Data Security in Hotels
Data security is an important consideration today, and for hotels it needs to be addressed all the more diligently because it involves guests and their privacy.
Have you given a thought to the fact that hotels take so much personal data, including your credit card details, when you check in? You probably have not. However, if you did, and the thought of all this data being misused crossed your mind, would you even part with that data? And on second thoughts, how will a hotel check you in if you do not give this information? Sounds like a double whammy for sure, but one that puts the spotlight firmly on the fact that data security systems in hotels need to be robust, scalable and able to thwart all kinds of potential attacks on their systems.
Specifically, the hotel industry has witnessed numerous sophisticated attacks on secured data, including the recent breaches reported by InterContinental Hotels Group and Sabre Hospitality Solutions. Unsurprisingly, hackers have usually targeted payment card data from point-of-sale (POS) systems in hotels, resulting in unauthorized credit card charges and other malicious activities. Apart from the lack of POS encryption, hotel networks are usually poorly defended, in some cases allowing hackers to sit undetected on networks. Over time, the industry has witnessed hackers increasingly moving from regular credit card fraud to ransomware and extortion, a model spreading like wildfire in other sectors.
The data threat is not limited to credit card forgery; it also includes cyber-attacks on the guest network and the hotel network. Hotels need to think about the multiple endpoints and the remote connections they rely on to run the property’s operations. Electronic door locks, HVAC controls, alarms and a full range of Internet of Things (IoT) devices can fall under the control of cybercriminals aiming to disrupt normal operations, hijack the data and misuse it. Hotels accommodate diverse, global clients and corporate travellers with high credit limits. They are favourite targets for cybercriminals because of the massive number of potential credit cards available at one location and the large amount of customer data. “Cybercriminals often attack hotels through spear-phishing emails to deliver malware and extortion tactics. These criminals are typically focused on stealing credit card information and personally identifiable information. Most of these actors are opportunistic and generally seek isolated systems for exploitation. They tend to go after large volumes to be sold in the underground. Another threat is cyber espionage. Business and government personnel who are travelling, especially to a foreign country, often rely on hotel networks to conduct business and may be unfamiliar with threats posed while abroad. Last month we observed a campaign by threat group APT28. This Russia-based group compromised hotel Wi-Fi networks to steal personal credentials of hotel guests,” said Subhendu Sahu, Acting Country Manager for India, FireEye.
Safe & Secure
Organizations need to be able to detect and respond to unique attacks that have not been seen before, and the key is to have strong coverage on your network’s endpoints, whether those are point of sale, workstations, or mobile devices. Hotels are vulnerable to cybercrimes through a variety of avenues that break with the traditional physical security measures deployed across the hospitality industry. “A regular monitoring of network should be there to identify the irregular activities. We cannot put all this responsibility on a machine and relax. Machine can do its task but someone should monitor with his own parameters. You never know that a security threat may come from a hotel guest also. To avoid this situation normally use two different networks without and keep them physically separate. Using a good quality firewall on both the networks helps. We normally avoid giving internet on staff personal computers and avoid internet on official computers if it is not necessary,” said Gaurav Tyagi, IT – Manager, StayWell Hospitality Group, India.
Sarada Muduli, Revenue Manager, Lords Hotels & Resorts added, “We have installed a Wi-Fi firewall which alerts us to any compromise in its operations. We also have an auto trigger of anti-hacking, anti-spam ware, and antivirus to protect email communication with guest database. We try and keep the interface for the guests as simple as possible; however, since it is a sensitive area we do maintain protocols that are standard everywhere else. Mandating an OTP while signing into the hotel’s Wi-Fi or a personalized check with PMS are standard procedures and while they may mean a little intrusion, guests are aware of the reason for it. We also request for the identity proof of our guests and offer a secured platform to them to use the facilities.”
A key aspect in hotels is ensuring that guests are not inconvenienced at any time and that security measures are discreet. “Keeping all the data security standards and implementation in place, we also ensure that the usability is simple and straightforward for the guest devices, where most of the security protocols run at the backend with little or no guest intervention. Example: Guest authentication required as and where crucial, all guest personnel data wiped post guest usage automatically on public access devices,” said Bijesh Mukundan, IT manager, Le Meridien Mahabaleshwar Resorts and Spa.
Before seeking any solutions, hoteliers need to shift their mindset and recognize that in today’s scenario, cyber breaches are not a question of “if” but “when”. “Without graduating from breach-denial or breach-prevention only to breach-acceptance, hoteliers would not be able to see the right solutions that safeguard them as well as their guests against the challenges in the cyber-age. As they undertake this mind-shift, the realization of the need to change their security strategy to make it Data-Centred shall be a natural choice. Having said that they shall be reviewing the 3-step secure the breach strategy to protect the data through encryption, secure key management and strong multi-factor authentication,” explained Rana Gupta, Vice President – APAC Sales, Identity and Data Protection, Gemalto.
The Right Fit
Implementing the best quality payment gateway, secured booking engines, a firewall for internal Wi-Fi usage and external firewalls are some of the ways to safeguard sensitive data. While numerous solutions are available to ensure data privacy is maintained, the key is to ensure that these are also scalable. “We should know that none of the security software, anti viruses and other tools can 100% guarantee to prevent hotels and any other business from cyber-attacks. On the other hand, securing and limiting the system too much may cause other problems such as preventing the customers to access the information they might need; thus, hotels and other organizations should manage the risk in cyber defence which according to requires a meaningful and understandable operational model which causes balance in security implementation and operation as well as using the newest technology available plus testing of security posture and very strong feedback structure,” said Thirupati Gasiganti, Information & Technology Manager, Novotel Hyderabad Airport Hotel.
Practices like the creation of separate networks for each aspect of the hotel help in preventing cyber criminals from gaining wider access to more vulnerable networks. Hotels are therefore implementing innovative strategies to safeguard their data and protect customer information. “Segregating sections in different VLANs is already in place, however people still play a vital role. We have enforced no removable device policy in our network with exception to only IT and the secure BIOS, disallowing any boot configuration alteration is in place. Also we have secure LAN ports disallowing any foreign device connection physically.”
Naturally, technology companies have their own list of protocols that they advise hoteliers to follow. “Companies should have the endpoint and email protection to detect the advanced forms of the attacks, such as spear phishing emails that contain malicious macros to launch malware that can steal credentials or serve as a beachhead on a system. It is vital for organizations to have the right threat intelligence to understand how other countries employ these tactics. In cyber, tactics move at the speed of a click. Other countries and criminals adopt malware and tactics of another country,” opined Sahu. Muduli added, “The IT team runs a drill periodically to test the efficiency and preparedness of the systems. This allows for them to identify any loopholes or errors and rectify them. Fronts such as the website domains need to be up and running at all times and so it is auto responsive to any cyber-attack.”
Data security solutions are quite expensive, and a specific budget allocation is required based on the business requirement. Tyagi says, “We have to look at it in two parts: things which are necessary to run the business and things which must be there from IT point of view. In the hospitality industry, management is more interested in the first part but as an IT person you cannot ignore the latter. For example, you can easily get budget to improve your Internet speed, but it is very hard to get approval on firewall upgrade.” Naturally, then, ensuring that hoteliers are able to make a wise investment in arguably the most important aspect of data security is of paramount importance in an industry where the differentiator will be guest trust and confidence.
Did you know?
- Cybercrime is the most prevalent threat activity faced by the hospitality sector.
- Since 2013, as per the Breach Level Index, the hospitality sector has witnessed over 57 data breaches that led to almost 10.5 million data records being compromised worldwide.
This story appeared in the Sep-17 issue of Hotelier India.