HOTEL CYBER SECURITY

Hotel Cyber Security

ACID Technologies helps hotels protect themselves by detecting the first signs of an impending cyberattack – as early as in its planning stage, and providing real-time, detailed alerts that enable the targeted hotels to implement effective preventive measures

ACID Technologies provides the hotel industry with 24/7/365 dark web monitoring services, while also monitoring multiple additional sources and platforms. When detecting a threat, ACID sends real-time, actionable alerts with all available information, to enable the targeted hotel chain or specific hotel to effectively respond to the threat and mitigate its harmful impact, whether service disruption (reservations system, room door lock system, etc.), ransom demand, data theft or other.

There is a critical need for cybersecurity in the hospitality industry

The Financial Times reported in 2022 that hotels and hospitality businesses are now the third most cyber-targeted industry. Hotels store enormous amounts of customer data, including names, addresses, passport details, credit card information and more. This is a treasure trove for cybercriminals, who can launch ransomware attacks after stealing this data and encrypting it.

Hotels suffering from ransomware attacks must make the difficult choice of either paying hefty ransom payments, or risking disruption to their operation, and potentially incurring disastrous harm to their reputation and loss of business.

The vulnerability of hotels is explained by the fact that computer systems have replaced many of the face-to-face services provided by hotel staff to guests. Staff shortages have led to even more widespread use of computerized services. Additionally, reservations are increasingly made on external websites and apps – an additional potential vulnerability – as opposed to the hotel chain’s own website.

Hotel & hospitality businesses are the third most cyber- targeted industry

(Financial Times)

The average total cost per breach in the hotel & hospitality industry in 2021/22 was $2.94M
(Ponemon Institute & IBM)

The costs of cyberattacks, which make hotel cyber security services a wise choice

Ponemon Institute and IBM have analyzed the average costs of a breach in the hospitality industry, including not only the cost of lost business, but also costs resulting from damage to reputation, expenses covering forensic activities, legal services, crisis management, regulatory response and customer notification. They have concluded that the average total cost of a breach in this industry between 2021 and 2022 was US$ 2.94 million.

Some recent attacks targeting hotels are described below:

  • Marriott Hotels: In June 2022, a hacker stole 20GB of data from one of Marriott’s servers after tricking a company employee. The stolen data included credit card information of the hotel chain’s guests, reservation logs for airline crew members, as well as other sensitive information about guests and employees.

    In September 2022, Marriott Hotels was required to pay a fine of £14.8 million by the UK’s Information Commissioner’s Office (ICO), for failing to implement adequate security measures to protect its customers’ personal data. The attack in question began in 2014 (against the Starwood Hotel Group, which Marriott acquired in 2016), but was detected only 4 years later. It is believed that it may have affected up to 339 million guests.
  • Intercontinental Hotels Group (IHG), UK: Also in September 2022, a UK-based multinational hospitality company, which operates 6,000 hotels around the world, suffered a two-day outage to its online booking system following a hack. The hackers, who identified themselves as a Vietnamese couple, contacted BBC and said: “Our attack was originally planned to be a ransomware but the company’s IT team kept isolating servers before we had a chance to deploy it, so we thought to have some funny [sic]. We did a wiper attack instead.” In a wiper attack, data, documents and files are irreversibly destroyed.

    This attack came after a ransomware attack a month earlier at a Turkish location operated by the same hotel chain, which in 2019 settled a class-action lawsuit for a malware breach that affected a number of its hotels, restaurants and bars.
  • MGM Resorts Hotels: In an attack targeting MGM Resorts Hotels in February 2020, the perpetrator gained access to the personal details of more than 10.6 million guests and published them on a hacking forum. The guests included celebrities (among them then Twitter CEO Jack Dorsey and Canadian musician Justin Bieber); US government officials connected to the FBI, Department of Homeland Security, Department of Justice, and Transportation Security Administration; CEOs and employees at some of the world’s largest tech companies. The stolen personal details were reportedly names, home addresses, telephone numbers, emails, dates of birth and passport numbers.

Types of cyberattacks that ACID’s hotel cyber security services help protect from

ACID’s hotel cyber security solution helps protect from diverse cyberattacks, including the most common and frequent ones:

  • Point of sale/ payment card attacks, which are regarded by many as the greatest threat to the hospitality industry. This is a third-party crime in which the vendor is targeted, rather than the hotel itself.
  • Ransomware, which can prevent access to systems and data and disrupt hotel operation until the ransom is paid. In October 2020, the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) warned that ransom payments may not only encourage cybercriminals, but also place organizations that pay the ransom at risk of violating OFAC regulations.
  • Remote hacking through third-party vendors, such as various contractors and service providers.
  • Phishing scams targeting customers and hotels. Guests sometimes find themselves providing their personal and credit card information on what they discover later are fake websites posing as legitimate ones. Cases in which hotels have sent their monthly fees to falsely branded web pages have also been recorded.
  • DDoS attacks – hotels are particularly vulnerable to this type of attack because so many of their devices and systems are managed by computers and can be leveraged to disrupt other systems operating on the same infrastructure.
  • Theft of personal information over hotel Wi-Fi, which the FBI has warned against, stating that Wi-Fi networks in hotels typically favor guest convenience over strong security practices. Guests cannot be sure that all the security features have been activated on a hotel’s Wi-Fi network, and that security patches are installed as soon as they are provided.
  • DarkHotel hacking is particularly worthy of attention. Classified by Kaspersky as a major risk, it has been known to compromise luxury hotel networks, then stage attacks from those networks on selected high-profile victims. Kaspersky explains that the DarkHotel group appears to use a combination of spear phishing, dangerous malware, and botnet automation designed to capture confidential data. It adds that its attacks are typically layered and involve two malware infections stages – an initial bait for malware infection in order to infiltrate devices and vet for high value targets, followed by a secondary malware infection aimed at stealing their data.

ACID’s hotel cyber security services – a cost-effective solution

As stated above, the average cost per breach in the hospitality industry is close to US$ 3 million. The harm to reputation and resultant loss of business to a hotel, which may continue for an extended period of time, must also be taken into account.

Even when hotels do take action to improve security, running a single penetration test to detect vulnerabilities in their computer systems can cost up to US$ 25,000, according to Tristan Gadsby, chief executive of hospitality consultancy Alliants.

When weighing the cost of ACID’s cybersecurity solution for hotels against the resources an organization would need to invest in-house to achieve results that may not provide a comparable level of protection, leaves no doubt that ACID’s services are not only essential, but also highly cost-effective.

ACID uses AI algorithms and clusters of bots that scan the clear, deep and dark web, as well as social networks and other sources, to detect the first signs of an impending attack. Its real-time, detailed alerts, screenshots of threats detected on the dark web and subsequent updates as more information becomes available, provide IT teams with highly valuable information. If the client wishes to add sources to the very long list that ACID continuously monitors, we are happy to oblige. The information provided by ACID supports the IT teams in preparing effective countermeasures that can potentially thwart the cyberattack or mitigate its harmful effects.

Subscribing to the cybersecurity services offered by ACID Technologies can spare your organization the potentially disastrous effects of cyberattacks at a fraction of their cost, and enable you to put your resources to good use where they are most needed.

ACID’s cost-effective solution can significantly improve the cybersecurity profile of hotel chains and hotels.

ACID deploys clusters of robots and implements sophisticated algorithms to perform continuous dark web monitoring in order to detect signs of impending attacks even while still in their planning stage, attacks that are in progress, and leaked data indicating that the hotel’s or hotel chain’s systems have been breached and compromised. Client-specific keywords are used, and relevant language/s chosen for optimal monitoring results – particularly important for hotel chains operating properties across countries and continents. Once a threat is detected on the dark web or on any other of the multiple sources monitored, ACID sends real-time alerts to the victim, to enable it to implement countermeasures to diminish the impact of the attack, or perhaps foil it altogether.

 

At the HITEC 2024 event attended by hospitality industry leaders, the following vulnerabilities were discussed, as reported by HOTEL.report: 

  • Hotel employees, who are trained to be very hospitable toward guests on the one hand, while on the other hand, to be accommodating to requests made by people who have gained their trust, are not sufficiently knowledgeable in cybersecurity and aware of the risks. Consequently, they can easily fall prey to cybercriminals who exploit their lack of awareness and knowledge to carry out ransomware and phishing attacks.
  • Failure to understand the need for cybersecurity among executives who try to avoid spending more money to protect their IT systems. Some of the reasons given, particularly by owners of small hotels but not only, is that they don’t consider themselves to be at risk, that cybersecurity does not generate revenue, and that they believe that in-house IT teams can adequately meet their cybersecurity needs.

Regretfully, in the case of ransomware attacks, for example, the cost, even in monetary terms alone, can be exponentially higher than the cybersecurity solution that can help protect them from such attacks. ACID’s cost-effective solution was developed to do precisely that.

  • In March 2024, a ransomware attack perpetrated by the Daixin Team group targeted the Omni Hotel & Resorts chain. The chain operates a large number of hotels in North America and employs a staff of more than 14,000. On April 2nd, Omni confirmed that a cyber attack was the reason behind the outage of its IT systems throughout the country. The attack impacted its reservations system, room door lock system, WiFi and phones, as well as its point-of-sale system. In a later update, Omni confirmed that guest data had been stolen, including names, postal addresses, email addresses and guest loyalty program details, but excluding financial information. The hotel chain’s systems were restored on April 8th. Daixin Team added the Omni chain to its dark web leak site about two weeks after the attack was launched and threatened to leak customer information dating back to 2017.
  • One of the most severe cyber attacks in the hotel industry took place in September 2023. It targeted MGM Resorts, one of the world’s largest hotel & casino operators, and disrupted the operation of some of its most well-known properties in Las Vegas, including the Cosmopolitan, Bellagio and Mandalay Bay. It also impacted MGM hotels in other locations. Among the systems affected by the attack were digital key cards, online reservations and electronic payment systems. Consequently, staff were forced to execute some transactions on paper, and waive cancellation and change fees for some bookings. The Scattered Spider group, which is believed to operate under or with the ALPHV / Black Cat ransomware gang, took responsibility for the attack. Its results: More than $100 million in costs, the theft of personal guest information (name, contact information, gender, date of birth, driver’s license number and in some cases, passport details), and a drop in occupancy.