Why Are Cyber Criminals Targeting the Hospitality Sector?
The wave of hospitality data breaches seemingly began in 2011 when customer data was stolen from Travelodge UK. In the cyber attack, customers of the hotel received suspicious emails to addresses they had used to make room bookings in the past. This is known as phishing – one of many tactics used by cyber criminals, and worryingly, they are becoming more sophisticated in their approach all the time. Since Travelodge UK fell victim, other businesses in the hospitality sector that have suffered a similar fate include Mandarin Oriental, Trump Hotels, Hilton Worldwide, as well as Booking.com. Which leaves us with one question: why?
What makes the hospitality sector a prime target for cyber criminals? We know that the healthcare sector is lucrative, as medical records can fetch a high price on the black market. But what’s causing hackers to try their luck with hotels, tourist-based businesses and the like? There are numerous reasons, but one of the main motives cyber criminals have for targeting this sector is the fact that it is a soft target. From back office vulnerabilities to outdated PoS protection, the industry simply isn’t doing enough to protect data.
Shockingly, research conducted by Trustwave revealed that nine in ten of the PoS terminals it tested were still running the six-digit password the device came with. This makes them easy for cyber criminals to hack, especially when some of these systems date back to the 90s. You should never use vendor-supplied default passwords; they need to be replaced immediately, and additional security measures, such as network segmentation, should be put in place. In fact, not using vendor-supplied defaults is the second requirement of the Payment Card Industry Data Security Standard (PCI DSS), which must be followed by any business that takes payment via card. When default security parameters are left in place, hackers can easily get malware onto PoS systems, making a hotel hack a quick and easy payday for them.
It’s not just the big players in the industry that need to have their guard up. While we may only hear about large-scale data breaches on the news, small-scale hospitality firms should be just as cautious. Cyber criminals are using malware and social engineering that has been specially concocted to beat individual defences, and they are using this approach to attack smaller hotels. Worryingly, most small hotel owners do not see themselves as targets, and this attitude in itself can be a reason why they are targeted.
You then need to consider the information assets that a typical hotel holds. These include a multitude of sensitive spreadsheets, emails and other documents; key card data; stock and transaction information stored in food and drink systems; customer information, including credit card details, names, addresses and bookings; and financial information. Personal information and security questions are widely used, from loyalty programs to purchasing hospitality services, so there is a lot for hackers to get their hands on.
There is no getting away from the fact that the hospitality sector has become a prime target for cyber criminals. All businesses, no matter how big or small, need to invest in expert data security to protect their future. From updating passwords on a regular basis to implementing network segmentation, there are many approaches that must be adopted.