Hotel industry fights constant hacker exposuresReprints
Travelers who check into hotels may run into some uninvited guests in the form of hackers looking to steal their financial information, analysts warn.
Hotel security breaches have made headlines recently. In July, Trump International Hotels Management L.L.C. said a data breach at a service provider compromised payment card details at 14 of its properties. The compromised information included payment card numbers and card security codes for some of the hotel chain's reservations processed through the central reservation system of service provider Sabre Corp.
The breach was part of a cyberattack on Sabre's systems disclosed in May. Saber's reservation systems are used by nearly 36,000 properties worldwide, according to Sabre.
The Verizon 2017 Data Breach Investigations Report said point-of-sale attacks are “absolutely rampant” in the hotel industry.
“Accommodation was the top industry for point-of-sale intrusions in this year’s data, with 87% of breaches within that pattern,” said the report, released in May.
“Every major hotel group has been compromised,” Robert E. Braun, a partner with law firm Jeffer Mangels Butler & Mitchell L.L.P. in Los Angeles, said Monday, “and it’s almost always a point-of-sale system, which is a third-party system. The problem is that hotels have a number of systems. If systems are connected in hotels, it means that unless you disassociate them, you have what they call in the food business cross-contamination.”
In order to prevent hackers from leaping from one system to another, Mr. Braun said many companies are decoupling their systems, creating moats or air gaps between different systems such as their legacy system and their POS system, but this is difficult to implement.
Wi-Fi demand ups the risk
Mr. Braun said the public’s demand for Wi-Fi services also can be challenging for hotels.
“The conundrum about hotel Wi-Fi is that it’s rapidly become one of the most very desired benefits or accoutrements of the hotel stay,” he said. “It’s right up there with having hot water.”
Hotel guests, Mr. Braun said, don’t want the Wi-Fi system to be complicated.
“People who travel don’t want to have to make it difficult,” he said. “They want it now and they want it free, which means the systems themselves tend to be very bare-bones. So there is very little, if any, security built into them, particularly the lobby Wi-Fis.”
Doug Jones, managing partner with JAG Insurance Group in Coral Gables, Florida, said the smaller hotel operations are also being targeted by hackers as well as the big hotel chains.
“The real problem right now is that we’re finding — and our clients are finding — that the little guys are targets,” Mr. Jones said. “They’re realizing there is no discrimination amongst these hackers. They’re now targeting the smaller companies because they know they don’t have infrastructure to protect themselves. If you can’t protect Targets,” he said of large retailer Target Corp., “you can’t protect a guy that owns two hotel chains.”
While larger hotel chains and businesses will recover from a cyberattack, Mr. Jones said the smaller hotel operators will likely go bankrupt once news of the attack goes public.
“Now you have a (public relations) issue,” he said, “now you have a black flag hanging outside your hotel. And in a market where I am — South Florida, Miami specifically — there’s options upon options upon options. When you become that one guy that gets attacked, your bookings slow down if not stop.”
The right insurance policy will have public relations covered, Mr. Jones said.
Mr. Braun said hotels should consider first-party costs, such as investigation, remediation, notification and compensation. These are in flux, he said, and the standards from a few years ago might not be adequate. Hotels should also ensure the business interruption portion of the policy is adequate in case a cyber event shuts the facility down.
“There are great variations between different policies, both in price and coverage,” he said. “Shop around for the best coverage.”