November 07, 2017

Checking Out Confidential Data: What the Hotel Industry Needs to Know


Hotel chains around the world have been in the spotlight pretty consistently due to high profile data breaches.

Information thieves target hotels because of all the confidential and personal data these organizations handle. But while cyber security seems to get all of the attention, don’t forget that paper documents are still an important part of hotel business too.

Customer credit card numbers are by far the most sought-after data. According to Verizons 2017 Data Breach Investigations Report (DBIR), accommodation took the lead in point-of-sale intrusions with 87% of breaches. As EMV (smart payment) chip card processes are increasingly adopted, attackers are expected to shift to hotel contact centers where clerks often write down phoned-in reservation information.

Other guest data can be used in identity theft schemes too. This includes names, addresses, phone numbers, loyalty program details, and even boarding passes. This kind of information comes from many different sources – online, faxed, third-parties, phone, walk-ins, and theft – and that makes security more challenging.  

Corporate information is also valuable and includes revenue policies, food and beverage operations, customer and supplier information, research and development, and sales and marketing.  

Employee information held by the HR department includes everything from applications and medical records to payroll, performance evaluations and training information. Employee turnover in this industry is high.  

Social media is important. Research has shown that when guests engage with a hotel brand, they’re nearly 40% more likely to return. Fraudsters get personal information from social media sites too.

With the average cost of a data breach coming in at $3.62 million according to a 2017 Ponemon study, hotels must create a culture of security throughout their organization.

Here’s a checklist.

  • Have a comprehensive information security policy that addresses online, mobile, and physical security. For example, use strong passwords, encryption and secure connections. For work areas, have a Clean Desk Policy and Shred-it All Policy.
  • Provide on-going training that emphasizes secure work habits and a commitment to security. The Verizon DBIR showed that ‘insider and privilege misuse’ was one of the top three security threats in this sector.  
  • Address all regulatory issues. The Gramm-Leach Bliley Act, Sarbanes-Oxley Act, Health Insurance Portability and Accountability Act (HIPAA), Fair and Accurate Credit Transactions Act, Red Flag Rules, and Payment Card Industry (PCI) Security Standards are privacy laws that apply in this sector. New laws include the EU’s 2015 Package Travel Directive, which becomes fully applicable in 2018. The General Data Protection Regulation (GDPR) affecting any business that processes sensitive data belonging to EU citizens goes into effect in May 2018.  
  • Check security practices of vendors because partners are often a weak link. For example, increasingly hotels are demanding that their third party partners become PCI compliant.
  • Use a document management process so confidential information is protected throughout its lifetime. Utilize a retention policy too so data is securely destroyed when no longer needed.
  • Partner with a document destruction professional. The company should have a secure chain of custody and provide locked consoles, certified security professionals to handle documents for secure shredding, and a Certificate of Destruction after every shred. Destruction services for hard drives and e-media should also be provided.  

Start Protecting Your Business 

To learn more about how Shred-it can protect your documents and hard drives, please contact us to get a free quote and security risk assessment.