With so much valuable customer information being processed each day, hotels are prime targets for data breaches. It’s vital that they stay abreast of how they can protect their guests as data security evolves and technologies and threats change.
In recent years, hotel chains have asked their customers to share more personal information than ever in exchange for better service. With this comes a need to ensure that this information is as safe and secure from data breaches as possible. SkiftX recently spoke with Aleksander Ludynia, Shiji Group’s director of security, about what hospitality companies should keep top of mind about data security and privacy for the year ahead.
SkiftX: Why is hotel customer data so attractive to hackers?
Aleksander Ludynia: Let’s start with some good news: Hospitality is not among the industries most targeted by cybercriminals, especially compared to finance and healthcare. According to some reports, the cost of hospitality data breaches has actually decreased during the last five years — likely as a result of security measures implemented after serious breaches and a growing focus on privacy worldwide.
But the abundance of personal and credit card data processed, as well as the value of this data, do make these companies attractive to cybercriminals. Credit card data can be easily monetized by hackers, and personal data can be sold on the dark web to conduct scams or identity theft. Hospitality data also has intelligence value, which may attract a specialized group of cybercriminals who are seeking out the location, preferences, fellow travelers, or other details related to high-profile guests.
Because these breaches can be massive, affecting millions of customers, they’re often highly publicized in the media. This tends to give the impression that the industry is less secure than others. Unfortunately, the exposure to risk, plus the growing number of active cybercriminals, means that more data breaches are bound to happen in the industry. All of this makes the software engineering of security deployment processes more complex.
SkiftX: How are consumers thinking about sharing their personal data with larger hotel companies?
Ludynia: Guests realize that sharing some of their personal details with hotels is a part of the deal, and those that are loyalty program members usually recognize that their data is used to improve the services they receive — the more information they share, the more fine-tuned the service. But guests do not want their data to be sold or shared with third parties without valid reason. Hotels must also balance collecting too many personal preferences and ensure that the information is used for customer satisfaction, rather than strictly maximizing profit.
Thanks to GDPR and other regulations, customers hopefully have greater trust that hotels will not do anything unwanted with their personal data. It’s our job to ensure that trust stays intact.
SkiftX: The role of security used to primarily be about protecting systems or the company. Now, it’s about protecting the company’s customers, especially in hospitality. Why is this?
Ludynia: Security has always been about protecting information. However, more attention is being paid to personal data security because of the expansion of digital technology, new regulations, bigger fines, and increasingly intrusive marketing. Customers now realize the importance of controlling who has access to their personal data. They expect that their data will be protected and used only for the agreed purposes. Knowing how much a data leak can cost a company, businesses are taking responsibility to ensure the highest security level to protect customer data. As a cloud services provider, we know that we play a very important role in this chain of responsibility.
SkiftX: What are some of the pros and cons that GDPR has brought to enterprise hotel companies? How well do you think the industry has responded so far?
Ludynia: GDPR defined what hotels can and cannot do with their guests’ personal data, eliminating any uncertainty regarding data protection rules and principles. It has helped hotels unify their processes and internal rules around personal data. This has grown beyond Europe as GDPR becomes the standard and its principles are applied by hotels and regulators from non-EU countries as well.
One of the challenges presented by GDPR was adapting legacy IT systems to its requirements. In some cases, hotels had to decide whether to update their overall system or focus on the implementation of new solutions. I believe that cloud solutions built with privacy at the architecture level are a perfect way to solve such problems. They also shift the responsibility for future adjustments to the vendors, which will make life easier for IT staff at hotels.
It’s never easy to retrofit new regulations into old systems, but overall, I believe the industry has responded positively.
SkiftX: How should enterprise hotel companies be thinking about data sovereignty? Can you give an example of how the issue of data sovereignty might come into play for an enterprise hotel company?
Ludynia: Data protection laws such as GDPR do not provide data localization requirements — instead they regulate cross-border data transfers. These rules are relatively transparent and straightforward. However, some jurisdictions have developed relevant sectoral laws — in parallel to data protection laws — that define where data should be stored.
Satisfying data sovereignty requirements brought by regulations worldwide is a major challenge for enterprise hotels. Because they operate globally, they may need to follow multiple regulations, which, in some areas, might conflict with each other.
For example, one jurisdiction’s regulation could require a property to store its customer data in the country where it operates. Another jurisdiction’s regulation might require that the data be stored in the country where the hotel guest has citizenship. The hotel needs to determine which data storage location should be used: the property location or the hotel guest’s country of citizenship.
Data sovereignty also complicates the process of unifying guest profiles into a single profile. It may require the company to implement multiple data storage locations and strict control over how the data is transferred. Knowing this, we specifically designed our profile management system so it can adapt to global chains and international regulations.
SkiftX: What can enterprise hotel companies do to protect themselves from data breaches?
Ludynia: They can protect themselves and the personal and cardholder data of their customers by understanding their risk exposures and deploying appropriate security measures. They should address the most significant risks by examining their most valuable resources, who might target the company and why, what kind of attacks could take place, and what the impact of such attacks could be. They must also ensure the availability and accuracy of their business systems, as well as the integrity of the data within those systems — for example, the data and information needed to process reservations.
While complex security solutions are important, basic security hygiene is key. This includes maintaining inventories of systems and data, patching systems regularly, configuring them securely, managing access, and limiting external attack surfaces. Legacy systems should be closely monitored, and at some point, might need to be replaced with new solutions that address the current business and security requirements needed today.
SkiftX: What can enterprise hotel companies improve upon when it comes to data security?
Ludynia: One of the weakest links in the data security of enterprise hotels is that the legacy systems often used make it difficult to introduce new security controls. Hotels must shift to the new technologies and IT solutions with security and privacy designed within the core architecture, rather than it being an added layer as the need arises.
Another area to be improved upon is employee training. Employees must be aware of the sensitivity of the data they process, the threats and attacks they may face, and the procedures they must follow to prevent breaches. Without proper, regular training they may become the weakest links. It’s important to realize that the issue of security is never completed. There will always be areas for improvement as technology changes and threats evolve.
SkiftX: What are some advancements you expect to see in data security and privacy for hotel companies in 2021 and beyond?
Ludynia: I expect that we’ll see advances in how hospitality companies store and manage regional data, and I believe that data sovereignty is going to become more important in terms of guest safety and trust. I also predict that the scope of what we consider to be “private information” will expand. Currently, we consider information such as name, address, and phone number as directly identifiable personal data. However, as technology advances, a wider scope of data may be used to link information to an individual. Therefore, such data as behavioral analysis, food preferences, or expenditures might eventually be explicitly covered by privacy regulations. Finally, all new technologies implemented by hotels will also create new risks that will have to be addressed by security teams.
SkiftX: Cloud platform technology vendors frequently claim that cloud is more secure than on-premise technology. What are your thoughts on this?
Ludynia: I agree that cloud solutions are usually more secure than legacy on-premise systems. Due to technical limitations, these older systems might not offer a sufficient level of security, especially in the interconnected environments. This is only expected to become more of a challenge as API usage grows.
It should be noted, however, that not all cloud solutions are equally secure. A system isn’t necessarily more protected just because it’s a cloud solution. Cloud services vendors share the risk and responsibility with their partners. The key is to choose a trusted cloud technology partner that takes these risks seriously and takes sole responsibility to deploy effective security measures. We at Shiji have a ‘customer security first’ approach, but that isn’t the case for every cloud security provider.