November 28, 2017

Checking In: How Safe is Confidential Information in a Hotel?


Technology is changing hotel operations – and the experience of staying in one. Tech-savvy hotels have mobile device check-in, key cards and room service as well as public Wi-Fi in rooms, lobbies and conference areas.

But all this connectivity means that hackers are checking into hotels more often too.

More than a dozen data breaches have been reported by large hotels since 2010. While that number may sound low, many hotels are international and connected to hundreds of properties and other businesses around the world.

One of the biggest culprits of high-profile data breaches at hotels is malware that targets customer credit card data at point-of-sale systems. These breaches can cost companies hundreds of millions of dollars and damage reputation and consumer confidence too.

What’s also worrisome is that Hospitality Technology’s 2017 Lodging Technology Study showed that 74% of hotels do not have breach protection. For example, less than half use end-to-end encryption, which protects cardholder data, and tokenization, which protects personal payment data at payment terminals.

What can hotels do to better protect themselves and their guests?

  • Make it policy. Hotels should have a demonstrated vision for security and privacy. Implement a culture of security so that security awareness is highlighted throughout the workplace.
  • Commit to PCI Security. The PCI Security Standards Council created Payment Card Industry Data Security Standards (PCI-DSS) so hotel owners and operators would implement a secure network and security policies.  
  • Protect POS Systems specifically. POS attacks account for 87% of breaches in the accommodation industry, according to the 2017 Data Breach Investigations Report. Invest in the latest cyber security tools to safeguard against these attacks. Patch regularly, update equipment and software, and use a monitoring system that can detect breaches at terminals.
  • Be aware of software. The Data Breach Investigations Report also pointed out that the level of software installation occurring in the industry needs to decrease, highlighting the need for better security policies and awareness.  
  • Educate employees. Provide ongoing training (hotels usually have high employee turnover) to ensure new and long-term employees understand and follow security policies. For example, don’t use default passwords, and learn how to recognize phishing emails.
  • Keep up-to-date about different privacy laws. In Europe, the new General Data Protection Regulation (GDPR) will affect companies around the world that process personal information about EU citizens. In the U.S., each state has its own notification and reporting requirements and fines related to a breach.
  • Segregate sensitive data. Create separate networks for different aspects of the hotel to prevent widespread access to all networks. For example, use a dedicated network for reservations and payment cards, another for email and social media, and another for the use of smartphones as room keys.
  • Vet third parties. Payment terminals in a hotel ecosystem typically include third-party gift shops, restaurants, car rental companies, airlines, etc. Assess all third parties to make sure their security is solid.
  • Purge. Hotel owners should securely destroy outdated paper and digital data. De-identify customer information data as much as possible too.
