The hospitality industry was quicker than most to realise the value of customer data. Finding out as much as possible about guests’ preferences and expectations and then catering to them has helped hotels foster the sort of brand loyalty that banks, utilities and retail chains can only dream of. As with all good things, however, there are potential pitfalls. Hotels are sitting on huge amounts of information, some of it highly confidential, at a time when computer hackers have the upper hand over their targets. Reams of personal data sit on sprawling networks, often spanning multiple hotels in different countries and accessible through multiple devices, increasing the number of potentially vulnerable points and making it very hard to find rogue agents once they’ve gained access.

The problem is undoubtedly serious, but the industry response – or lack thereof – may have made things worse. Unlike the banking sector, for instance, which is used to dealing with terabytes of confidential data, many hotels are technologically and procedurally unprepared for a cyberattack.

There is also a widespread refusal to acknowledge the seriousness of the threat, with many operators fearful that even talking openly about the problem could create a negative association, or cause a breach of confidence, in the collective public mind.

The fact is that reputational damage is being done, whether or not operators choose to discuss the subject. The past 18 months have seen a series of high-profile cyberattacks on some of the biggest hotel operators in the business, including Starwood, Marriott, Hyatt, Trump Hotels and Kimpton.

In December 2015, Wyndham Hotels and Resorts reached a settlement with the Federal Trade Commission over the theft of the credit card data of 600,000 customers. Although Wyndham did not have to pay a fine or admit wrongdoing, its computer systems will come under mandatory oversight for the next 20 years.

Technical difficulties

Stewart Room, partner at consultancy PWC Legal and cybersecurity specialist, believes the time for denial is over. “Awareness levels are only going one way and we are rapidly approaching a tipping point at which entities will realise that they have no choice,” he says.

“They have to do much more to tackle the security and cyberrisks they face and to live up to the expectations that society places in them. If the full roll call of entities that have been humbled in the news is considered, the conclusion seems to be obvious: security and privacy issues are not being accorded the priority they deserve.”

Most hotels will have two networks, one administrative, and one for customers. Although there have been cases of hackers targeting individuals – often high-profile guests, as with the DarkHotel virus that has been striking Asian hotels since 2007 – most are aimed at the admin network that contains most of the sensitive data.

If the full roll call of entities that have been humbled in the news is considered, the conclusion seems to be obvious: security and privacy issues are not being accorded the priority they deserve.

Another trend, as seen in the attacks against Kimpton Hotels in July, is for operations aimed at the point of sale (POS), where hackers exploit vulnerabilities hotels’ payment networks by placing data-harvesting malware in the POS terminal.

Credit card data entered into a till or card machine is relayed off-site, often to an FTP server, where fraudsters line up to buy and exploit it.

To combat these attacks, admin and payment networks should enforce strict rules about which devices are authorised to gain access, and require multiple passwords to do so. This should be allied with the usual computer protections, such as virus and malware detection software.

Trevor Dowswell, CIO at Hotel Internet Services, believes that hotels are generally good at putting these measures in place. The problem is making sure the partners they hire to do it stick to their task. “Technology as a whole is widely misunderstood, so the implementation and upkeep of it is usually entrusted to people who tout themselves as professionals in that area,” he says.

“I think that most responsible hoteliers are trying to do the best they can by hiring people who have the recommendations, so I don’t think there’s negligence on their part. It’s the companies they hire that might not have everything up to snuff. Once they get that contract I’m not sure how proactive they are being.”

Seeing the wood for the trees

However, in the view of James Rashleigh, a director of PricewaterhouseCooper’s cybersecurity business, excessive focus on technology can blind a management team to the greater problems of organisational strategy and culture.

Hackers are increasingly targeting individuals within organisations; all it takes is for one person to click on a single dodgy link and a whole computer system is compromised. A hotel company needs to have a robust strategy in place to deal with cybercrime, starting at the top, and filtered through the organisation through extensive training.

“The organisations that are better at this have practised breaches,” Rashleigh says.” They’ve got the board in a room and done a crisis episode in which they’ve said, ‘We have just been hacked and have lost our most sensitive customer data. What are we going to do about it?’

“Organisations need to go through that in order to understand what their detailed response process would be.

“That is not common practice at the moment. When the inevitable breach does happen, there is often a lack of clarity, even on what the risk tolerance is in terms of protecting the brand.”

The need for such a strategy will only grow with the introduction of the General Data Protection Regulation by the European Union, set for 2018. This legislation will force companies to admit when they’ve suffered a data breach and allow for the imposition of hefty fines in cases where the privacy of the individual is compromised.

“Modest compensation” for low-level distress is expected to be a minimum of £1,000, with no upward limit. If the data of millions of customers goes missing, which is not unprecedented, the financial consequences could be ruinous.

“One of the dangerous things we see in organisations is that they bundle a cyberattack into the ‘major incident’ category,” says Rashleigh. “This means that, if asked, an organisation might say ‘we have that crisis covered because we have general crisis management’.

“However, a cybercrisis is very different. If a warehouse is on fire, all the facts are there: you can see the problem and figure out physically what you have to do. With a cyberbreach, you are operating in the absence of information. You don’t know what’s happened, who’s taken what and you are trying to piece together the facts in order to get your position sorted.”

With a cyberbreach, you are operating in the absence of information. You don’t know what’s happened, who’s taken what and you are trying to piece together the facts in order to get your position sorted.

Before they get to this point, many hotel companies still need to figure out what data they hold, and where on their sprawling network it’s located. They also have to keep a closer eye over third parties who might possess important information and make sure they have good security in place. The hackers who stole 40 million sets of credit card data from Target, the American retailer, in March 2014, first broke into the network using credentials stolen from Fazio Mechanical Services, a mid-sized refrigeration and HVAC provider, which had done some work in some of Target’s Pennsylvania-based stores.

Even if you have a comprehensive strategy in place and you’re technically up to date, a sufficiently tenacious hacker can still get through. In fact, in the words of Martin Libicki, a cybersecurity specialist with RAND Corporation, “It’s not even clear that sophisticated cyberdefences can keep up on [any] systems that are exposed to the internet.”

It therefore makes a big difference if hotel operators are open to sharing information about attempted breaches, creating a pool of knowledge that can be used to match hackers move for move.

When your best isn’t enough

“It’s unfortunate for the victim of the first break-in, as they wouldn’t have been able to do more than keep their systems up to date and have full security practice in place,” says Dowswell.

“But everyone else can then update their systems to stop that particular mode of attack.”

This level of cooperation doesn’t look like coming to pass, at least not over the short term. If the next 12 months brings as many high-profile breaches as the last, and the reputational damage continues to mount, however, something is sure to give.