Cyber Attacks & The Hospitality Industry

September 23, 2015

We have all heard of the cyber attacks on financial institutions, retail businesses and the healthcare industry. More and more we are hearing of the attacks in other industries, such as the hospitality industry. Attacks reported just this year have involved Mandarin Oriental Hotel Group, effecting 10 of their hotels worldwide. It is assumed the hacker used malware to acquire the credit card numbers of individuals who used a credit card for dining, beverage, spa, guest rooms, or other products and services at the affected Mandarin Oriental properties. Hard Rock Hotel in Las Vegas is another alleged victim of a hacker accessing information about credit or debit cards used at certain Hard Rock Hotel & Casino Las Vegas retail and service locations. In April, White Lodging – a large hotel management company with some 160 hotels in its portfolio – said it had suffered a breach; it’s second in as many years. Other breached hotels include management company Destination, with some 40 hotels in its portfolio. These are just the high profile cases we hear about.

In addition to these numbers, it is worth mentioning that hotel operators rarely discover their breaches themselves. It usually begins by a large bank or three notices of an influx of fraud, and then a hunt for common elements – that is, a retailer victims have in common. When the bank fraud department determines a pattern, it calls the U.S. Secret Service or FBI and shares its findings. The Feds call the hotel, which typically is in a state of happy denial. How would you like to be the manager that receives that call?   In many instances that call is the first time a hotel realizes it has been breached.

Leading causes of Data Breach

It is true that hackers are responsible for the largest number of losses in claims against cyber liability exposures and that the most advanced hackers are in Russia and Eastern Europe.  However, these numbers are evolving and fast approaching in the cause of losses due to cyber exposure according to a NetDiligence®  2014 claim reports study they note that 97% of data exposed comes from email addresses and passwords.  This information adds to the percentage of causes of loss to the following categories:

  • Lost, stolen or missing electronic assets
  • Rouge employees
  • Staff mistakes

While Healthcare systems, Financial Institutions and Retail are among the most venerable industries to be exposed to cyber attacks, we have seen from recent events and from the growing trends towards social media and carrying everything on our smart phone that none of us are out of reach.

Areas at risk

In the hospitality industry, consider the volume of credit card swipes at check-in, bars, restaurants and shops. There are ample opportunities for cyber attacks in the hotel industry as mentioned above.  Every hotel executive should take seriously the threat of computer security breaches, implementing the most up-to-date prevention and risk management practices, creating an emergency response plan and securing sufficient insurance coverage. Below we have highlighted a few key areas of vulnerability in your hotel:

  • Daily operations are a primary way hotels are susceptible to cyber attacks. Not only do hotels transact business through credit cards, but those cards are kept on file and often accessed multiple times during a guest’s stay. Each charge made at a spa, gift shop, bar or restaurant during the course of a stay is another opportunity for cyber theft.
  • Intentional acts of theft by employees. For example, food and beverage servers can use small devices, easily hidden in a pocket, to swipe customer credit cards over an extended period of time and then sell the data.
  • Public Wi-Fi access, which is usually unsecured. Naturally, hotels want to provide guests with the best possible lodging experience and many favor ease of access over security. That can be a mistake. Wi-Fi access needs to be secured.

There are other areas that are also venerable to data breaches. An employee’s laptop could be stolen, or access to hotel data may be gained through third party vendors who have access to hotel systems. You should conduct a thorough vulnerability analysis for your resort to determine risk.

What should you as a resort manager or board member executive do to help mitigate against cyber risks?

  • To be fully effective, you will need to bring in an expert. Advanced, persistent threats such as the ones that can occur in the hospitality industry require an ability to plan, design, and implement effective cyber security controls that can stay ahead of emerging threats and current technologies. Indeed, cyber security should not be randomly assigned to any employee. Instead, cyber security requires a higher level of education, training, and certification.
  • Make sure your IT system has adequate security and enforcement susceptible to a cyber attack.
  • Gain the technical and administrative knowledge necessary to combat advanced, persistent threats.
  • Conduct a thorough vulnerability analysis for your resort to determine risk.
  • Talk with your insurance broker on the cyber liability products best suited for your particular business.
The Armstrong Company Insurance Consultants (License #0440075)