with cybersecurity frameworks

Familiarity with threat modeling and assessments 

Understanding of network infrastructure and ethical hacking

Application development and cloud security 

Basic vulnerability testing experience

Knowledge of access management and data storage systems

How to gain the skills you need for cybersecurity in the hospitality industry

Cybersecurity offers a varied career path within the hospitality industry and across all sectors. Regardless of whether you opt to get a degree or not, building a sharp skill set and committing to ongoing learning to keep those skills fresh in the face of evolving threats is critical. 

Let’s look at several ways you can build your skills.

Although only some employers require a degree, it can offer an excellent starting point, particularly if you want to build a robust foundation of knowledge. A bachelor’s degree in a field like information security or computer information systems can offer a valuable combination of theoretical and practical knowledge. If you’re deciding whether to get a degree, it may be helpful to know that, according to data from Zippia, 61 percent of cybersecurity analysts have a bachelor's degree, with 15 percent having a master's and 19 percent getting their associate degree [11].

Work experience

Employers value hands-on experience. Becoming familiar with tools such as penetration testing platforms and intrusion detection systems can help you gain a role within hospitality cybersecurity. Although some entry-level jobs will require a bachelor’s degree, others, including cybersecurity roles like junior penetration testers and cybersecurity specialists, may be open to you regardless of your degree status.

If you are shifting careers, entering cybersecurity without a degree, or interested in expanding your skills, a bootcamp can be an efficient way to do so. These accelerated learning programs typically offer a focused, skills-based curriculum designed to get you career-ready in a relatively short time. Bootcamps are intensive programs that usually include a mix of preparation for certifications and hands-on experience, with program durations spanning a few months up to two years. 

Certifications

Whether you have forgone your degree entirely or are switching careers from another area of IT or another field, getting relevant cybersecurity certifications can boost your resume. Some of the top options available include the following:

Certified Information Systems Security Professional (CISSP)

CompTIA Security+

Certified Ethical Hacker (CEH)

Getting started with cybersecurity careers

Cybersecurity careers, including those within hospitality industry job roles, may be virtually future-proof options. Given the growing demand, a widening skills gap, and the continual evolution of technology, the future for those with the skills and knowledge remains promising. Start preparing with online courses, which make exploring issues within hospitality and cybersecurity easy. 

For example, you can build a foundation in hospitality-related history and current problems with a course like Introduction to Hospitality Management in the 21st Century. This course from Starweaver helps guide learners through hospitality principles and the industry’s leading challenges and opportunities. You can also immerse yourself in building cybersecurity skills with the beginner-friendly Google Cybersecurity Professional Certificate, which can help you achieve your career goals. You’ll find these programs and more on the Coursera learning platform.

Article sources

IBM. “Cost of a data breach 2023, https://www.ibm.com/reports/data-breach.” Accessed March 14, 2024.

GlobeNewswire. “Hospitality Global Market Report 2022, https://www.globenewswire.com/news-release/2021/12/29/2358663/0/en/Hospitality-Global-Market-Report-2022.html.” Accessed March 14, 2024.

Trustwave. “2023 Hospitality Sector Threat Landscape, https://www.trustwave.com/hubfs/Web/Library/Documents_pdf/2023_Trustwave_Hospitality_Sector_Threat_Landscape_Executive_Summary_Infographic.pdf.” Accessed March 14, 2024.

Cybercrime Magazine. “Cybercrime to Cost the World $10.5 Trillion Annually by 2025, https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/.” Accessed March 14, 2024.

Rackspace Technologies. “Cybersecurity Annual Research Report 2022, https://www.rackspace.com/sites/default/files/2022-09/Cybersecurity-Annual-Research-Report-2022.pdf.” Accessed March 14, 2024.

Rackspace Technologies. “The 2024 IT Outlook Report, https://www.rackspace.com/resources/2024-it-research-report.” Accessed March 14, 2024.

US Bureau of Labor Statistics. “Occupational Outlook Handbook: Information Security Analysts, https://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm.” Accessed March 14, 2024.

Lightcast™ Analyst. “Occupation Summary for Information Analysts.” Accessed March 14, 2024.

Gartner. “Gartner Predicts Nearly Half of Cybersecurity Leaders will Change Jobs by 2025, https://www.gartner.com/en/newsroom/press-releases/2023-02-22-gartner-predicts-nearly-half-of-cybersecurity-leaders-will-change-jobs-by-2025.” Accessed March 14, 2024.

Cybercrime Magazine. “Cybersecurity Jobs Report: 3.5 Million Unfilled Positions in 2025, https://cybersecurityventures.com/jobs/.” Accessed March 14, 2024.


Coursera staff.

Editorial Team


https://www.nist.gov/blogs/cybersecurity-insights/essential-cybersecurity-hotel-tech-community

Cybersecurity Insights

a NIST blog

Essential Cybersecurity for the Hotel Tech Community

In recent years criminals and other attackers have compromised the networks of several major hospitality companies, exposing the information of hundreds of millions of guests. [1] A hotel property management system (PMS) is a prime target for attackers – it serves as the information technology operations and data management hub of a hotel and could give a criminal access to a trove of valuable data. To address these challenges, NIST’s National Cybersecurity Center of Excellence (NCCoE) collaborated with the hospitality business community and cybersecurity technology providers to demonstrate how to strengthen the cybersecurity of these systems and protect the data they process.

The NCCoE collaborated with leading hospitality organizations and technology vendors to develop an example solution demonstrating how hotels can secure their PMS and its connections to internal and external third-party systems such as electronic room-key systems, onsite vendor technologies like restaurant and banquet cash registers, guest Wi-Fi, and smart rooms.

This project’s goal is to share best practices for protecting a PMS ecosystem by applying the modular example solutions presented in Securing Property Management Systems, using commercially available technology that hospitality property owners and managers can implement.

Practitioners will find value in the featured cybersecurity approaches, which include the tenets of zero trust security, moving target defense, tokenization of credit card data, and role-based authentication to help reduce the risk of a network intrusion compromising the PMS. This guide describes risk reduction in terms found in the NIST Cybersecurity Framework and offers a brief exploration of the NIST Privacy Framework.

The draft practice guide covers how to:

  • ensure only personnel with a business need are able to access the PMS
  • increase overall PMS security situational awareness, and
  • limit PMS exposure during incidents in systems that interface with it

According to Morphisec’s Hospitality Guest Threat Index, approximately 70 percent of consumers don’t feel confident about hotels’ current investments in cybersecurity. Proactively addressing this challenge is an investment that will assist in earning the trust of the most valued part of your business – your customers.

The team that created the guide is interested in receiving feedback on whether the topics and solutions proposed are useful to you and your hotel's security team. Share your thoughts during the project’s public comment period, and join our Community of Interest (hospitality-nccoe [at] nist.gov), where hospitality industry professionals share business insights, technical expertise, challenges, and perspectives to help guide NCCoE projects.

[1] https://www.hotelnewsnow.com/Articles/50937/Timeline-The-growing-number-of-hotel-data-breaches

About the author

Marisa Harriston

Marisa Harriston is a Senior Communications and Outreach Strategist for the MITRE Corporation. She has worked with NIST staff at its National Cybersecurity Center of Excellence on projects in the areas of hospitality, mobile device security and finance. She has more than 10 years of digital communications experience in support of the nonprofit and public sectors.


A Complete Guide to Cybersecurity in the Hospitality Industry

Stephen Alemar

As technology becomes more advanced, so does cybercrime. And that means cybersecurity in the hospitality industry has never been so critical.

It’s a hard truth that hotels are slow when it comes to technological advancement. This is beginning to change, however, as hoteliers realize the dangers of cybercrime. The impacts of a data breach or payment card fraud, for example, are far-reaching, damaging, and costly. It’s not only your pocket that takes a hit but also your reputation. 

Understanding cybersecurity, the risks associated with cybercrime, and the technology at your fingertips is your best bet to avoid becoming a victim.

What Is Cybersecurity & Why Is It Important to the Hotel Industry?

Hotels sit on a mountain of sensitive guest data. This data could be useful for criminals looking to steal identities, passwords, and ultimately money. 

Unfortunately, most hotels and businesses have multiple weak spots for fraudsters to take advantage of, whether it be your technology, passwords, or employees. Human error is one of your greatest risks. 

The term cybersecurity, then, encompasses all the steps you take to keep your guest and client information secure and encrypted. 

One of the best ways of protecting guest and client data is maintaining Payment Card Industry Data Security Standard (PCI DSS) compliance. This is a requirement for all businesses that handle payment card data and comprises a set of rules and regulations. 

Unfortunately, many hotels are not PCI compliant without knowing it. Perhaps they are still using paper authorization forms, or maybe they have a weak password policy (for example, not using two-factor authentication).

Protecting your guest and client data is imperative, not only to avoid breaches and penalties but to improve your guest experience. Fifty-six percent of travelers say they are somewhat concerned about the privacy and security of their data provided to hotels. Twenty percent said they were very concerned.

9 Cybersecurity Threats To Watch Out For  

Cybercrime can come from all directions, which is why it’s important to familiarize yourself — and your staff — with each type. Knowing the signs could help you stop cybercrime in its tracks and protect your business (and guests).

1. PDF Authorization Forms Emailed Back & Forth 

PDF authorization forms are still used today but they’re not PCI DSS compliant. This means that should a breach occur while you’re using PDF forms, you’ll be liable and could have to pay a hefty penalty. 

PDF forms can pose a serious security risk, especially if they are not properly secured and stored. Say a hotel guest fills out a PDF form containing their payment information and sends it to your hotel over email. That email is then intercepted by a fraudster who steals the credit card information. You’d be in a lot of hot water. 

The best way to avoid instances like this is to employ a digital solution. Canary’s Digital Authorizations, for example, allows your guests to enter their credit card information via a secure PCI Level-1 form.


2. Social Engineering

Cybercriminals use social engineering to manipulate individuals — like your employees — into giving away sensitive information. For hotels, this could look like someone posing as a hotel staff member or tricking guests into revealing their information or clicking malicious links.

Here are a few social engineering examples:

  • Phishing: Phishing is a very common social engineering attack and occurs mainly via email. These are emails that seem to come from a trusted source, like your CEO, to trick you into clicking a link, transferring money, or providing personal information. 
  • Baiting: Baiting is where a cybercriminal offers something of value — like a gift — to lure someone into clicking a malicious link.
  • Watering hole attacks: In a watering hole attack, cybercriminals compromise your hotel website by injecting malware. This means that when guests use the website their devices could be infected too.
  • Pretexting: In this example, a cybercriminal could pose as an IT technician to gain access to a secure network. 
  • Tailgating: A cybercriminal could follow a hotel guest or employee into a secure area of the hotel and gain access to sensitive information or systems. 

3. Insider Threats

Cybercrime can originate from your employees or contractors, believe it or not. Insiders with authorized access can steal sensitive guest information or trade secrets. Here are a few ways cybercrime could occur from the inside:

  • Negligent behavior: An employee could accidentally leave their computer unlocked or fail to follow security procedures, resulting in a security breach.
  • Employee theft: An employee could steal credit card information for personal gain or sell some to a third party.
  • Malicious insiders: An employee with malicious intent could intentionally cause harm to your hotel’s systems by installing malware or deleting important files. 
  • Third-party contractors: Third-party contractors could pose a risk especially if they do not follow security protocols. 

4. Payment Card Fraud

Payment card fraud is where cybercriminals make unauthorized purchases or withdrawals. There are a few ways they can achieve this:

  • Point-of-Sale (POS) malware: Cybercriminals could install a malicious piece of software on your POS system. They can then steal payment information as payments are processed. 
  • Man-in-the-Middle (MITM) attack: This is where a cybercriminal intercepts and alters the communication between your hotel and your payment processor. They can then steal payment information.
  • Phishing: Cybercriminals use phishing to trick employees or guests into handing over their payment card information, or clicking a link to a fake website.
  • Skimming: Skimming is where cybercriminals use a small electronic device to steal payment details. All they need to do is place this device on a card reader to get the data. 

5. Insecure Wi-Fi Networks 

Every hotel nowadays offers free Wi-Fi to guests, but these networks may not always be secured properly. An unsecured network can lead to cyberattacks, primarily targeting your guests. There are a few ways insecure Wi-Fi networks could lead to cybercrime:

  • Rogue access points: A cybercriminal could set up what’s called a “rogue access point”. This is what looks like a legitimate hotel Wi-Fi network, except when a guest tries to connect the cybercriminal steals their sensitive data. 
  • Malware infections: Unsecured Wi-Fi networks can also be used as a vector to distribute malware to unsuspecting guests, infecting their devices and potentially stealing their personal information.
  • Man-in-the-Middle (MITM) attack: In this case, a MITM attack could entail a cybercriminal intercepting unencrypted Wi-Fi traffic to steal personal details. 

6. Ransomware 

Ransomware is a type of malware that is designed to encrypt a victim's data and demand payment in exchange for the decryption key. Here are a few examples of ransomware attacks in the hospitality industry: 

  • Rosen Hotels & Resorts: In 2016, Orlando, Florida-based hotel chain, Rosen Hotels & Resorts experienced a ransomware attack. The cybercriminals demanded a ransom of $2,000 but the company refused to pay. The breach resulted in the theft of guest credit card information.
  • Marriott International: In 2020, Marriott International suffered a major data breach which exposed the personal information of over 5 million guests. This was a result of a ransomware attack that targeted their third-party vendor.
  • Romantik Seehotel Jaegerwirt: In 2017, the Austrian hotel, Romantik Seehotel Jaegerwirt was locked out of its computer systems as a result of a ransomware attack. Their keycard system was disabled, preventing guests from accessing their rooms, and their reservation system was taken offline. In this case, the hotel paid the ransom of $1,500 to recover access to their systems. 

7. Employee Turnover

The hospitality industry experiences extremely high turnover rates and this can pose a cybersecurity threat for hotels. 

Employees could take sensitive data with them when they leave, or retain access to hotel systems and data. To avoid data breaches or other security issues, hotels must take steps to mitigate risk when employees leave. This could mean creating a common procedure for disabling access to systems, providing extensive training, or monitoring access to systems and data. 
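A sketch of the access check such an offboarding procedure could include, as an added example that is not part of the original article: it compares an HR leaver list with account exports from hotel systems and flags accounts that are still enabled, or that logged in, after the employee's last day. The CSV layouts, system names and all records are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date, datetime

# Constructed HR export: one row per departed employee.
HR_TERMINATIONS = """employee_id,name,last_day
E1001,Front Desk Agent A,2024-03-01
E1002,Night Auditor B,2024-03-15
"""

# Constructed account export gathered from several hotel systems.
ACCOUNTS = """system,username,employee_id,enabled,last_login
PMS,fd.agenta,E1001,true,2024-03-09T22:14:00
POS,fd.agenta,E1001,false,2024-02-28T18:00:00
PMS,na.auditorb,E1002,false,2024-03-14T06:30:00
KeyCard,na.auditorb,E1002,true,
PMS,gm.managerc,E1003,true,2024-03-20T09:00:00
"""


def audit_offboarding(hr_csv: str, accounts_csv: str, as_of: date) -> list:
    """Return (system, username, issue) for accounts of employees who have left.

    Issues:
      ENABLED_AFTER_EXIT - account is still enabled after the last working day
      LOGIN_AFTER_EXIT   - account was used after the last working day
    """
    exits = {
        row["employee_id"]: date.fromisoformat(row["last_day"])
        for row in csv.DictReader(io.StringIO(hr_csv))
    }

    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        last_day = exits.get(acct["employee_id"])
        # Skip current staff and people whose last day has not passed yet.
        if last_day is None or last_day >= as_of:
            continue

        ident = (acct["system"], acct["username"])
        if acct["enabled"].strip().lower() == "true":
            findings.append(ident + ("ENABLED_AFTER_EXIT",))

        # An empty last_login means the system recorded no login at all.
        if acct["last_login"]:
            last_login = datetime.fromisoformat(acct["last_login"]).date()
            if last_login > last_day:
                findings.append(ident + ("LOGIN_AFTER_EXIT",))
    return findings


if __name__ == "__main__":
    for system, username, issue in audit_offboarding(
            HR_TERMINATIONS, ACCOUNTS, as_of=date(2024, 3, 21)):
        print(f"{issue}: {username} on {system}")
```

A login after the last day is the more urgent finding, since it shows the retained access was actually used; an enabled but unused account is the gap to close before that happens.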

8. Human Error 

Human error is a widespread issue in the hospitality industry (or any industry for that matter!). Examples could be an employee accidentally misconfiguring a system, falling for a phishing scam, or sharing guest information. 

But what are the most common reasons for human error?

  • Lack of training: Cybersecurity training is essential to avoid breaches but many employees are undertrained in this area.
  • Weak passwords: Employees might use weak or easily guessable passwords. Ensure they understand how to create strong passwords.
  • Misconfigured systems: Hospitality companies may use complex IT systems to manage guest data, reservations, and payments. If these systems are misconfigured or not properly secured, they can be vulnerable to cyber-attacks.

9. DDoS (Distributed Denial of Service)

In a DDoS attack, a large number of internet-connected devices are used to flood a target website or network with traffic, making it inaccessible to legitimate users. This can result in service disruptions and damage to the reputation of the targeted company.

The hospitality industry is particularly vulnerable to DDoS attacks due to its reliance on online reservations, payments, and customer feedback. If these services are unavailable or slow, it can negatively impact the customer experience and damage the reputation of the business.

How To Prevent Data Breaches in the Hospitality Industry

Maintain PCI DSS Compliance

PCI compliance is critical in the world of cybersecurity. There are many tasks that go into becoming and staying compliant, including:

  • Replace paper/PDF authorization forms with a digital solution
  • Create an internal data security policy 
  • Create a cyber incident response plan
  • Perform risk assessments
  • Implement a security awareness program

Physical Security Measures 

Physical security measures play an important role in preventing data breaches in your hotel. This is so that cybercriminals cannot just walk into secured areas and steal information.

It’s essential to protect all of your devices and systems that store and transmit sensitive information. You can do this by:

  • Limiting physical access to certain areas
  • Securing all devices with cable locks, security plates, or secure cabinets
  • Installing security cameras: Security cameras in the areas where sensitive information is stored or processed (such as your front or back offices) can deter attackers and give you evidence should a breach occur 

Swap Paper/PDF Forms for a Digital Solution 

Paper or PDF authorizations are not secure (as we’ve mentioned). Replace them with a digital solution like Canary Digital Authorizations to protect your guests’ sensitive information.

With this technology, you can also track all authorizations in a dashboard and retrieve vital information in the case of a chargeback. 

Recurring Employee Training 

It's not enough to train employees on cybersecurity once and then be done with it. Employees should receive training at least once per year to ensure information remains fresh in their minds and that they are aware of any new developments in cybercrime or cybersecurity. 

Go a step further and provide your workforce with resources such as ebooks, videos, and a help center so they can learn how to report suspicious behavior or breaches. 

Internal Security Policy 

On top of recurring employee training, it’s important to create an internal security policy. This is where you can provide guidelines and procedures for your employees to follow. 

A good internal security policy helps you define roles and responsibilities for your staff and creates a security-first culture at your property.

Final Thoughts

The dangers — and prevalence — of cybercrime mustn't be understated. It’s a serious issue within the hospitality industry and hotels must take the appropriate steps to protect themselves and their clients.

Methods to avoid breaches include maintaining PCI DSS compliance, implementing physical security measures, swapping paper or PDF authorization forms for a digital solution, creating a cybersecurity training program for employees, and implementing an internal security policy.

Hotels in hackers’ sights as technology replaces personal touch


Alice Hancock


Hotels and hospitality businesses are now the third most targeted by cyber attackers of all industry sectors. Despite being bricks-and-mortar enterprises — set up for physical enjoyment of their amenities — they have become a rich mine of data for hackers with nefarious intentions.

Before Covid-19 forced hotels into a two-year period of on-off closures, they were the victims of 13 per cent of cyber compromises, according to Trustwave’s 2020 Global Security Report — ranking just a little lower than retail and financial services companies.

And with hotels facing a difficult pandemic recovery and acute staff shortages, the increased use of technology to replace face-to-face services such as check-in and on-site payments has only raised this risk.

“Historically, hospitality has been a personal service but I think they have started to realise that technology can facilitate a lot of that,” says Tristan Gadsby, chief executive of hospitality consultancy Alliants.

What would previously, for example, have been an in-person chat or phone conversation, Gadsby notes, is now more often a virtual chat exchange. “We are seeing three times as many messages being sent post-Covid, compared to pre-Covid, per guest.”

In a sign of the times, the US commerce department last year issued its first set of guidelines for how hotels should secure customer data and critical software systems.

Meanwhile, authorities monitoring Covid’s spread have also required more data from hotels — including guests’ contact details and health status.

Thomas Magnuson, founder of Magnuson Hotels, an umbrella company for hundreds of independent establishments, says his company tries to take minimal information from guests as “sometimes, when you travel, you feel like it is the biggest data grab of all time”.

Hackers see international hotel chains, which process a huge volume of transactions, as easy pickings. Hotel groups also run valuable loyalty schemes with millions of members, who give up their data in order to earn points and improve their stays.

One of the most high-profile cyber incidents in recent times was the breach of Starwood’s database in 2014, before the group was bought by Marriott, the world’s largest hotel chain. That hack, which was only discovered after the deal, exposed the data of about half a billion customers, Marriott said, when it revealed the impact in 2018.

In a test case for Europe’s then relatively new General Data Protection Regulation (GDPR), Marriott was subsequently fined £18.4mn by the UK data regulator, acting on behalf of the EU — much less than the £99mn penalty originally threatened.


Marriott — which says in its privacy statement that it collects 15 different types of data throughout a guest’s stay, from email addresses to passport information and preferred languages — has since “redoubled” its efforts “to detect and respond to threats”, according to Arno Van der Walt, its chief information security officer.

The company sped up planned investment into data security and improved technology, such as software that detects suspicious cyber behaviour in real time, Van der Walt adds.

Yet hotels can be vulnerable to a range of cyber attacks, from ransomware to more specific intrusions, such as DarkHotel, a type of hack that targets high-level business guests through a hotel’s WiFi network.

Luxury hotels are a particularly tantalising pool for criminals. In August 2020, scammers hacked into London’s Ritz hotel’s restaurant reservation system in an effort to convince guests to pass over their valuable payment details.

“The volume of data that [hotels] have is legend, therefore their data retention procedures need to be really up to scratch,” stresses Fedelma Good, co-lead of PwC’s data protection practice.

As cloud computing services have expanded, hotels have pushed more data storage towards external holders such as Amazon Web Services or Oracle — a move that at least means systems are being overseen by software experts, executives say.

Many hoteliers additionally employ third-party agencies to manage credit card details and keep different forms of data separate: “At the press of a button, I can tell what time [a guest] checked in, what time he left, what time he had lunch,” says Sean McKeown, company secretary of Irish hotel group Dalata. “I have CCTV, but it’s not all in one place.”

However, staying safe does not come cheap for already cash-strapped hotels. Gadsby says running just one penetration test to find vulnerabilities in computer systems can cost up to $25,000.

Training staff is crucial. Several hotel executives point out that it is when staff are handling customer details that information is most likely to slip out.

“You wouldn’t dream of appointing an executive head chef who didn’t understand hygiene, so why would I appoint a head of marketing who didn’t have an acute understanding of data protection?” asks McKeown. He says Dalata has spent tens of thousands on upgrading information security systems and training employees.

GDPR has forced companies to adopt much higher standards when it comes to data protection. But Good points out that, for hotel groups with large cross-border footprints, making sure they comply with regulations in every jurisdiction is “a real challenge”.

Magnuson believes hotels should simply demand less data and not monetise it in vast loyalty programmes, as the big global chains do. Hilton, for example, raised $1bn during the pandemic just by selling advance loyalty points to its credit card partner American Express.

“They talk about their millions of rewards owners and number of associated points and those are specifically valued assets,” Magnuson observes.

And with guests demanding an increasingly personalised and individually-tailored service, particularly from the well-known hotel brands, data is likely to remain a precious commodity in need of protection.

As Marriott expands online services — from phone notifications about when your room is ready, to using your mobile to unlock your door — Van der Walt says the company remains “laser focused” on the increasingly complex cyber environment: “This is a race that doesn’t really have a finish line, hacks remain a threat.”

The 4 biggest cybersecurity threats facing the tourism industry in 2022

There’s no sector technology hasn’t disrupted — and tourism is no different. Advances in IoT and contactless solutions when it comes to mobility, hospitality and more mean better customer experiences for travellers than ever before.

But advances in tech also open up new opportunities for hackers to exploit victims and steal personal customer data. In 2021, the Cyber Security Agency of Singapore (CSA) received 1,238 reports of cybersecurity incidents from businesses and other organisations, an increase from the 972 reports it received in 2020.

This has also been made far worse by Covid-19; although travel came to a standstill during lockdown, people spent more and more time online, allowing hackers to perfect their craft.

“Cybercriminals capitalised on the widespread anxiety and fear wrought by the pandemic to conduct phishing campaigns and ransomware attacks for financial gain,” writes David Koh, Commissioner of Cybersecurity and Chief Executive of the CSA.

So what are the cybersecurity challenges threatening the global tourism industry in 2022? We dive into four of the biggest, and define some steps you can take to protect your business and customers. Keep in mind, these steps need not involve costly systems, but rather boosting education and awareness amongst your staff and putting in place regular checks and a clear strategy.

QR code hacks

Quick response (QR) codes are nothing new, but they’re becoming more widely adopted as a contactless solution. They work similarly to a URL shortening service; once scanned via a smart device, a user is instantly granted access to information, such as a webpage or WiFi password.

But they’re also a new point of exploitation for hackers. “QR code technology is safe in itself, but as reliance on it grows, cybercriminals are taking note,” says Anna Chung, Principal Cybersecurity Researcher at Palo Alto Networks. “These codes could offer an entryway to potential cyberattacks because they don’t provide visibility into the webpage, application, etc behind them. Instead, they automatically redirect users to web pages, app stores to download apps, make payments and more which provides cybercriminals with opportunities to insert themselves into the process.”

Hackers can use several methods to exploit QR codes:

  • They could hack into a business’s website, and replace the QR code with a different, similar-looking one. Once scanned, a user could be tricked into providing user credentials, which could give a hacker access to email or a social media account, or get them to download a malicious app.
  • They could create a “honeypot”, whereby a hacker sets up an unsafe “free” WiFi network, accessible via a QR code. Once scanned and connected, a hacker can intercept data being shared via the smart device, such as online banking credentials or payment information.

To protect their customers, tourism business owners should regularly carry out integrity checks on their websites and apps, to make sure the code and links they provide are correct. 

“They can do this by regularly scanning the code to check if the link within the QR code is correct,” says Chung. “They need to check both the web and mobile browser version, as cybercriminals have been known to only compromise the latter to reduce the chance of detection.”

Users and customers can avoid being scammed by avoiding QR codes from strangers and installing mobile security in the form of online protection software. 
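The integrity check Chung describes, as an added example (not code from the article or from Palo Alto Networks): it compares the URL decoded from each published QR code, as served to desktop and to mobile browsers, against an approved baseline. The placements, the URLs and the assumption that a QR scanner has already decoded each payload are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed baseline: the URL each published QR code is meant to encode.
EXPECTED = {
    "menu": "https://www.example-hotel.test/menu",
    "guest-wifi": "https://www.example-hotel.test/wifi-terms",
    "checkout": "https://pay.example-hotel.test/checkout",
}

# Constructed scan results: (placement, browser variant, decoded QR payload).
OBSERVED = [
    ("menu", "desktop", "https://www.example-hotel.test/menu"),
    ("menu", "mobile", "https://www.example-hotel.test/menu/"),
    ("guest-wifi", "desktop", "https://www.example-hotel.test/wifi-terms"),
    ("guest-wifi", "mobile", "https://www.examp1e-hotel.test/wifi-terms"),
    ("checkout", "desktop", "http://pay.example-hotel.test/checkout"),
]


def canonical(url):
    """Reduce a URL to (host, port, path, query) or raise ValueError."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError("QR payload is not https")
    if parts.username is not None or parts.password is not None:
        raise ValueError("QR payload carries userinfo before the host")
    host = (parts.hostname or "").rstrip(".")
    if not host:
        raise ValueError("QR payload has no host")
    # IDNA-encode so a non-ASCII lookalike host compares as its xn-- form.
    host = host.encode("idna").decode("ascii")
    # A trailing slash and the fragment are ignored; everything else must match.
    path = parts.path.rstrip("/") or "/"
    return (host, parts.port or 443, path, parts.query)


def audit(expected, observed, variants=("desktop", "mobile")):
    """Return (placement, variant, reason) for every code that fails the check."""
    findings = []
    seen = set()
    for placement, variant, payload in observed:
        seen.add((placement, variant))
        if placement not in expected:
            findings.append((placement, variant, "no baseline for this code"))
            continue
        try:
            got = canonical(payload)
        except ValueError as exc:
            findings.append((placement, variant, f"rejected: {exc}"))
            continue
        if got != canonical(expected[placement]):
            findings.append((placement, variant, f"mismatch: encodes {payload}"))
    # A code checked on only one variant is itself a finding, because a
    # tampered code may be served to mobile browsers only.
    for placement in expected:
        for variant in variants:
            if (placement, variant) not in seen:
                findings.append((placement, variant, "variant not scanned"))
    return findings


if __name__ == "__main__":
    for placement, variant, reason in audit(EXPECTED, OBSERVED):
        print(f"{placement:<11} {variant:<8} {reason}")
```
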

Beware malware

Malware is the term for any program made to hack or damage a device, such as a computer virus or ransomware. Ransomware is one of the most harmful forms, as the only way to remove it is to pay a ransom to the scammer controlling it.

Both are big business for fraudsters — organisations in Singapore hit by ransomware attacks pay an average ransom of nearly $1.5m. However, while paying up may get hackers off your systems for a short while, 56% of organisations that pay ransoms are hit a second time within 4 to 7 days.

Ransomware attacks on travel companies, in particular, are on the rise, with the CSA reporting a 154% increase from 2019 to 2021, largely due to Covid-19. Security professionals report criminals are upping their game, and launching increasingly sophisticated technical attacks.

“Ransomware is no longer a sporadic nuisance, affecting a handful of machines,” says Koh. “It has been transformed into a massive, systematic threat affecting entire networks of large enterprises.”

For example, Carnival, one of the largest cruise operators in the world, was hit by a ransomware attack in 2020. The company said hackers were able to access the customer data as part of an IT system for one of its cruise line brands.

So what can you do to protect your business? 

Prevention is key. Organisations need to put in place stringent protective measures, such as readying a backup and recovery plan for data, backing up data regularly, and storing that data offline and disconnected from the organisation’s network.

CSA also suggests organisations adopt industry best practices, which include enforcing segmentation between information technology (IT) and operational technology (OT) networks, using anti-virus software and mitigating risks when it comes to system and software vulnerabilities. 

IoT security vulnerabilities

IoT — or the ‘internet of things’ — sums up all devices connected to each other by the internet. It’s created new opportunities for travellers, who are able to control more appliances and services through mobile applications, and companies that are able to gather and store customer data from IoT-enabled devices.

For example, a traveller returning to the same bed & breakfast every summer could have their air conditioning preferences tracked and recorded. The potential is huge, especially in the luxury sector.

A real-life example is the Walt Disney World MagicBand, a wristband that pairs with the My Disney Experience app. It allows visitors to enter the theme park, access their hotel room, make contactless purchases and more via RFID technology (radio frequency identification, a form of wireless comms).

But new opportunities for personalisation mean new opportunities for hackers, as they operate in an open environment. Some IoT devices can’t be patched easily, meaning they are more easily compromised, and they’re also often not in compliance with security standards like data encryption.

When it comes to privacy, all personal data stored via an IoT device is at risk of being breached.

In order to fully harness IoT’s potential, businesses need to pay attention to secure data collection and storage, and ensure their IoT systems communicate with one another effectively.

The Singapore Tourism Board recently wrote about how to create impactful connections with IoT. Based on these insights, here are a few questions any travel company should be asking a technology partner:

  • Do you have established security protocols? What protection measures are in place?
  • Are you open about privacy risks? Are you being transparent about what data is being collected? How is it being managed, and is it anonymised?
  • Will the deployment scale as the project expands?

Go phish  

Phishing is when scammers send emails under false identities, such as reputable companies, to get people to reveal personal information and data. 

This type of scam is on the rise in the tourism sector; hackers are increasingly posing as tourism businesses online using their logo and branding to lure potential customers into false purchases.

While this negatively affects customers and travellers in the form of stolen passwords and credit card details, it also has a hugely negative effect on a business’s reputation. If a hacker poses as a known travel brand and manages to phish a customer’s personal information, it will create negative press for the business and make potential customers think twice about booking with them.

“Any company that does business through a website requiring a login could be at risk,” says Dr. Sal Stolfo, Founder of Allure Security, and Professor of CS at Columbia University. “That's why businesses must create a proactive, multipronged strategy to help protect customers' data from inevitable attempts at stealing it.”

So how can you stop a phishing scam from negatively affecting your business?

Stolfo says businesses should first understand how phishing scams work in order to detect and mitigate them; this includes educating employees and staff.

Filtering out and blocking malicious emails that hackers may send to employees is a start, but it only addresses part of the problem. Businesses should also be able to detect spoof URLs. 

“One way to improve detection is to embed snippets of tracking code into your company’s real website,” he says. “When a hacker attempts to copy that site, they replicate that code along with a website’s images and text. It’s invisible to the hacker but not to your security team.”

Once a phishing site is detected, companies should alert customers to ensure they don’t fall prey. This could not only stop a customer from having their information stolen, but it also helps build trust.
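One way to act on the tracking-code idea Stolfo describes, as an added example that is not Allure Security's or the article's own code: scan the beacon server's access log for hits reported from hosts you do not own. It assumes the embedded snippet requests `/b.gif` with the serving page's hostname in an `h` parameter; the log lines, domains and function names are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

ALLOWED = {"example-hotel.test"}   # domains we own (constructed)
BEACON_PATH = "/b.gif"             # assumed beacon endpoint

# Constructed access-log lines in combined log format.
LOG = """\
203.0.113.7 - - [10/Mar/2022:09:14:02 +0000] "GET /b.gif?h=www.example-hotel.test HTTP/1.1" 200 43 "https://www.example-hotel.test/booking" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2022:09:15:40 +0000] "GET /b.gif?h=example-hotel-rewards.example HTTP/1.1" 200 43 "https://example-hotel-rewards.example/login" "Mozilla/5.0"
198.51.100.77 - - [10/Mar/2022:09:16:11 +0000] "GET /b.gif?h=example-hotel-rewards.example HTTP/1.1" 200 43 "-" "Mozilla/5.0"
192.0.2.50 - - [10/Mar/2022:09:20:05 +0000] "GET /b.gif?h=www.example-hotel.test HTTP/1.1" 200 43 "https://translate.example/?u=www.example-hotel.test" "Mozilla/5.0"
garbage line
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) [^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$'
)


def is_ours(host):
    """True for an allowed domain or any subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in ALLOWED)


def host_of(url):
    """Hostname of a URL, or None if it cannot be parsed."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def find_clones(log_text):
    """Return ({host: {hits, first_seen, clients}}, skipped_line_count)."""
    suspects, skipped = {}, 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        client, when, target, referer = m.groups()
        try:
            url = urlsplit(target)
        except ValueError:
            skipped += 1
            continue
        if url.path != BEACON_PATH:
            continue
        # Two independent signals: the hostname the snippet reported and the
        # Referer header. A copied page may suppress one of them.
        hosts = {h.lower().rstrip(".") for h in parse_qs(url.query).get("h", [])}
        if referer not in ("", "-"):
            ref_host = host_of(referer)
            if ref_host:
                hosts.add(ref_host)
        for host in sorted(hosts):
            if is_ours(host):
                continue
            entry = suspects.setdefault(
                host, {"hits": 0, "first_seen": when, "clients": set()}
            )
            entry["hits"] += 1
            entry["clients"].add(client)
    return suspects, skipped


if __name__ == "__main__":
    found, skipped = find_clones(LOG)
    for host, info in found.items():
        print(f"{host}: {info['hits']} hit(s), {len(info['clients'])} client(s), "
              f"first seen {info['first_seen']}")
    print(f"unparsed lines: {skipped}")
```

A flagged host is a lead for the security team to review, not a verdict: translation proxies and web archives also replay the snippet, as the constructed `translate.example` line shows.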

Cybersecurity threats are continuously evolving, but so are the tools and methods businesses can use to protect themselves. Remember: prevention is key, so be sure to have a stringent cybersecurity strategy in place which is reviewed and updated every six months. 

Top Cyberthreats for Hotels

RH-ISAC reviews five of the most common cyber threats to hotels and how companies can mitigate these risks.

  • Posted on March 10, 2022
  • Natalie Paskoski, RH-ISAC Manager of Marketing & Communications

As travel restrictions ease in 2022, hotel InfoSec departments are preparing for an influx of customers as well as an increase in cyber attacks. Hotels secure a large amount of sensitive customer data and have a broad attack surface, so they are common targets for threat actors.

Here are five of the top cyber threats facing the hotel industry.

Hospitality has the highest phish-prone-percentage score of any industry at 48%, 10% higher than the next industry, construction, at 38%. It is no wonder then that in a recent Ironscales survey, 90% of hospitality IT professionals ranked phishing as one of their top concerns.

Hotels began seeing a rise in phishing attacks at the onset of the pandemic, with threat actors using COVID-19 and its severe impact on the hospitality industry as a way in. Employees unknowingly clicked on malicious links and attachments from threat actors posing as concerned customers or vendors offering safety solutions. However, even before the pandemic, hotels were a lucrative target for phishing attacks because their volume of customer data, large employee base, and frequent use of third-party vendors provided motive and means for threat actors. For example, a major phishing attack in 2019 infiltrated hotel networks by posing as a vendor requiring payment. Opening the fake invoice executed PowerShell scripts and installed a trojan, leading to compromise of the system.

Point-of-Sale Attacks

Hotels process a high volume of transactions through point-of-sale (POS) systems at their physical locations, online through their websites, as well as through third-party vendors. This huge attack surface, spread out over great geographical distances, leaves hotels extremely vulnerable to point-of-sale attacks. Threat actors will take advantage of known vulnerabilities and predictable peak seasons when software updates may be delayed to install data scraping malware that can sometimes remain for months undetected. During that time, the credit card and personal information about the hotels’ guests may be exposed, allowing threat actors access to a treasure trove of funds, particularly when attacking luxury hotels with wealthy clientele.

Wi-Fi Infiltration

DarkHotel is a cyberattack group known for using hotel Wi-Fi networks to gain access to specific targets, most often high-level business executives or political figures. They preemptively infiltrate the hotel’s Wi-Fi, then use social engineering tactics, including spear-phishing and software download prompts, to install malware on the target’s machine and siphon information. This is a short-lived attack with a high potential for discovery, so attackers must work quickly to obtain the sensitive information they’re after, but even a short-lived intrusion can be damaging.

DDoS Attack

Between January 2020 and March 2021, DDoS attacks increased by 55%, according to F5. The hospitality industry is regularly one of the most targeted industries for bot attacks, particularly through the use of browser impersonation. DDoS attacks can be extremely costly for hotels that rely on networks for everything from reservations, to payment, to the services such as entertainment they provide to guests.

These days no industry is safe from the threat of ransomware. According to Fortinet, ransomware grew 1070% between July 2020 and June of 2021. Hotels are at an increased risk of being the victim of ransomware due to their high revenues and susceptibility to some of the threats previously discussed. Ransomware is often deployed by way of malware downloaded from phishing emails. Ransomware groups are also now leaning on methods such as DDoS attacks and data leaks as additional methods of extortion. Guarding against these threats will help hotels reduce their likelihood of being a ransomware victim.

Combating Threats

RH-ISAC assists our hospitality members in defending against these threats through exclusive access to resources, events, and threat intelligence sources. Members receive daily intelligence reports, as well as quarterly trends analysis reports, and reports from industry partners, which provide insights into the types of malware and phishing scams peer companies are seeing. RH-ISAC also provides training resources such as webinars during Security Awareness Month which can be used to educate your employees on topics like phishing, password policies, and multi-factor authentication. Plus, working groups focused on areas such as ATO prevention, incident response, and security awareness give members a platform for collaboration with other companies facing similar threats. Learn more about RH-ISAC membership.

Data Security in Hospitality: Risks and Best Practices

How to protect guest data

December 02, 2018

Information security is a pivotal aspect of many industries, not least the hospitality industry due to the nature of the data collected by companies operating within hospitality. Hotels, motels, resorts, and rented apartment complexes all gather and electronically store a range of sensitive personal guest data, such as names, phone numbers, addresses, and credit card details.

From the perspective of cybercriminals, hospitality appears to offer an ideal target vector for conducting crimes such as identity theft and credit card fraud due to the existence of multiple databases and devices containing both Payment Card Information (PCI) and Personally Identifiable Information (PII).

This article focuses on five of the biggest data security concerns in the hospitality industry and highlights some best practices for protecting hospitality data.

Data Security Concerns in Hospitality

Complex Ownership Structures

Restaurants, hotels, and other companies in the hospitality sector often have complex ownership structures in which there’s a franchisor, an individual owner or group of owners, and a management company that acts as the operator. Each of these groups may use different computer systems to store information, and the information can also frequently move across those systems.

A case in point was the Wyndham Worldwide breaches of 2008 and 2010. Hackers gained access to the systems of an individual operating company through easily guessed passwords, and the attack easily proliferated through the entire corporate network, with the result that 619,000 customers had their information compromised.

Reliance on Paying By Card

The nature of the hospitality industry is such that it is extremely reliant on cards as a form of payment. Restaurants and hotels alike often require credit card details for reservations, and final payment is also frequently made by the same card.

Cybercriminals use this reliance on cards to infect point-of-sale (POS) systems with malware that steals credit and debit card information by scraping the data. In fact, it was reported in 2017 that out of 21 of the most high-profile hotel company data breaches that have occurred since 2010, 20 of them were a result of malware affecting POS systems.

Because this malware can often proliferate or move between POS systems run by the same operator, multiple individual hotels and groups of hotels can be afflicted by these types of attacks, and they can go unnoticed for months.

High Staff Turnover

A vital part of protecting data is training staff to securely gather and store personal information. Well-trained staff also know how to recognize social engineering attempts and they understand an organization’s compliance requirements. The risk is that the hospitality industry involves lots of seasonal work in which people might move on after only a few months, or they might be transferred. In the U.K., for example, the job turnover rate in hospitality is as high as 90 percent.

The high level of turnover and high degree of staff movement between different locations makes it a real challenge to maintain teams of well-trained staff. All it takes is one person who isn’t familiar with the importance of data security for a cybercriminal to exploit a hospitality company’s systems and gain access to sensitive data.

Data security risks in the hospitality industry extend far beyond the reputation hit that a hotel can take if guests’ data is compromised. Industry and political regulators are becoming stricter in governing how organizations process and store personal data.

The GDPR was introduced by the EU in May 2018 as landmark legislation that aims to return control over personal information to individuals while simultaneously enforcing stricter rules for organizations in protecting such information during any period in which they possess it.

While GDPR protects individual data within the EU and EEA, its ramifications have rippled through industries globally, and organizations are realizing the need to put greater compliance measures in place.

PCI DSS is another important global regulation that protects credit card data, and fines for non-compliance begin at $500,000 per incident. The risk here is not just to data security but to the future survivability of hospitality companies, many of which would not be able to absorb the substantial losses resulting from non-compliance fines.

Insider Threats

This type of data risk is more subtle: it involves employees selling data to third parties without the knowledge of the organization that employs them. Such insider threats typically target data on customer preferences and behavior, which hospitality companies can collect at multiple touchpoints, from interactions with their website, to form data on booking systems, to review data.

This data could be potentially lucrative when it ends up in the hands of those who know how to use it to gain a competitive advantage.

Best Practices for Data Security in Hospitality

Best practices for companies in the hospitality sector to protect data include:

  • Always encrypt payment card information.
  • Operate a continuous training program in cybersecurity to maintain a well-trained workforce.
  • Always adhere to relevant regulations, such as PCI DSS.
  • Use cybersecurity measures such as firewalls, network monitoring, anti-malware, and traffic filtering to protect against common threats.
  • Conduct tests against your organization’s cybersecurity defenses in which you mirror the behavior of an actual hacker.
  • Know where your data is and enforce the principle of least privilege to limit access to sensitive information.

With a full understanding of the main data security risks and some best practices for mitigating those risks, organizations in the hospitality sector are better placed to implement a comprehensive information security strategy that entails the necessary procedures, processes, and people to improve cybersecurity.

Limor Wainstein

GrapeCity content contributor, technical writer, and editor at Agile SEO

Cybersecurity: The Top Threats To Look Out For

4 June 2024

The issue of cybersecurity attacks is not a new phenomenon. Cyber threats have been prevalent since the inception of the internet, but in recent years, their frequency and severity have grown significantly. The projected global costs of cybercrime are expected to skyrocket to $10.5 trillion by 2025, a sharp increase from the $3 trillion recorded in 2015. As a result, it is imperative for businesses to enhance their security measures to combat the ever-evolving landscape of cyber threats.

Cybercrime can have a significant impact on various sectors and industries, with the travel and tourism sector being particularly vulnerable. The vast amount of secure and personal data handled by the travel and hospitality industry makes it a prime target for cyber attacks. Therefore, it is crucial for travel providers to prioritise cybersecurity measures to safeguard sensitive information and protect both their businesses and their customers. 

As the digital ecosystems of the travel and tourism industry continue to expand, they will also become increasingly susceptible to cybercrimes. It is crucial for companies within the travel and tourism chain to prioritise cybersecurity awareness, strategies, and safeguarding in order to ensure the utmost security of their data.


Why is the travel industry susceptible to cybercrime?

As a global industry with many – literal – moving parts, the travel industry is often targeted by cybercriminals. Analysis of data breaches and cyberattacks has identified numerous reasons for this, such as:

  • The industry’s huge fragmentation
  • The complexity of the travel booking and payment networks/platforms
  • The existence of many travel agents and third-party service providers
  • Poor security systems when it comes to IT and point-of-sale (POS)
  • Human error
  • The millions of travellers all interacting with travel providers within cyberspace 


How can travel businesses mitigate cyber-attacks?

Human error was identified as one of the biggest threats to cybersecurity in 2023, so many common cyberthreats may be avoidable with the right education.

It’s estimated that, by 2025, around 99% of data breaches will be caused by a misconfiguration within settings or installation by an end user. So, this suggests that with proper education, and a thorough cybersecurity strategy, travel providers will be able to mitigate the impact and severity of many common cyberthreats.

What a good cybersecurity strategy should involve:

  • Contingency planning
  • Immediate actions outlined – for varying types of breach or attack once discovered
  • Post-breach responses  
  • An understanding of current cyber risks

Here is where consolidating your tools and resources, and leveraging third-party expertise to manage complexities and augment capabilities can give you a leg-up when it comes to protection against those more common threats. 

As cyberattacks continue to evolve and grow more sophisticated, it is clear that implementing frequent company-wide training can be an effective strategy in mitigating the risks associated with data breaches. The alarming statistics on data breaches underscore the importance of staying updated on the latest threats and taking proactive measures to safeguard sensitive information.

But for now, let’s look at some of the most common cybersecurity threats and what shape they take, to help you as travel providers improve your awareness.


Social Engineering

Social engineering is widely recognized as one of the most common and hazardous tactics used by cybercriminals. This is mainly due to the fact that social engineering, in its many forms, exploits human mistakes rather than technical weaknesses. It is much simpler to deceive or influence individuals than it is to penetrate a security system, and it is apparent that cybercriminals are well aware of this fact. Research indicates that over 85% of all data breaches stem from human interaction or error.

Throughout the year 2023, social engineering techniques played a crucial role in cybercriminals gaining access to employee data and credentials for the purpose of carrying out cyberattacks. Among these techniques, phishing stands out as a leading cause of data breaches, with more than 75% of targeted attacks originating from deceptive emails. It is important to note that these tactics are continuously adapting to leverage emerging trends and technologies in order to stay ahead of security measures.

What can phishing attacks look like?

  • Spear phishing – this targets specific individuals or organisations, hence the term ‘spear’, most typically using malicious emails. The goal of these emails is to obtain sensitive data such as login credentials, or to infect the users’ device with malware (which we will explore later).
  • Whaling – a type of attack that targets senior or C-level executive employees, with the aim of stealing money or information on the business, or to gain access to their devices to carry out further attacks.
  • Vishing – the use of fraudulent phone calls or voice messages, often masquerading as a legitimate business, to convince individuals to share sensitive, private data such as bank details and passwords.
  • SMiShing – the use of fraudulent text messages, in much the same way as ‘Vishing’, to steal sensitive, private data. This can often take the shape of your bank, or a shipping service. 

Other social engineering techniques can involve:

  • Business email compromise (BEC) - a prominent technique in which attackers assume the identities of trusted email addresses – often internal business users – to trick other employees or clients of the business into sharing data that could compromise the business, or make payments, amongst other goals.
  • Pretexting – here cybercriminals gain access to a system or a user account using a false scenario that gains the victim’s trust through manipulation. Attackers could pose as an HR employee, or an IT specialist, for example.
  • Disinformation campaign - these spread false information, usually with the goal of amplifying fake narratives using bots and fake accounts on social media networks. 

Among these techniques, travel providers are most likely to encounter business email compromise attacks, primarily due to the extensive chains of internal communication. Once attackers gain access, they typically send phishing emails to employees or clients of the business in order to obtain more sensitive data or prompt financial transactions. They may also utilise the compromised account to launch attacks against other employees or the business's systems.

Business email compromise attacks can be carried out in multiple ways, including:

  • Phishing – as explained above, this type of attack often uses emails that appear to come from a ‘trusted’ source to trick employees into sharing sensitive data. Social engineering techniques are then used to prompt the recipient into action.
  • Malware – this is the use of malware – malicious software - to infect a user’s computer and therefore gain access to their email accounts. Once installed, this malware can steal other sensitive data from this computer.
  • Social engineering – often, this type of attack (closely linked to phishing) tricks employees into divulging sensitive information or granting access to their email accounts. Usually, this involves impersonation to gain trust.
  • Manipulation of weak passwords – if employees use ‘weak’, reused, or easily guessable passwords, cybercriminals can obtain access to internal email systems by guessing these passwords. 

How can travel providers protect against business email compromise?

  • Train employees on how to identify and avoid phishing emails  
  • Insist employees use strong passwords and two-factor authentication  
  • Keep software and cybersecurity systems up to date  
  • Implement email cybersecurity measures, such as spam filters 
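To make the email-filtering measure concrete, here is an added example (not part of the original article) of header checks a mail gateway or SOC script could run to flag the impersonation patterns described above. The organisation domain, staff names and sample messages are constructed assumptions, and the checks are heuristics that complement a spam filter rather than replace it.

```python
"""Header-level BEC triage. Added example; all names and messages are constructed."""
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the organisation's own mail domain and the
# display names of staff who are commonly impersonated (executives, finance).
ORG_DOMAIN = "example-travel.test"
PROTECTED_NAMES = {"maria lopez", "james chen"}


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    """Return the lower-cased domain part of an address, or '' if absent."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def bec_indicators(raw_message):
    """Return a list of BEC warning signs found in a message's headers."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr)
    auth = msg.get("Authentication-Results", "").lower()

    findings = []
    # 1. Sender domain is one or two characters away from the real one.
    if from_domain != ORG_DOMAIN and 0 < edit_distance(from_domain, ORG_DOMAIN) <= 2:
        findings.append("lookalike-domain")
    # 2. A protected colleague's name is shown, but the address is external.
    if display.strip().lower() in PROTECTED_NAMES and from_domain != ORG_DOMAIN:
        findings.append("display-name-impersonation")
    # 3. Replies would be routed to a different domain than the sender's.
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-mismatch")
    # 4. Claims to be internal but failed SPF or DMARC at the receiving server.
    if from_domain == ORG_DOMAIN and ("dmarc=fail" in auth or "spf=fail" in auth):
        findings.append("internal-sender-failed-auth")
    return findings


# Constructed sample messages (headers only matter for these checks).
SAMPLES = {
    "lookalike": (
        'From: "Maria Lopez" <maria.lopez@examp1e-travel.test>\n'
        "To: accounts@example-travel.test\n"
        "Subject: Urgent supplier payment\n"
        "\n"
        "Please process today.\n"
    ),
    "spoofed-internal": (
        "From: Maria Lopez <maria.lopez@example-travel.test>\n"
        "Reply-To: payments@freemail.test\n"
        "Authentication-Results: mx.example-travel.test; spf=fail; dmarc=fail\n"
        "Subject: Updated bank details\n"
        "\n"
        "Use the new account from now on.\n"
    ),
    "legit": (
        "From: James Chen <james.chen@example-travel.test>\n"
        "Authentication-Results: mx.example-travel.test; spf=pass; dkim=pass; dmarc=pass\n"
        "Subject: Weekly occupancy report\n"
        "\n"
        "Report attached.\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", bec_indicators(raw) or "no indicators")
```

Messages with any finding are better quarantined for review than silently dropped, since legitimate partners occasionally trip the Reply-To check.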


Third-Party Security Threats

Throughout 2023, there was a noticeable rise in third-party breaches as numerous companies globally transitioned to independent contractors to carry out work previously done by full-time staff. Consequently, this surge led to a larger pool of less-secure networks that had access to the main target, all of which were associated with these third parties. These less-secure networks are exploitable by hackers, as seen in the memorable 2021 attack on the U.S.’s Colonial Pipeline, in which attackers obtained compromised credentials, accessed a VPN without multi-factor authentication, and demanded a $5 million Bitcoin payment to restore access.

As the trend towards remote or hybrid work increases, with over 50% of businesses showing more willingness to hire freelancers, the rise in remote or dispersed workforces brings about ongoing challenges in third-party security threats for travel businesses of all sizes.


Cloud Vulnerabilities

With many more businesses adopting cloud-based systems, cloud-based cyberattacks are growing as well. It’s estimated that cloud security is the fastest growing cybersecurity market, growing around 41% from 2020 to 2021.

In today's fast-paced environment, with cloud-based systems taking on more corporate workload, businesses are turning to 'zero trust cloud architecture' for enhanced security. This approach, designed to assume a system has been compromised, requires additional verification before granting access to recognized devices, or any device within the perimeter of the network.

Keeping on top of cloud security practices is critical, and can include:

  • Monitoring access to sensitive resources  
  • Enforcing strict password requirements  
  • Implementing a sound data backup plan  
  • Leveraging data encryption  

What are the most common cloud-based threats?

Commonly referred to as the ‘egregious eleven’ by security professionals, these are the most ‘popular’ access points:

  • Data breaches
  • Misconfiguration and inadequate change control
  • Lack of cloud security architecture and strategy
  • Insufficient identity, credential, access and key management
  • Account hijacking
  • Insider threat
  • Insecure interfaces and APIs
  • Weak control plane
  • Metastructure and applistructure failures
  • Limited cloud usage visibility
  • Abuse and malicious use of cloud services 


Supply Chain Attacks

A recently emerging tactic, supply chain attacks involve the breach of supply chain technology, such as Application Programming Interfaces (API systems), commonly found in the travel industry. This infiltration allows access to source codes, build codes, and other software components. The attackers then exploit these legitimate platforms and applications to disseminate malware throughout the supply chain systems.

Considering how often supply chain systems are used within the travel and tourism industry – particularly through API integration – it’s important to know how to reduce the risk of this kind of attack.

In the modern travel industry, travel APIs are a powerful tool that many businesses utilise. By allowing different systems to communicate seamlessly, they create a unified platform where customers can easily access all travel products in one place. These API systems are highly effective in helping travel providers create user-friendly systems that stay ahead of hospitality tech trends. It also means travel providers can enhance their business success by increasing their distribution through API integration, offer customised tour packages or itinerary planning, provide quotes, or display availability and booking options.

However, these systems are also vulnerable to attacks. But hope is not lost! There are many ways to protect against supply chain threats, including:

  • Use endpoint monitoring tools to spot and stop suspicious activity  
  • Stay current with all system patches and updates  
  • Implement integrity controls to ensure users are only running tools from trusted sources  
  • Require admins and other users to use two-factor authentication 

Ransomware

While certainly not a new threat, ransomware attacks have become significantly more expensive in the last few years – with costs expected to reach $265 billion by 2031 - and so continue to present considerable challenges to businesses of all sizes. 

Ransomware, in essence, is a form of malicious software that restricts access to computer systems until a ransom is paid. This involves utilising malware to seize control of computer systems, retrieve data, files, or sensitive information, and then requesting payment in exchange for restoring access to the original user.

Of course, before the ransomware attack can take place, hackers must obtain access to their targets’ systems. The most common methods of infiltration include:  

  • Remote Desktop Protocol (RDP) and credential abuse - wherein hackers use ‘brute-force’ or purchase credentials with the goal of logging into systems to distribute malware.
  • Exploitable software – such as unpatched or out-of-date software. 

Modern endpoint detection and response (EDR) technology can often protect against ransomware attacks, by stopping the execution of malicious software in the first place. Many businesses also benefit from the setting of cybersecurity parameters, to keep employees from straying too far from safe browsing locations on their corporate devices. 


The Internet of Things

In the realm of technology, physical objects, the 'Things' in 'Internet of Things', are evolving to be more intelligent by integrating sensors, software, and other advanced technologies. As we continue to depend on these interconnected Things to communicate and exchange information online, their vulnerability to cyber threats also increases.

While there are multiple ways that smart devices and objects connected to an online network can be attacked, some of the most common methods are:

  • Default passwords: hackers can exploit default passwords often supplied for smart devices, or easily guess reused and weak passwords or access codes for individual or business devices. These are then used to gain access to the device and its data, and to facilitate further attacks.
  • Unsecured Wi-Fi networks: public Wi-Fi networks are often unsecured or use weak encryption, and these can be exploited to intercept data.

Fortunately, there are ways to protect your devices, including:  

  • Having users select secure passwords  
  • Staying current with Operating System (OS) and software updates
  • Encouraging clients to encrypt their data
  • Installing antivirus or anti-malware protection
  • Changing default passwords  
  • Avoiding unsecured Wi-Fi networks  
  • Being cautious of suspicious emails or links 


Financial and reputational loss

The repercussions of a cybersecurity breach can have widespread and severe implications for businesses, regardless of their size. Small businesses may never fully bounce back from an attack, and larger businesses could be subjected to penalties, legal action, a decrease in clientele or staff, as well as tarnishing their reputation.

For many travel providers, one of the key consequences will be the loss of reputation, which – should the business recover – will involve a long and detailed strategy to recover this reputation both for existing and potential customers. After all, how many people are going to choose a company that, from an external perspective, hasn’t protected its customers?

Another main consequence is the disruption to operations following a breach or attack, the consequent investigation that must take place, and the change to business practices after the resolution of the attack.

Ensuring that your business has strong cybersecurity protection and awareness at all levels is essential to defend against the common cyber attacks mentioned earlier. Seeking expert training and advice from security professionals will help keep your business practices, cybersecurity strategies, and overall understanding of cyber threats current and effective.


Social Tables

Find Out The Critical Ways Cybersecurity Could Impact Your Hotel

1. Phishing attacks

Phishing refers to the sending/receiving of emails that appear to be from a genuine source. A criminal using it intends to convince the recipient that he/she should share information. That is often passwords and financial information; this scam is one of the oldest on the internet.

In recent years, this threat has become increasingly sophisticated, with attacks targeting those in authority. The aim is to take over a user’s email account to send bogus emails to colleagues. These emails often attempt to persuade recipients to authorize transactions, which are ordered from above.


2. Ransomware

The most famous of recent ransomware attacks simultaneously attacked countries and businesses all over the world. The latest ransomware, WannaCry, posed a real threat by taking information and certain systems hostage. The purpose of this attack was to gain financially from those who paid the demanded figure to free their data/systems.

As a hotelier, you are at high risk from cybersecurity failings that allow this type of attack to occur. Hotels that have fallen foul of this crime have in the past paid more than $17,000 to be able to let guests into their rooms and create electronic keys.

3. DDoS

Another nasty form of attack used against hotels across the world is DDoS.

Short for distributed denial of service attack, you may be familiar with it in the context of the web. However, it is also a hack of choice for those looking to target the wide array of systems hotels use. Everyday items, from sprinkler systems to security cameras, are vulnerable to hijacking, after which entire computer systems can be made to come crashing down. Cybersecurity for hotels should always include a process to mitigate any compromised systems should they go down in a DDoS attack.

4. Point of sale/ payment card attacks

Point-of-sale attacks pose the biggest threat to the hotel industry as a whole. Rather than attacking the hotel itself, they are a third-party crime, meaning they attack the vendor. And that means somewhere there is a weakness in the system which has been revealed by human error.

Cybersecurity issues of this nature often result in customers being out of pocket and the media getting involved, which, of course, means bad press for a hotel. Furthermore, there could be financial implications for the business. One example of this is MasterCard billing an unnamed establishment for $1.4 million, and Visa around $500,000.


5. DarkHotel hacking

Not familiar with the term DarkHotel? It is a relatively new one, which sees criminals use a hotel's Wi-Fi to target business guests.

The attacks use forged digital certificates to convince victims that a software download is safe. To enable this to happen, criminals upload malicious code to a hotel server, and can then target specific guests. DarkHotel hacking was first seen in 2007 and originated via peer-to-peer networks and spear-phishing scams. If you have guests who are concerned about DarkHotel hacking, encourage them to use virtual private networks (VPN) if they plan on conducting business with sensitive data.


6. Customer data/identity theft

Protecting the identity and information of a customer is paramount to the success of any business, and hotels are no exception.

One of the biggest risks hoteliers report is the amount of hacking surrounding guest information. As such, network security/cybersecurity is important, especially when there are criminals from all over the world trying to steal identities and credit card data.

Unfortunately for hoteliers, this crime is forever changing, which means that cybersecurity for hotels is an almost perpetual arms race to secure both data and networks.


Cybersecurity in Hospitality Industry


With the invention and widespread use of new technologies, many processes related to the hospitality industry are reliant on the use of the internet and electronic devices. Keep reading to learn how you can keep your business safe while keeping up with the technology.

As of today, we can book a hotel room, specify our needs regarding the stay (e.g. extra towels, room service, airport shuttle etc.) and even pay for it using only our smartphones. Moreover, the hotel owners can process our request, send us an e-voucher and confirmation, tell us about the details of our stay, inform us about the facility or keep up with their management processes using only their smartphones or computers. Isn’t it very convenient for both parties?

On the flip side of the coin come vulnerabilities. The Internet of Things, the implementation of electronic devices and similar conveniences also pose serious threats to the security of our sensitive information. That is why cyber security practices gain much more importance in the hospitality industry. In this article, we will discuss what kinds of threats await your organization and how you can ensure your protection. Keep reading to learn!

What is cyber security?

The term cyber security is used to refer to the methods and practices that aim to defend devices, networks, servers, electronic systems and all kinds of data from ill-intentioned attacks.

In today’s business environment, information is the most important asset. That is why many hackers and attackers aim to steal your information, and they might even shut you out of your devices and systems while doing so. Cyber security professionals aim to keep such malicious individuals away from your systems.

Cyber security practices often involve the use of a tool or software such as antivirus programs, firewalls, anti-malware software and such. In accordance with the needs and vulnerabilities of your organization, various cyber security solutions can be employed and configured. You can opt for getting professional help and/or hiring a team of cyber security professionals for this task.

What kinds of threats target the hospitality industry?

In the past years, we have witnessed many hotels being victims of cyber criminals. Such incidents lead to serious data leaks and hurt the reputation of the organization. After all, we would never revisit a facility that failed to keep sensitive information (e.g. names, surnames, ID numbers, credit card information, addresses etc.) regarding its customers safe from hackers.

If you want to keep your organization safe from attacks and ensure the strength of your security posture, take a closer look at the various threats targeting the hospitality industry.

Customer Data/Identity Theft: When booking a hotel room, we share some of the most sensitive pieces of information about ourselves: our name, address and payment information. That is why most hackers try to steal customer information from hotels using malware, computer viruses and social engineering methods.

Phishing: The term phishing refers to the techniques used to deceive and convince professionals to leak information. The most popular phishing techniques include fake web pages, phone calls, text messages and e-mails.

Darkhotel hacking: This technique involves hacking the hotel WiFi and stealing information from the visitors.

How to protect your organization

If you want to protect your organization from cyber threats, first you need to inform your employees. They must be able to distinguish a phishing call from a genuine one. Moreover, they must know that they shouldn’t visit shady websites or click on suspicious links on business computers. In addition, they need to know when to alert your IT professionals regarding a suspicious incident.

Secondly, you must invest in some bullet-proof cyber security software including but not limited to antivirus, antimalware and firewalls. You must also hire a team of IT specialists to ensure that your organization is protected 24/7.

In addition, you can also consider incorporating top-notch cybersecurity solutions like SIEM and SOAR.

Logsign Team


Cybersecurity in Tourism & Hospitality: the urge of protecting customer data

Organizations in tourism and hospitality have massive databases of personal data nowadays, as they ask their consumers to leave their data for better and optimized services. In hotels, for example, guests provide data for loyalty programmes, such as pillow preferences, favourite breakfast and date of birth. However, important information such as e-mail addresses, passport numbers and even credit card details is also given in order to complete the reservation. Next to that, new technologies also enable guests to check in more efficiently, for example with a mobile application which holds a lot of personal data in order to enable a fast check-in. However, according to HotelNewsNow (2018), hackers are often attacking the hospitality industry in search of secured data. Therefore, managers in tourism and hospitality, but also all other employees in the different departments in the sub-sectors, should be aware of the high risks those hacks bring along.

This blog, written by key partner CEHAT , focuses on the importance of cyber security and what skills should be taught to all workers in tourism and hospitality in order to ensure the protection of all the valuable personal data of their guests. In this line, CEHAT collaborates with ITH as the technological arm for the dissemination of this information through international events such as Fiturtech Y, technical conferences throughout Spain and communication through ITH’s newsletter.

What is cybersecurity and how does it differ from general security?

Cybersecurity is defined as the area related to computing and telematics that focuses on protecting the computer infrastructure and avoiding all types of threats, which put at risk the information that is processed, transported and stored in any device.

A distinction must be made between general security and cyber security:

Security is the general concept that encompasses all measures and processes designed to protect information and data of value to your organization. This is done through risk reduction and threat control. It encompasses both physical and digital information. On the other hand, cyber security is limited to the protection of digital information that is in an organization’s systems, including attack practices and securing cloud storage. What makes cybersecurity so valuable is its ability to attack and combat threats to information that is processed, transported and stored on interconnected  .

Professionals in the hotel sector may not be aware of the real importance of cyber security; incidents can range from the manipulation of video surveillance cameras, to doors being opened without consent, to the theft of sensitive company information. The news article of HotelNewsNow (2018) shows a data breach timeline, highlighting the latest data attacks on hotels such as Marriott International, Radisson Hotel Group and InterContinental Hotel Group, where personal data of millions of guests was hacked. Cyber security can become a criterion for the client’s choice of hotel, in addition to the fact that tourism is the third most hacked sector after administration and banking, as these organizations hold a lot of valuable data such as credit card and passport details (Clark, 2019).

Cyber security is essential when it comes to generating in the client a feeling of tranquillity and trust towards the establishment in which he or she is staying. Cyber security is also important to encourage the guest to choose an establishment again for a repeat visit. Hotels handle an enormous amount of data: identity documents, credit cards, personal addresses, etc., which the hotels are forced to protect and manage to ensure the identity of the clients.

Due to the increase in data breaches, companies are being forced to work on their cybersecurity skills and how these should be managed. The accommodation industry is beginning to be aware of the relevance of this topic: if hotels do not manage this issue properly, they lose the opportunity to give the clients the reliability and security they need. Trade associations are working on the dissemination of European legislation in order to be sure that all hoteliers comply with the law. The NTG project is assessing the digital skills professionals need so they can assume this responsibility for cyber security.

Pitfalls of cybersecurity

In many cases, it is the employees themselves who make errors that expose the security of the hotel and the privacy of their clients through a lack of cyber security. Incorrectly shared passwords, professional accounts that link to personal devices or the dissemination of internal company information are some of the mistakes employees make. In order to correct these errors and ensure that they do not happen again, training and awareness-raising are the keys. Next to that, Clark (2019) also states that many hotel owners prefer to spend their budgets on tangible products such as new carpets, things that customers can actually see. This is due to the thin margins in hotels, which may result in a messy technological ecosystem where the protection of, for example, the guest WiFi is lacking.

Importance of cybersecurity training in organizations

Employees must be informed at all times about the correct practices to be followed, thus avoiding mistakes that in most cases have terrible consequences, both for the hotel and for the customers themselves. For example, there have been cases where clients’ data has been hacked through the hotel’s Wi-Fi network and the cyber criminals have been able to steal all the personal data of hotel clients, including their ID and billing information (HotelNewsNow, 2018). It is not only professional malpractice that is the problem. In some cases, hotels do not invest enough in configuring good cyber security that would allow them to avoid cyberattacks (Clark, 2019).

Some advice that can be given to companies in the sector to navigate safely is:

  • Use an antivirus and update it.
  • Use a secure password. Change it “sometime”.
  • Do not open files or links from unknown sources in emails.
  • Do not download files from dubious sites.
  • Restrict the information we share on social networks. It is advisable to remove the public profile.
  • Ensure that public WiFi is secure.
  • Delete browser cookies frequently.
  • Do not give bank/card details over the Internet: never by email, only on known HTTPS:// pages.

Optimal security assessment to ensure digital safety for guests

The hotel must be aware of the importance of protecting devices as well as protecting personal data and privacy to avoid cyberattacks. To do this, ensuring the privacy of customers through training and awareness by hotels is essential.

For the peace of mind of the guests, the hotels should complete constant intrusion tests to evaluate the state of the systems, auditing their security from the point of view of possible external attacks. In order to make an optimal security assessment, it is best to carry out controlled attacks on the systems.

In conclusion, every company should invest in cybersecurity. No matter what type of company or size, anyone could be faced with a potential cyber attack and lose information, be unable to meet their commitments in time, be unable to offer customers the services they have contracted for, or simply be unable to access their own workers.

Bibliography

Clark, P. (July 4, 2019). Hotels Face Increasing Risk of Security Breach by Cyber Hackers. Retrieved from: https://skift.com/2019/07/04/hotels-face-increasing-risk-of-security-breach-by-cyber-hackers/

HotelNewsNow. (November 30, 2018). Timeline: The growing number of hotel data breaches. Retrieved from: http://www.hotelnewsnow.com/Articles/50937/Timeline-The-growing-number-of-hotel-data-breaches

Sanger, E., Perlroth, N., Thrush, G., Rappeport, A. (n.d.). Marriott Cyber Attack: Hotel Data Breach That Hit 500 Million Guests Linked to Chinese Spy Agency. Retrieved from: https://www.independent.co.uk/life-style/gadgets-and-tech/marriott-cyber-attack-starwood-hotel-data-breach-china-spy-agency-guests-a8679006.html

Cybersecurity in Travel and Tourism: A Risk-Based Approach

  • Living reference work entry
  • First Online: 28 March 2020

  • Alexandros Paraskevas

As the travel and tourism sector embraces emerging technologies to redefine products, services, and consumer experiences, its cyber ecosystems become increasingly vulnerable to security risks related to these technologies, the huge amount of financial transactions they carry out, and the valuable customer data they store. Over the last few years, several high-profile organizations in the sector made negative headlines because they did not pay appropriate attention to these risks and took an approach to cybersecurity that was fragmented, technology-focused, and compliance-oriented. It is evident that a step change is needed, and this chapter presents a more comprehensive, business-driven, and risk-based approach to building cybersecurity capability in an organization. The chapter starts with the business case for a cybersecurity strategy and then unfolds the components of a risk-based approach to cybersecurity.

Author information

Authors and affiliations.

London Geller College of Hospitality and Tourism, University of West London, London, UK

Alexandros Paraskevas

Corresponding author

Correspondence to Alexandros Paraskevas.

Editor information

Editors and affiliations.

Department of Hospitality and Tourism Management, Virginia Polytechnic Institute and State University, Blacksburg, VA, USA

Zheng Xiang

Department of Tourism Studies and Geography, Mid Sweden University, Östersund, Sweden

Matthias Fuchs

Annenberg School for Communication and Journalism, University of Southern California, Los Angeles, CA, USA

Ulrike Gretzel

Department of Business Informatics, University of Applied Sciences Ravensburg-Weingarten, Weingarten, Germany

Wolfram Höpken

Section Editor information

The Howard Feiertag Department of Hospitality and Tourism Management, Virginia Polytechnic Institute and State University; Pamplin College of Business, Blacksburg, VA, USA

Copyright information

© 2020 Springer Nature Switzerland AG

About this entry

Cite this entry.

Paraskevas, A. (2020). Cybersecurity in Travel and Tourism: A Risk-Based Approach. In: Xiang, Z., Fuchs, M., Gretzel, U., Höpken, W. (eds) Handbook of e-Tourism. Springer, Cham. https://doi.org/10.1007/978-3-030-05324-6_100-1

DOI: https://doi.org/10.1007/978-3-030-05324-6_100-1

Published: 28 March 2020

Publisher Name: Springer, Cham

Print ISBN: 978-3-030-05324-6

Online ISBN: 978-3-030-05324-6

eBook Packages: Springer Reference Business and Management Reference Module Humanities and Social Sciences Reference Module Business, Economics and Social Sciences

TechRepublic

Managing Cloud Security Posture: Continuous Monitoring and Hardening for Visibility and Compliance

Cloud adoption is not slowing down, and neither is the cloud threat landscape. Among many other benefits, the cloud offers increased productivity and flexibility, as well as reduced infrastructural costs.

However, despite delivering many benefits, API endpoints hosted in the cloud can be susceptible to at least 12 security issues. These issues can come in different forms, and tackling them requires diverse approaches and concepts. Experts argue that one solution to such cloud security challenges is having comprehensive cloud security posture management (CSPM) in place.

Franklin Okeke, writing for TechRepublic Premium, looks at the best practices for an effective CSPM, emphasizing how organizations can achieve cloud visibility and compliance through continuous monitoring and cloud hardening.

Featured text from the download:

CLOUD SECURITY THREAT LANDSCAPE: THE COMPELLING CASE FOR CSPM

Human error

IT teams are also prone to human error, which can introduce cloud security risks to company infrastructure. These errors may be unintentional actions or lack of actions on the side of an employee or user. CrowdStrike noted that 60% of container workloads observed in their cloud risk report lacked properly configured security protections. More than one-third (36%) of detected misconfigurations had insecure cloud provider default settings, all due to human errors.

It is important to note that the majority of cloud security providers operate on a shared security responsibility model, which means that the cloud provider’s responsibility ends with their infrastructure. Everything else you bring into their cloud environment is your responsibility. This led to Gartner stating that by 2025, about 99% of cloud security failures will be the customer’s fault.

COMMENTS

  1. Cybersecurity in the Hospitality Industry: Challenges and ...

    Cybersecurity in the Hospitality Industry: Challenges and Solutions. Hospitality is a broad field encompassing service organizations that provide lodging, food and beverages, travel and tourism, and entertainment and recreation. Since the COVID-19 pandemic hit the hospitality industry hard, it's made significant steps toward recovery.

  2. Cybersecurity threats in tourism and hospitality: perspectives from

    In recent years, the number of cyber-attacks has increased significantly, affecting various business sectors, including tourism and hospitality. However, research on cybersecurity in tourism remained scarce. The current study aims at investigating cybersecurity threats from tourists' perspectives while using sharing economy services.

  3. Cybersecurity in the Hospitality Industry: Your 2024 Guide

    Mitigate financial losses. Research from cybersecurity service provider Trustwave in its 2023 Hospitality Sector Threat Landscape report shows that 31 percent of hospitality businesses have experienced a data breach. Among them, 89 percent experienced repeat breaches, with the per-breach cost averaging $3.4 million [3].

  4. NIST Offers Cybersecurity Guide Tailored to the Hospitality Industry

    A new practical cybersecurity guide from the National Institute of Standards and Technology (NIST) can help hotel owners reduce the risks to a highly vulnerable and attractive target for hackers: the hotel property management system (PMS), which stores guests' personal information and credit card data. The three-part guide, formally titled ...

  5. Cyber Security in the Hospitality Industry

    What is cyber security in the hospitality industry? 2. What is a hotel data security breach? 3. Why hotel cyber security is important; 4. Common cyber security threats in the tourism and ...

  6. Top Risks Facing Hospitality, Travel and Leisure Organizations

    The hospitality industry ranked cyber attack or data breach as its number one current risk in the 2023 survey, up from number four in 2021. Cyber risk is a central risk for hotel companies and gaming organizations that handle customer information in addition to employee records and other confidential or strategically sensitive data.

  7. Tourism and Troubles: Effects of Security Threats on the Global Travel

    Nonetheless, the global travel and tourism (T&T) service sector has been afflicted with persistent and episodic security threats over the past two decades (Araña & León, 2008; Goldman & Neubauer-Shani, 2017; Pizam, 1999; Saha & Yap, 2014), including the recent COVID-19 pandemic (Farzanegan et al., 2021). For example, the global service economy, especially the T&T service industry, has ...

  8. Essential Cybersecurity for the Hotel Tech Community

    Essential Cybersecurity for the Hotel Tech Community. October 26, 2020. By: Marisa Harriston. In recent years criminals and other attackers have compromised the networks of several major hospitality companies, exposing the information of hundreds of millions of guests.[1] A hotel property management system (PMS) is a prime ...

  9. Cybersecurity in Travel and Tourism: A Risk-based Approach

    The importance of researching cyber security in tourism is based on the fact that tourism is a particularly vulnerable and sensitive branch of the economy to risks that affect tourists as such ...

  10. A Complete Guide to Cybersecurity in the Hospitality Industry

    The hospitality industry experiences extremely high turnover rates and this can pose a cybersecurity threat for hotels. Employees could take sensitive data with them when they leave, or retain access to hotel systems and data. To avoid data breaches or other security issues, hotels must take steps to mitigate risk when employees leave.

  11. Hotels in hackers' sights as technology replaces personal touch

    Hotels and hospitality businesses are now the third most targeted by cyber attackers of all industry sectors. Despite being bricks-and-mortar enterprises — set up for physical enjoyment of their ...

  12. A Review of Cyber Security Issues in Hospitality Industry

    Figure 1 depicts an overview of cyber security threats in hospitality industry and potential cyber attack prevention methods that are discussed in this paper. 2.1 Hardware/Software Used in Hospitality Industry. IT is the science and technology of using computers and other electronics to save and transmit information.

  13. The 4 biggest cybersecurity threats facing the tourism industry in 2022

    In 2021, the Cyber Security Agency of Singapore (CSA) received 1,238 reports of cybersecurity incidents from businesses, and other organisations, an increase from the 972 reports it received in 2020. This has also been made far worse by Covid-19; although travel came to a standstill during lockdown, people spent more and more time online ...

  14. Combatting Cybersecurity Threats in the Hospitality Industry

    Cybersecurity in the hospitality industry is like that silent, unseen guardian that keeps the bad guys at bay while everyone else goes about their day, blissfully unaware of the digital dangers ...

  15. Report: 31% of hospitality organizations have had a data breach

    Trustwave released research shedding light on the distinctive cybersecurity risks encountered by the hospitality industry. The report, "2023 Hospitality Sector Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies," explores the specific threats and risks that hospitality organizations face, along with practical insights and mitigations to strengthen their defenses.

  16. RH-ISAC

    As travel restrictions ease in 2022, hotel InfoSec departments are preparing for an influx of customers as well as an increase in cyber attacks. Hotels secure a large amount of sensitive customer data and have a broad attack surface, so they are common targets for threat actors. Here are five of the top cyber threats facing the hotel industry.

  17. A Review of Cyber Security Issues in Hospitality Industry

    The tourism and hospitality industry is susceptible to cybersecurity threats, with cybercriminals often targeting the industry to steal personal and financial information from guests and employees ...

  18. Data Security in Hospitality: Risks and Best Practices

    Best practices for companies in the hospitality sector to protect data include: Always encrypt payment card information. Operate a continuous training program in cybersecurity to maintain a well-trained workforce. Always adhere to relevant regulations, such as PCI DSS. Use cybersecurity measures such as firewalls, network monitoring, anti ...

  19. Cybersecurity: The Top Threats To Look Out For

    The issue of cybersecurity attacks is not a new phenomenon. Cyber threats have been prevalent since the inception of the internet, but in recent years, their frequency and severity have grown significantly. The projected global costs of cybercrime are expected to skyrocket to $10.5 trillion by 2025, a sharp increase from the $3 trillion recorded in 2015. As a result, it is imperative for ...

  20. Cybersecurity at Hotels: 6 Threats For Hotels to Manage

    Cybersecurity for hotels should always include a process to mitigate any compromised systems should they go down in a DDoS attack. 4. Point of sale/payment card attacks. Point-of-sale attacks pose the biggest threat to the hotel industry as a whole. Rather than attacking the hotel itself, they are a third-party crime, meaning they attack the ...

  21. Network & Cyber Security in Hospitality and Tourism

    The tourism sector was transformed early on by digitalization, which makes it a very innovative area of business. At the same time, this high level of digitalization maturity makes it a very vulnerable industry in terms of cyber security. As a tourism specialist, it is therefore crucial to have a good understanding of network and cybersecurity.

  22. Cybersecurity in Hospitality Industry

    On the flip side of the coin comes vulnerabilities. Internet of things, implementation of electronic devices and similar conveniences also pose serious threats regarding the security of our sensitive information. That is why cyber security practices gain much more importance in the hospitality industry. In this article, we will discuss what ...

  23. Cybersecurity in Tourism & Hospitality: the urge of protecting customer

    Cybersecurity is defined as the area related to computing and telematics that focuses on protecting the computer infrastructure and avoiding all types of threats, which put at risk the information that is processed, transported and stored in any device. A distinction must be made between general security and cyber security: Security is the ...

  24. Cybersecurity in Travel and Tourism: A Risk-Based Approach

    Abstract. As the travel and tourism sector is embracing emerging technologies to redefine products, services, and consumer experiences, their cyber ecosystems become increasingly vulnerable to security risks related with these technologies, the huge amount of financial transactions they carry out, and the valuable customer data they store.

  25. Crisis Management and Sustainability in Tourism Industry ...

    Crises represent one of the foremost impediments to the sustainability of activities within the tourism industry. According to Zhong et al. (p. 1), "The tourism industry is vulnerable in nature". In recent years, the global tourism industry has experienced numerous crises and disasters, including terrorist attacks, political instability, economic downturns, biosecurity threats, and ...

  26. A Stakeholder Needs Analysis in Cybersecurity: A Systemic ...

    The escalating complexity and sophistication of cyber threats necessitate advanced solutions that not only counteract these threats but also proactively adapt to the evolving needs of diverse stakeholders involved in digital infrastructures, such as telecom operators, cloud service providers, and end-users in sectors like healthcare and finance. This research addresses a crucial gap by ...

  27. Managing Cloud Security Posture: Continuous Monitoring and Hardening

    Boost your cloud security knowledge with our in-depth 12-page PDF. This is available for download at just $9. Alternatively, enjoy complimentary access with a Premium annual subscription.

  28. Spatio-Temporal Evolution and Driving Factors of Tourism Economic

    The tourism economy plays an essential role in supporting and driving tourism development. Therefore, studying its resilience is crucial for promoting sustainable and high-quality tourism development. The purpose of this study is to construct a tourism economic resilience evaluation index system and assess the tourism economic resilience of 10 counties and cities in the Ili River Valley from ...