Safeguarding the Guest Experience from Hotel Cyberattacks

By Emily Loupee Area Senior Vice President - Real Estate & Hospitality, Gallagher & Co. | April 14, 2019

Co-authored by Matt Gullickson, National Resource, Arthur J. Gallagher Risk Management Services, Inc.

The hospitality industry is designed to cater to the guest, and technology has only pushed the concept of providing the ultimate guest service further. From robots that deliver luggage to rooms to concierge chatbots that are available 24/7, there is an ever-increasing number of touchpoints between hotel guests and technology. While these offerings are meant to make a guest's stay more convenient, they also leave the hotel vulnerable to cybercrime that could put their guests' safety and privacy in jeopardy.

In this article, we will explore how the rise of the Internet of Things (IoT) and artificial intelligence (AI) has been an increasing trend in the hotel industry, and how the shift towards smart devices in hotel rooms is expected to soon become the norm. And while guests appreciate the ease and luxury of these devices, hotels face serious cybersecurity risks if these products are not secure. It is a hotel's responsibility to take the necessary actions to protect its guests' privacy and personal data, and that starts with understanding smart devices. Doing the research on any IoT or AI products for the hotel, talking to IT and cybersecurity experts and making knowledgeable, thoughtful decisions will go a long way in preventing cyberattacks.

Unfortunately, it is no longer a matter of "if" an IT network or system will be cyberattacked, but a matter of "when." The hospitality industry is particularly attractive to hackers becauseof the many ways it uses technology to improve the guest experience. Hotels also collect a wealth of personal and private data on their guests, from credit card and passport information to allergies and number of people in a room.

What makes AI and IoT products so difficult to protect against hackers is that they are often seemingly benign products like smart lighting, drapes and thermostats, which do not seem to possess any inherent threat. However, once they are connected to Bluetooth or the Internet, they all become potential gateways for hackers. Hotels, and the broader hospitality industry, must weigh the risks versus rewards of incorporating AI and IoT devices into the guest experience. Perhaps avoiding convenience technology altogether is the answer. But that's not how the hospitality industry works. Just check out any list of 2019 trends for hotels and technology is often at the top spot. Guests expect hotels to take advantage of the latest technology, or the hotels risk being considered antiquated or passe.

Even bed-and-breakfasts and boutique hotels understand that while guests might not stay at their hotels for a high-tech experience, they must at least offer guests complimentary Wi-Fi. This is an example of how guest expectations have shaped what was once a bonus amenity and way to stand-out from competition, into a standard and expected requirement.

Today, major hotel chains are beta-testing high-tech concept rooms built entirely around the IoT. Smart technology is embedded into almost everything, including the mirror, art frames, showers and faucets. Technology that knows when you're out of bed and turns on lights to create a path to the bathroom or sensors that can tell how many people are in the room and adjust the oxygen in the room accordingly are just a sampling of the new technological benefits in hotels.

Of course, there are many instances when technology improves security. One Gallagher client, a major hotel chain, has been rolling out digital keys at various locations. While a digital key does not exactly fall into the AI or IoT categories, it does represent the digitalization of a "traditional" item, the plastic hotel swipe key. The hotel believes digital keys will gain in popularity and even cites security as a benefit over the plastic swipe keys. For example, some magnetic key cards can be copied and read wirelessly. Physical theft is also a risk, as many guests keep their room numbers and keys together for convenience. A smartphone has a phone lock and the digital key app requires a separate login. From that perspective, the hotel doesn't view the digital key as an increased risk.

Nevertheless, tech security experts reportedly found ways to hack the digital keys. Using an antenna, they captured the transmission the phone app sends to the hardware lock to trigger the mechanism that unlocks door. Once they have that transmission it can be replayed later to unlock the door. Cyberattacks are increasingly sophisticated and will take advantage of any weakness. For example, there was a report of hackers who gained access to a casino's high-roller database by hacking the thermometer of a fish tank in the casino lobby. If something as innocuous as an unprotected aquarium thermometer can lead to a serious cybersecurity breach, how can hotels possibly protect themselves and their guests?

It begins with being knowledgeable. Cybersecurity experts advise that before making any AI or IoT upgrades, it is imperative to research the products' history and security capabilities. Understanding how AI or IoT products could be used as potential entryways for hackers is the first step toward preventing that threat.

Experts also advise taking inventory of all the AI and IoT products a hotel uses and put in place security measures for each of them. For example, it is highly recommended that AI and IoT devices are not on the same network as other critical systems, such as the reservation system. Putting in place a dedicated Wi-Fi channel or router for AI or IoT may not prevent a hacker from gaining access to those devices, but it will prevent those devices from being used as gateways.

In addition, while it may be tempting to cut costs when purchasing these devices, the least expensive options often have minimal or no security defenses. When hotels are planning to install AI or IoT devices, a significant security investment should be included in the budget.

Once the devices are selected, they should be tested prior to installation. Testing devices in an isolated environment will help hotels identify potential risks, areas of sensitivity and how the devices might interact with the hotels existing systems. Along with budgeting for costs, hotels should take into consideration the time it will take to properly install and test all devices before they go live.

Another area of investment for hotels is employee training on how to prevent cybersecurity breaches. Everything from how to avoid falling victim to an email phishing scam to mandatory password updates are critical to preventing cyberattacks. However, mistakes happen. For example, one Gallagher hotel client found themselves facing liabilities after an employee inadvertently sent a spreadsheet that included credit card numbers to a public-facing email listserv. While that was human error, there are also cases when employees purposefully steal private information. One such event occurred when a Gallagher hotel client learned that one of its employees was stealing guests' credit card information.

The scheme was uncovered when a guest notified hotel management that the employee behind the counter had asked for the person's zip code when running the credit card. The guest thought it was an odd and unnecessary request. Sure enough, when hotel management checked security footage it showed the employee taking photos of credit cards with a smart phone while chatting with the guests.

While this was not a cybercrime, it was still theft. It's also an example of why it's so important for hotels to have broad cyber insurance coverage that includes aspects such as privacy liability, which would cover malicious and negligent activities of employees. A hotel industry insurance professional can help hotels make informed decisions on the right policy for them.

It's also important to make sure cyber policies are regularly reviewed and updated. Technology evolves incredibly fast, and it can be a challenge to make sure current policies align with the latest tech offerings. It's no longer enough for cyber insurance to cover breaches that steal guests' personal information. Now, cyber insurance must be broad enough to cover exposures from chatbots, AI, IoT products and other smart devices.

With all the potential risks, it may seem like an obvious decision for hotels to invest in cybersecurity and cyber liability coverage. Hotels, however, often have at least three separate entities – an owner, a hotel management company and a hotel brand – that oversee different aspects of the hotel. With different parties to satisfy, it can become complicated discussing cybersecurity, which is not always easily understood. Take, for example, the viewpoint that the early adoption of AI is a differentiator for hotels and a way to stand out in a crowded market. Another viewpoint might be to wait and see if other early adopters experience any pitfalls from these AI products and learn from those mistakes.

Knowing it might be a challenge to come to a consensus on what a hotel's cybersecurity and cyber liability coverage looks like, it is important that those in the hotel industry take the time to understand exactly what they're providing their guests when it comes to AI and IoT devices. It all comes down to being knowledgeable about the products. With all this incredible technology and the exciting new ways to enhance a guest's experience, it is important not to lose sight of all the behind-the-scenes necessities –investing in cybersecurity, having cyber liability coverage in place, training employees – that makes using the technology as safe and secure as possible.

Mr. Gullickson This article was co-authored by Matt Gullickson. Mr. Gullickson is a member of the Cyber Liability Practice and serves as a national resource for Arthur J. Gallagher Risk Management Services, Inc. His sole focus is on Information Privacy, Network Security, Media, and Professional Liability exposures. Mr. Gullickson's primary goal is to help organizations effectively manage the threats specific to their industry and operations through close partnerships with client management teams. He works to educate and guide his clients through the risk-identification process in order to obtain tailored coverage solutions while also identifying opportunities to implement appropriate loss control measures. In addition, he helps clients navigate the claims process to ensure the appropriate steps are being taken to protect the organization. Mr. Gullickson started at Gallagher as an intern in 2011, officially joining the company full time in 2012. He has worked with clients across various industries including legal, finance, healthcare, retail and technology.  

Ms. Loupee Emily Loupee joined Gallagher & Co. in October of 2008 as an Account Executive in the Glendale office. She is part of a team of 20 professionals and is responsible for servicing existing accounts, developing new business accounts, and supervising Account Managers and Account Assistants. Ms. Loupee specializes in placing Professional and Management Liability for the Real Estate industry. Ms. Loupee is the Co-National Director for the Real Estate Practice for Management and Professional Liability and operates as a knowledge resource for the country for both clients and other Gallagher brokers. She leads the placements for Management and Professional Liability policies for public and privately-held companies, with expertise in negotiating policy language, structuring complex programs and tailoring policies to fit each client. She helped craft and launch the Gallagher Real Pro Plus product geared toward providing comprehensive, real estate specific Management and Professional Liability for real estate companies. Ms. Loupee can be contacted at 818-539-2300 or Please visit for more information. Extended Biography

HotelExecutive retains the copyright to the articles published in the Hotel Business Review. Articles cannot be republished without prior written consent by HotelExecutive.

Choose a Social Network!

The social network you are looking for is not available.


Hotel Newswire Headlines Feed  

Daniel Link
Tony Heung
Tim Peter
Brandon Billings
Suzanne McIntosh
Coming up in May 2019...

Eco-Friendly Practices: Corporate Social Responsibility

The hotel industry has undertaken a long-term effort to build more responsible and socially conscious businesses. What began with small efforts to reduce waste - such as paperless checkouts and refillable soap dispensers - has evolved into an international movement toward implementing sustainable development practices. In addition to establishing themselves as good corporate citizens, adopting eco-friendly practices is sound business for hotels. According to a recent report from Deloitte, 95% of business travelers believe the hotel industry should be undertaking “green” initiatives, and Millennials are twice as likely to support brands with strong management of environmental and social issues. Given these conclusions, hotels are continuing to innovate in the areas of environmental sustainability. For example, one leading hotel chain has designed special elevators that collect kinetic energy from the moving lift and in the process, they have reduced their energy consumption by 50%  over conventional elevators. Also, they installed an advanced air conditioning system which employs a magnetic mechanical system that makes them more energy efficient. Other hotels are installing Intelligent Building Systems which monitor and control temperatures in rooms, common areas and swimming pools, as well as ventilation and cold water systems. Some hotels are installing Electric Vehicle charging stations, planting rooftop gardens, implementing stringent recycling programs, and insisting on the use of biodegradable materials. Another trend is the creation of Green Teams within a hotel's operation that are tasked to implement earth-friendly practices and manage budgets for green projects. Some hotels have even gone so far as to curtail or eliminate room service, believing that keeping the kitchen open 24/7 isn't terribly sustainable. The May issue of the Hotel Business Review will document what some hotels are doing to integrate sustainable practices into their operations and how they are benefiting from them.