Large-scale theft of credit card information; hotel room lighting being turned off at random; electronic door locks failing to open and booking systems collapsing. Hackers are getting increasingly bold and are at present systematically focusing on the hotel industry.

Digitalization enhances convenience – but entails risks

The InterContinental Hotel Group, one of the largest hotel groups worldwide, informed the public of cyber attacks involving 1,200 hotels in the United States. The attacks were aimed at obtaining hotel guests’ credit card information.

“Due to digitalization, hotels have become highly interesting targets for attackers. One of the sources of danger involves credit card information. Another threat to IT security is the variety of new services and functions provided by the Internet of Things during a hotel stay. At present, cyber attackers focus on businesses ranging from four-star family-run inns in the Alps through to international hotel chains worth billions,” explains Christian Polster, Chief Strategist of RadarServices.

When it comes to IT security, the hotel industry needs to catch up with other sectors

Many sectors, primarily those involving critical infrastructure, have long since understood the benefits of continuous IT security monitoring and have even been compelled by law to introduce it. In other economic sectors, the proactive detection of IT security gaps and the timely identification of attacks are still being neglected.

“The IT security standard currently applied to hotels is a long way from that of banks. However, the victims of cyber attacks – whether they are hotel guests or bank customers – may suffer similar financial losses. Not to mention the huge financial expenses and reputational damage which an attack on an individual hotel or a major hotel chain may entail,” emphasises Polster.

Continuous IT security monitoring must cover three areas: constant surveillance of all gateways for malware and all communication channels beyond the borders of the company, continuous internal and external vulnerability scans, and an ongoing analysis and correlation of each of the system’s logs.

“What is so special about the protection of hotel chains such as the InterContinental Hotel Group is the fact that the individual hotels are usually managed by franchisees; hence the topic of IT security is much harder to control centrally than from within a joint organisation. Yet, the hotel industry is now facing a task it needs to come to grips with. With effect from May 2018 at the latest, when the EU’s General Data Protection Regulation enters into force, the most stringent requirements with regard to IT security will apply to hotels as well, and they will have to face high fines in case of incidents. The Regulation will apply to all hotels processing data of EU citizens in their systems, i.e. both the four-star family-run inn in the Alps and the US hotel chain,” concludes Polster.