What Hoteliers Need to Know About The Cybersecurity Risks of Mobile-First Hotel Technology
By Suzie Squier, President, Retail & Hospitality ISAC | February 2023
As we move into 2023, the majority of the pandemic's travel restrictions have been lifted, but many of the digital features that hotels implemented during COVID-19, such as mobile check-in, contactless payments, and app-based room keys, are here to stay.
While these technological advances have improved the physical safety of guests, they are also an attractive target for cyber criminals, increasing the risk of cyber attack.
Cyber Attacks Targeting Hospitality
According to a recent report by Accenture, the hospitality and travel industry was the fourth most targeted for cyber incidents in 2021. This trend continued in 2022 with several high-profile attacks on well-known hotel chains.
Hotels are seen as a lucrative target for cyber-criminals due to their high volume of online transactions and the amount of personally identifiable information (PII) and payment data they store. They also rely on third-party vendors, such as travel booking sites, which results in a frequent transfer of sensitive data. Compromise of one of these third parties could result in the attacker gaining access to the networks of the hotel chains they partner with, widening the data pool and increasing potential profit.
Often, these attacks begin with some type of social engineering, such as phishing, in which an attacker sends an email containing malicious links designed to introduce malware into the company network. From there, the attacker may exfiltrate data such as customer information and financial records for their own use or to sell on the dark web, or they may deploy ransomware in an attempt to extort the hotel. Ransomware cases usually involve not only the exfiltration of data but also the shutdown of company systems, preventing the organization from doing business.