Hotels are ripe for data breaches, with all the information guests provide them. The Marriott hack sounded a wake-up call when revealed last year. But hotels have been slow to come up with ways to protect their guests.
Hotels are some of the most vulnerable places for data breaches. That much became obvious last year when Marriott International revealed that about 383 million of its guests had their information compromised because of a hacking of its reservations system.
Faced with the possibility of such intrusions, hotels are now turning to outside companies to protect their customers’ data.
The Martinique Hotel, part of Hilton’s soft brand Curio Collection, is planning to pilot Cyber Safe Travel, a program by risk management firm Cino Ltd. and StrikeForce Technologies, in 2020.
Guests will pay $3 a day to protect up to three devices for as many as three days. They can also purchase an annual subscription for $24.99 that they can use at home or any other hotels.
Data breaches have affected the biggest hotel companies in the world in recent years.
Hilton in 2017 had to pay $700,000 to New York and Vermont to resolve two data breaches that resulted in more than 363,000 credit card numbers being compromised.
“There’s so many different threats that any user faces whether it be on their cell phones, their iPad, or any peripheral device,” said Joseph Delgado, financial officer at the Martinique hotel. “We’re trying to help make sure our guests have a sense of security. A lot of people don’t know what types of threats are out there.”
The Federal Bureau of Investigations said in its 2018 internet crime report that up to $2.7 billion was lost to cybercrime.
More than 22 million U.S. travelers self-report as being a victim of a cyberattack at hotels, according to the Morphisec 2019 Hospitality Guest Threat Index of 1,000 consumers.
California Consumer Privacy Act
The new year will be challenging for the hospitality industry when it comes to cybersecurity with the enactment of a California law that is intended to protect consumers from having their data sold without their consent or knowledge. The law was passed in 2018 after Cambridge Analytica got access to private information from Facebook. The California Consumer Privacy Act goes into effect Jan. 1.
It applies to any company that does business in California and has global revenue of more than $25 million. Companies that collect or receive information of 50,000 or more California consumers, electronic devices, or homes will also be subject to it.
All companies that can get ahold of personal information such as names, addresses, email addresses, passport numbers, and Social Security numbers have to abide by the law.
The law is modeled after the General Data Protection Regulation in the European Union that has rattled many businesses.
Compliance Challenges and Solutions
The new California law is particularly challenging for small and midsize businesses, said Bess Hinson, a cybersecurity and privacy attorney at Morris, Mannin & Martin LLP. Many companies that do not have internal IT departments are outsourcing the work.
“Companies are still struggling somewhat in finding a budget for this effort,” she said. “It’s not something that many businesses want to spend money on. Compliance is pretty thankless.”
Many hotel companies declined to elaborate on their cybersecurity tactics.
“Like other companies, we have monitoring technologies in place, and we have incident response processes that are both validated and tested,” said a Hilton spokesperson, adding that he could not “share specific details on tools, technologies, or techniques.”
“We want to provide comfort that we understand our responsibilities and have the expertise in place but not provide information that could be used by bad actors,” he said.
Marriott spokesperson Jeff Flaherty said the company does not install third-party software onto guest devices. Its mobile app uses a sandbox to protect data. A sandbox is software that provides an extra layer of security that prevents malware from corrupting a system. It can store data that is encrypted when a user does not have access to Wi-Fi.
Marriott has partnered with a security firm to test and analyze its mobile app security features. It has also rolled out software to detect suspicious behavior on its networks.
“We’re in a post-Equifax-breach world and in the hotel industry, we’re in a post-Marriott breach world, and it’s just different,” Hinson said. “You have a more interested consumer base.”
Equifax, one of the three largest consumer credit reporting agencies, had a widespread breach in 2017 that affected millions of customers.
Hyatt Hotels earlier this year launched a “public bug bounty” program with cybersecurity company HackerOne that allows ethical hackers to test its websites and mobile apps for vulnerabilities.
Cyber Safe Travel, powered by Strike Force Technologies, utilizes login breach protection and keystroke encryption. Travelers are particularly vulnerable to hackers because they often log onto open Wi-Fi networks. Hackers can install keylogging spyware on their devices to get access to their information, reading everything that they type.
“Hackers are creating Wi-Fi (networks) everywhere for the unsuspecting person who isn’t in the comfort of their home,” said George Waller, executive vice president of StrikeForce Technologies. “People are generally very trusting.”
Joe Saracino, CEO of Cino, said that the hotel industry is starting to be more proactive to prevent more breaches.
“Data is valuable. I don’t care what kind of data you have. It’s valuable to someone, to some entity,” he said. “The hotel industry is just getting it.”
Photo credit: The hotel industry is struggling to protect their guests from data breaches on their mobile devices. rh2010 / Adobe