The Biggest Risks to Hotel Cyber Security

Posted 27/02/19

We understand that a cyber attack or data breach can have a detrimental impact on any business in any industry.

However, these types of crimes can be even more damaging in the hotel industry because your hotel is likely to run and be dependent on technological systems, handling everything from your cash flow to the occupancy of the premises. Also, as a hotel owner, you process large quantities of sensitive and personally identifiable data. Not only do you collect this data, but it is also collected at various different ‘touch points’ throughout your business, meaning there are even more areas that are vulnerable to attack.

You collect payment details and personal information at these different touch points: in your premises (bars, restaurants, spas, gyms, concierge and check-in desks, to name just a few), at events, in contact centres, and online too. Each of these data collection points has its own unique vulnerabilities, meaning that there is a larger and broader risk unique to your sector.

Because of these unique and potentially very damaging vulnerabilities, we detail in this post the importance of being prepared with the appropriate insurance, together with risk management to cover these risks. This includes making you aware of the vulnerabilities in your industry, as well as the costs involved should you fall victim to a cyber incident if you’re not covered - and who will be liable when it comes to picking up the bill.

Your online presence

As a hotel owner, it’s likely you have some form of online booking system, whether this is on your own website, or on a third-party booking site like Trivago or Booking.com. This is your first ‘weak spot’, as these booking systems can be intercepted by a cyber criminal, or maliciously breached by an employee who has access.

A breach can cause reputational damage, and your customers may no longer trust your online systems. You could also face fines and end up with legal costs to pay for losses and compensation as a result of this data being compromised. Also, if a breach happens to a third-party website, while this is their fault, it’s likely you’ll still have to pick up the slack if it involves customers of your hotel. This includes handling customer complaints, queries and booking errors, and managing knock-on reputational damage and loss of business while the booking site is down.

Ultimately, as a third party passes on data to your business, you’re also responsible for handling and storing it safely and securely. So, for example, if a criminal accesses customers’ financial information, they could hold it to ransom, leak it to malicious websites or sell private details (such as those of VIP guests) to the highest bidder. If you are deemed to be the ‘controller’ or ‘handler’ of this data and it is compromised in your care, then you will be liable. This could see you face fines due to the recent implementation of GDPR, and so it’s important that you’re covered for these risks.

Hackers steal credit card details from hotel booking sites

“Luxury hotel chains are notifying guests that their personal and financial information may have been stolen after Paris-based software company Fastbooking, suffered a breach on June 14 2018.”

Inside your hotel

The vulnerabilities within your hotel are three-fold. There is your hotel reception, the main point of contact for all guests. Then there are the other facilities you may offer, such as bars, restaurants, gyms and spas. Thirdly, there is your team of staff. But how does each of these pose a risk?

Your front desk is where payment details are processed and stored, along with authenticating room key-cards and checking customers into the hotel with their personal information. Your various other amenities then also process payments, or draw on the payment details stored at reception to add all costs guests incur to their overall bill. As these systems interlink, just one of these systems could be hacked and all of them could suffer downtime.

This means revenue is lost not just from your hotel bookings and reputational damage you suffer, but from every pay point in the premises too. This could be even more harmful if it resulted in your hotel being unable to service customers as normal.

Your staff can also become a threat as they have access to huge amounts of data and various systems. According to IBM, insider threats account for 60% of all cyber attacks. Whether a disgruntled member of staff carries out a malicious attack like cloning payment details or they obliviously increase the level of risk by checking personal emails, you could be held responsible for their actions.

The Impact of a Cyber Attack or Breach

Business Interruption

Business operations such as checking guests in, providing them access to their rooms and processing their payments could all suffer interruption. This would result in a loss of overall income for you, as well as the extra expense involved with putting things right following the criminal incident (whether in the form of vouchers, compensation or reputation restoration).

First-Party Cyber Loss or Damage

If the hotel systems were to suffer from a virus, a hacking incident or an inside error, this could cause booking systems, the front desk check-in systems, room keys and till points to become compromised. This would prevent business operations from being carried out as normal and the hotel would need to account for the costs of both resecuring and fixing these systems. When you consider consumer spend at UK hotels and restaurants alone is over £230,000 every minute (Statista), the potential losses are significant.

Cyber Theft

This refers simply to data being stolen, such as financial or personal information. This can happen if a cyber criminal is able to gain access to your databases and processing systems. Your hotel would suffer the loss of the data, money or confidential information stolen and may be liable to provide compensation if customer or employee data is compromised.

Cyber Security Liability

This refers to how a cyber security incident may affect other parties that your hotel is in partnership with. For example, if an event being held within your hotel is being catered by an external company, this external company would also suffer loss on account of the cyber attack should the hotel be required to cancel the event. This would come at the expense of you and the hotel itself, and it could have several implications during a GDPR investigation.

Thomson data breach couple cancel holiday


The Importance of Cyber Insurance for Hoteliers

There are far more ways that a cyber security incident could negatively impact your business, but we won’t bore you with all of the technical details. Our job is to make sure you’re aware of the risks and that you take the necessary precautions to protect yourself.

When we combine all of the different vulnerable points within a hotel business and the extensive costs that you would incur if you became a victim of a cyber attack or breach, it’s easy to determine how important cyber security insurance is. Claims for hotel cyber security incidents are usually in excess of £25,000, which is a huge loss for any business to suffer and in some cases may even be enough to close the doors of your business for good.

The hotel industry can often take a bit of a back seat when it comes to cyber security, yet it is one of the most vulnerable sectors. Don’t leave your business vulnerable. Get in touch with us to discuss how to insure your hotel business against cyber threats.

