By Jim Butler, Bob Braun

Like virtually all industries, the hotel industry continues to be challenged by cybersecurity concerns. As we approach 2022, hotel owners and operators need to address some basic issues that impact the security of their systems and their guests.

  • Wi-Fi. Providing wireless internet to guests has become a “must-do” for hotels – it’s not too much of an overstatement to say that a potential guest won’t stay at a hotel that doesn’t provide free Wi-Fi. But hotel Wi-Fi systems, particularly those in public areas, have long been a soft underbelly of cybersecurity. In the past 10 days, TechCrunch+ reported that “an internet gateway used by hundreds of hotels to offer and manage their guest Wi-Fi networks has vulnerabilities that could put the personal information of their guests at risk.” The system uses hardcoded passwords that are easy to guess and that allow an attacker to gain remote access to the gateway’s settings and databases; the attacker can then use that access to read and exfiltrate guest records, or reconfigure the gateway’s networking settings to redirect unwitting guests to malicious webpages.
  • Social Media. Hotel brands and operators increasingly use social media to promote their properties and attract guests. But social media depends on the collection and use of personal information, and that information makes hotel companies one of the prime targets of bad actors. Their goal isn’t limited to credit card numbers; these threat actors are looking for personal information that allows them to obtain credentials and infiltrate networks. When a threat actor gains access to a network – which could be yours – they can pose an existential threat to a business through ransomware, extortion, denial of service, and other attacks.
  • Vendors. Hotels depend on a multitude of vendors and third parties to operate. These range from point-of-sale systems to HVAC operators to property management systems. Every vendor that has access to hotel systems – and it’s surprising how many do – presents a threat. When a vendor has access to a hotel system, that access creates an opening for a bad actor. Even more, each vendor itself relies on a variety of vendors, which means that every vendor’s vendor that has access to the vendor’s system may also have access to the hotel’s network. And as we’ve discovered from the breaches caused by the highly publicized SolarWinds software and the more recently discovered Log4j API vulnerabilities, even the most reliable of vendors cannot be blindly trusted.

These are not the only security risks that hotel companies face, but they demonstrate the conundrum that hotel owners and their operators face – the very things that create security challenges are also essential for operations. Hotels cannot stop offering Wi-Fi at the risk of alienating guests. Social media is a key part of marketing for hotels, giving hotels the ability to target potential guests at a relatively low cost, which is especially important during the current economic challenges. And vendors cannot be eliminated; there are too many functions that require special skills and experience that hotel companies cannot effectively bring in-house, at least at a reasonable cost.

But this does not mean that hotel companies can simply throw up their hands. If hotel companies make reasonable security efforts, they can control their risks and reduce the likelihood of a breach and the damage it brings. Organizations such as the National Institute of Standards and Technology have created frameworks to help hotel companies evaluate and address their risks.

The Jeffer Mangels Butler & Mitchell Global Hospitality Group, in conjunction with the Jeffer Mangels Butler & Mitchell Cybersecurity and Privacy Group, works with hotel companies to understand and address their security and privacy needs, and we are ready to help you. For more information, contact Bob Braun (rbraun@jmbm.com) or Jim Butler (jbutler@jmbm.com).
