As a result of recent breaches, it is important for hotel companies to be perceived as a secure brand and to gain customer trust through having legitimate risk processes in place.
“Holidaymakers warned to protect phones and laptops when traveling to Europe.” “Cyberattack hits 1,000+ hotels in the United States.” “Large hotel chain discovers credit card breach again.” “Hotel hit by ransomware attack.”
These are only snippets of the headlines that have featured in the leisure news since a wave of cybercrime activity started to target large hotel chains in 2015.
Three years later and the leisure industry has woken up to the threat of cyberattacks, but they’re not the only ones speeding up. Hackers have become more sophisticated, better informed of the processes and systems in place, and are finding more ways to beat security systems. They are also sometimes not being detected until a few months after gaining entry into the system, allowing a prolonged time to steal customer information.
In order to combat cyberattacks and shield your business from risk, it is paramount to have an understanding of how you may be hacked. In essence, think like a hacker to beat them at their own game. How will they attack? When will they attack? What is their motivation?
Ransomware is a form of malicious software that, once it's taken over a computer, imposes threats on the individual, usually by denying access to data. The attacker demands a ransom and agrees to restore access to the data upon payment. This means that hackers actually want you to get your files back, as that will mean they receive their payment.
A ransomware attack could also potentially affect electronic door lock systems, stopping guests from accessing or exiting their rooms. Therefore, if the problem isn’t resolved, the business model doesn’t work. Ransomware attacks only require one employee to click on a malicious attachment for the floodgates to open.
Hackers can attach a circuit board on the keycard locks on the doors in a global hotel chain. Afterwards, it can then be unlocked without a keycard. Once inside, high-value goods are located and stolen.
Increased connectivity via Wi-Fi, Bluetooth and cellular, among others, provides additional attack surfaces for hackers. As more devices connect to the internet, opportunities will increase exponentially for hackers to come into the enterprise via other connections and third-party service providers.
Smaller organizations that possess highly valuable customer credit card data are vulnerable against hackers. Weaknesses in the infrastructure that protect this data make it easier for them to obtain information.
Successful hotel brands have a focus on providing an excellent customer experience. But what happens when hackers take advantage of the information that customer service agents will be willing to disclose to “go the extra mile” for customers?
Criminal groups continue to exploit insecure “Internet of things” devices as sources of attack traffic for denial of service attacks, leading to more and more extortion attacks.
Hackers know that it’s getting more difficult to hack a hotel’s systems directly, so they look to other avenues of entry. Third-party payment systems such as online reservation bookings, gift shops, spas, etc., could provide a more vulnerable point of access that might not have the same level of security as the hotel itself.
Loyalty programs are commonplace in the hotel industry and extremely important to the large global operators, with many brands now offering points and rewards in return for frequent and loyal customers. However, this could be compromised with a simple telephone hack, which would put both the customer’s data and well-earned rewards at risk.
Hackers use stolen credit card details to make a pre-paid reservation in your hotel under a fake name. The rooms are being sold in real time on the internet to other guests for a large discount who are unaware of the scam. You only find out about the scam when the guests have gone and the bank reverses the payment.
Preparing to hack: The approach
- To identify the vulnerabilities, hacktivists experiment with the hotel’s security systems. They’re creative and persistent in their approach, thinking curiously to expose the possible routes of entry.
- Scanning and testing all potential routes of access helps hackers decide which attack they carry out. They observe and apply critical thinking while they determine how to proceed.
- The access is planned by using the knowledge gained in the scanning and testing phases, with a focus on results in mind.
- In order to maintain access, hackers are willing to adapt their approach as necessary to stay inside.
- Money is made through deploying ransomware, or stealing information, reservations or assets from you.
The response plan: How to react in the event of data breach
The difference between a good and a bad response can have a significant impact on reputation, and potentially share price. With the revised EU General Data Protection Regulation (GDPR) taking effect on 25 May, companies that store, process and use customer data must rethink their data protection procedures.
Here are the steps you could consider taking in response to data breach:
- Prepare run books and rehearse them with your technical and leadership teams periodically in order to understand whether you would know when you are attacked and what you need to do.
- Evaluate the severity by considering what you know, and what you don’t know. Deliver clear, accurate and consistent messaging internally to the regulators and also to your customers.
- Immediately inform the people responsible for cybercrime. Apart from the COO, legal counsel, security, IT, marketing and PR departments all must be tightly involved in the response process to make sure the right coordinated actions are taken.
- Communicate appropriately and effectively where customers are affected and plan what relevant information is to be released to stop other information leaking out. Work with the PR and marketing teams to decide what is to be publically known to reduce panic and confusion with customers.
- Learn from the attack by reviewing security controls and consider what you know about this attack to mitigate it happening again in the future. Know what the threats were, conduct advanced planning and have the correct systems and staff in place.
Will Hawkley is U.K. and Global Head of Leisure & Hospitality at KPMG and has been with the company working with clients across the sector for 17 years.
Mark Thompson is Privacy Practice Leader for KPMG Privacy Advisory Practice, which helps clients build and embed pragmatic governance frameworks, processes and controls to address complex multijurisdictional compliance and risk management challenges.
Tina Haller, Senior Manager Deal Advisory KPMG Germany, has over 15 years of experience advising clients on hospitality and real estate projects.
The opinions expressed in this column do not necessarily reflect the opinions of Hotel News Now or its parent company, STR and its affiliated companies. Bloggers published on this site are given the freedom to express views that may be controversial, but our goal is to provoke thought and constructive discussion within our reader community. Please feel free to comment or contact an editor with any questions or concerns.