April 12, 2019

The rush to embrace digital has left too many hotel chains open to breach


In hacking terms, hotels have had a bad run. Between 2015 and 2018 major chains including Hilton, Hyatt, Intercontinental (and Trump) have all suffered significant data breaches – taking a hit in terms of customer trust and lost bookings.

Now on the back of a February study showing the travel industry to be one of the least trusted where data protection is concerned, a controlled test by anti-virus company Norton has shown more than two-thirds of hotel booking web sites are insecure.

The company’s principal threat researcher says 67% of the more than 1500 hotels in 54 countries he tested were leaking customer booking reference codes to third parties, potentially exposing personal information to malicious or careless insiders.

Under current safeguards, information such as name, email, postal address, mobile phone number and passport number would all be at risk.

On average, hotels shared booking reference codes with up to 30 different third parties, including advertising and analytics companies, search engines and social media networks. Even in the case where a booking had been cancelled, some booking data remained visible to Norton researchers.

Almost 30 percent of sites failed to encrypt the reference link they send to customers with email confirmations, opening the door to DarkHotel hacks where criminals use a hotel’s public Wi-Fi to target business guests.

Stolen data could be used to launch personalised phishing attacks, commit identity theft, or even eavesdrop on high profile business and government employees.

An A-list target for cyber crims

Breaching hotels is a bit like a Brink’s-Mat heist for hackers, delivering much more data value than almost any other industry.

While hotels process fewer transactions than, for example, a large retailer, the data they do collect on guests is much more varied and detailed. Hotels work hard to collect personal information and build up substantial customer profiles in order to give guests a more personalised experience.

As part of the wider travel industry, hotels often share guest information with travel partners or other local companies.

That means keeping much more than name and credit card information on file. Hotels create a rich trove of personal data which is pure gold to cybercriminals. They can use it to impersonate breached customers, leading to identity theft, and social engineering attacks against individuals or the organisations they work for.

Erosion of trust, erosion of revenues

Like most consumer-facing businesses, hotels have transformed themselves into widely interconnected digital environments, competing with other brands to see who can give their customers the most personalised and simplified digital experience.

Nearly every hotel now offers its guests dedicated mobile apps, some have replaced desk clerks with automated kiosks, and almost all are in a constant process of creating new digital partnerships with other travel or entertainment companies.

They deserve high marks for innovation, but the rush to make business models more digital has left hotels vulnerable to cyber-attack. From employee terminals to mobile apps, HVAC controls, Wi-Fi systems, alarms, and electronic doors, hotels have a huge number of endpoints and remote connections. Each one is a potential entry point into a hotel’s network.

In larger hotel companies, individual properties are linked to the company’s wider corporate network, which means only one location needs to be breached in order to access the entire company.

Customers certainly seem to have caught on. Hotel websites are losing billions in lost transactions, due in part to a lack of trust.

When privacy becomes a competitive advantage

Not every organisation is as exposed as a chain hotel, but almost every business does have a single point of failure. Only one employee at one hotel needs to make one mistake to open the door to a hacker.

Where breaches are concerned the size of an organisation clearly matters. Big hotel chains will have invested tens of millions in the latest security technology, but spending power isn’t enough.

With so many physical locations, end points, travel partners, web sites and apps around the globe, it may simply be impossible to make a company impenetrable to cyber attack.

Large or small, it’s not a matter of if a breach will happen, but when. Hotels do need to embrace a more intensive security posture, with greater investment in the latest security technologies, as well as training to shore up awareness internally.

But let’s be honest – in 2019 that could describe almost any company. In an era where privacy is fast becoming a differentiator for businesses of all sizes, ensuring that data practices are watertight is business critical.
