
A Target in Every Room: Why Cybercriminals Are Hunting Small Hospitality Businesses and How to Protect Yours

Date published: Jan 13, 2025

Natasja Bolton

Client Engagement Manager


When a successful breach is reported in the media, well-known, large companies often make the headlines. However, cybercriminals are much more often successful in their attacks against smaller businesses. Why? Because small and medium-sized businesses (SMBs) often have fewer resources and, as a result, are less likely to have the latest and most up-to-date security measures in place. In fact, more than a third (36%) of hospitality leaders report having an immature cyber posture. That means they run a higher risk of falling victim to the latest cyberattacks and malware.

More recently, we have seen an increasing trend of hospitality-sector businesses being targeted. Data and personal customer information have value to cybercriminals; even information that may appear to have limited value can be monetized. With an almost endless supply of new personal and payment information generated by businesses daily, it’s easy to see why criminals are setting their sights on these businesses.

In this blog, we address why cybercriminals find it easy to exploit the hospitality industry and what steps these businesses can take to reduce the risk of data theft and business disruption.

Why is the Hospitality Industry Being Targeted?

According to proprietary VikingCloud research, 54% of hotels suffered a data breach in the last year. Hotels are recognized as high-value targets for cybercriminals because their systems hold highly sensitive personal data.

The reality is that there are quite a few ways that hospitality businesses can be attacked:

  • Logical attacks: Stealing data from insecure systems and over the Internet.
    - Point of sale (POS) breaches have long been prevalent in hospitality. However, with the rapid adoption of digital solutions, such as mobile check-in, room keys, and smart in-room technologies, hospitality businesses are exposing a greater attack surface with more potential entry points for attackers.
  • Physical attacks: Cardholder data may be present in physical format (receipts, for example), and physical controls (alarm and surveillance systems) may be weak. This offers multiple ways to steal cardholder data.

Cardholder data is a high-value asset. Many cybercriminals find it easier and more efficient to target multiple small restaurants and hospitality businesses that are vulnerable than to mount a single attack against a larger business with a more robust cyber defense system in place.

Many hotels use cloud-based or on-premises accommodation booking systems, which, while convenient for managing availability, are also used to store full payment card details to guarantee bookings. Another source of valuable data for criminals is call recording systems. Businesses may record their calls for customer service purposes, but that may also mean they store the PAN (Primary Account Number) and CVV2 (Card Verification Value 2). Depending on the protection measures in place, information stored in these booking and call recording systems can be stolen and used to make fraudulent purchases in-store or online.

The nature of the hospitality business also means that cardholder data may be received and stored electronically in emails and electronic faxes that can be intercepted. Printouts of emails and booking forms, faxes, merchant receipts, and chargeback forms are also not always securely controlled; they end up stored in back offices, archive rooms, or even outbuildings accessible to more people than is necessary. Additionally, if a business does not have secure data disposal practices, recycle bins may contain merchant receipts and other physical media showing cardholder data that could easily be accessible to the public.

More often than not, consumers and travel agents are more focused on making a booking than they are on data security.

So, What Can a Hospitality Business Do to Reduce Their Cyber Risk?

Most cyberattacks are preventable. First, the PCI DSS is a minimum standard that should be used to minimize the risk to cardholder data. Furthermore, it is an industry regulatory requirement worldwide. However, your hospitality customers may not know where to start to secure their business. We strongly recommend the following steps:

  • Know where payment card data is handled: Identify the processes that handle cardholder data. Understand where it is received, where it goes, where it is stored, and who has access to it. Only then will the business be able to ensure appropriate controls to cover all areas correctly.
  • Data retention: Do not keep cardholder data longer than necessary. Find out why cardholder data is stored and how long it needs to be kept. Once this is defined, the business can remove any unnecessary data exceeding this defined time. To minimize the risk further, consider not storing cardholder data at all by using a tokenization system (which stores a random token in place of the cardholder data).
  • Restrict physical access: Do not allow cleaners and maintenance workers access to cardholder data media. Most cleaners do not need access to archive rooms. Businesses can restrict access to cardholder data by locking cardholder data media in cabinets that are accessible only to those needing access.
  • Review the hospitality booking system: Use a secure solution. Consider using a PA-DSS-validated solution (software validated by a qualified payment application assessor). As POS and booking systems are often sources of breaches, it is very important for businesses to keep their systems secure:
    - Protect POS systems by keeping them updated with the latest patches.
    - If cardholder data is stored, ensure it is encrypted.
    - Ensure access to cardholder data is restricted to those needing access.
    - Do not keep the CVV2 once payment has been processed. Be aware that once the initial payment is made, the CVV2 is not needed to process a no-show charge.
    - Ensure few staff have access to the cardholder data.
    - Ensure business websites have undertaken a security test (vulnerability or penetration test).
    - Control and limit remote access to business systems. Make sure any remote access uses multi-factor authentication and strong cryptography.
    - If the business relies on third-party cloud/online booking systems, confirm that the third party accepts responsibility for securing cardholder data, and ask whether they are a PCI DSS-compliant service provider.
  • Secure/update call recording system: Ensure call recording systems do not store sensitive authentication data (such as the CVV2). Ensure the recorded cardholder data is encrypted (or, better yet, not captured and stored).
  • Employee education and awareness training: A 2023 study conducted by IBM found that human error is the cause of 95% of cybersecurity incidents. The key to educating your employees is to develop an effective training program.
  • Consider Partnering with an MSSP: Managed Security Service Providers (MSSPs) are a one-stop shop for organizations within the hospitality industry to detect, protect, respond, and recover from any cyber incidents. MSSPs can cover the time and cost of recruitment, hiring, and training and offer modern, best-of-breed technology offerings that defend against an increasingly large spectrum of attacks.
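The data-discovery and retention steps above (knowing where cardholder data is handled, dropping the CVV2 after authorization, masking the PAN in booking and call recording systems) can be partly automated. The following Python script is an added example written for this post, not VikingCloud's code; the record field names `pan`, `cvv2` and `notes` and the sample transcript are constructed assumptions. It finds Luhn-valid card numbers in free text such as a call transcript or a booking note, and strips sensitive authentication data from a booking record before it is stored.

```python
import re
from typing import Dict, List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_valid(digits: str) -> bool:
    """Luhn check: filters out most digit runs that are not card numbers
    (phone numbers, booking references, room numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep only the last four digits, the usual display form for a stored PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]

def _strip(match_text: str) -> str:
    return re.sub(r"[ -]", "", match_text)

def find_pans(text: str) -> List[str]:
    """Masked PANs found in free text such as a call transcript or booking note."""
    return [mask_pan(_strip(m.group())) for m in PAN_RE.finditer(text)
            if luhn_valid(_strip(m.group()))]

def redact_pans(text: str) -> str:
    """Replace every Luhn-valid PAN in the text with its masked form."""
    def repl(m):
        digits = _strip(m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return PAN_RE.sub(repl, text)

def sanitize_booking(record: Dict[str, str]) -> Dict[str, str]:
    """Drop sensitive authentication data and the full PAN before the record is stored.
    The field names (pan, cvv2, notes) are assumptions for this example."""
    clean = dict(record)
    clean.pop("cvv2", None)                          # never retained after authorization
    if "pan" in clean:
        clean["pan_last4"] = _strip(clean.pop("pan"))[-4:]
    if "notes" in clean:
        clean["notes"] = redact_pans(clean["notes"])  # PANs typed into free-text notes
    return clean

# Constructed sample call transcript (not real card data; 4111... is a well-known test number).
TRANSCRIPT = ("Guest gave card 4111 1111 1111 1111, expiry 12/27, CVV 123. "
              "Room 4111-1111 confirmed, booking ref 1234567890123.")
```

Running `find_pans` over exported call transcripts or booking notes is a quick way to discover where PANs have leaked into free text; `sanitize_booking` shows the shape of the record that should reach the database.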

The Future of Hospitality

The good news: Software applications and card payment solutions used by hospitality businesses are becoming more mature and secure. Additionally, businesses are increasingly adopting best practices and new solutions to reduce the risk of business interruptions from cyber incidents. Keeping the “registers ringing” and protecting customer information and your brand are all good for business.
