Dive Brief:

• The transition to mobile and contactless services in the hospitality industry is making hotels more vulnerable to cyber threats, according to a report from Trustwave SpiderLabs. 
• The industry has seen a surge in cyberattacks, with 59 incidents since 2022. Meanwhile, 31% of hospitality organizations have reported a data breach in their company’s history, and 89% of those were affected more than once in a year.  
• As hotel companies adopt new technologies and mobile-first amenities, hoteliers will need to evaluate the risks in order to prevent cyberattacks.

Dive Insight:

The hospitality industry’s reliance on third-party providers and franchises, as well as high turnover in its workforce, makes the sector an appealing target for cybercriminals. Guest turnover also has an impact on hotels’ vulnerability, as hospitality establishments welcome new internet users each day. 

“Organizations within hospitality must operate under the assumption that their networks are highly susceptible to attacks due to the sheer number of users,” Trustwave SpiderLabs found. 

“With unique considerations, such as the adoption of contactless technology and the steady turnover of customers and employees, the hospitality industry faces a complex security landscape with distinct challenges,” said Trustwave Chief Information Security Officer Kory Daniels, in a statement. “In an industry where guest satisfaction and reputation are paramount, staying secure while offering cutting-edge technology is a delicate balancing act.” 

The most common cyber crimes targeting hospitality include fake orders and extortion to collect personal data or money from victims. 

Citing data from IBM, the report notes that the average cost of a hospitality breach, $3.4 million, is below the cross-industry average of $4.4 million. However, the impact of a breach can cause significant harm to a hospitality company’s bottom line due to the importance of reputation in the industry and high competition. 

The report also notes threats associated with the growing use of generative AI and large language models. Increasingly popular technologies such as AI chatbots could potentially be used to collect and store large amounts of data about guests.  

To mitigate risks of generative AI, the report suggests hotels evaluate their security solutions with generative AI in mind, choose security tools that can detect AI-generated threats and create robust internal policies and employee training for proper data usage. 

Hotel companies can work to prevent threats stemming from contactless technologies by executing regular vulnerability assessments, place all servers and devices within a firewall and deactivate internet connectivity for servers and devices that do not need it, the report said.

There was a particular increase in attacks by the Clop ransomware group, which exploited hundreds of victims via a vulnerability in the MOVEit file transfer software, Trustwave SpiderLabs found. Hotel companies were among those affected by the attacks. 

Last year, cyber criminals targeted Marriott International, stealing 20 gigabytes of sensitive customer data including credit card numbers. Later in the year, InterContinental Hotels Group experienced a similar attack that downed its booking systems and apps.