U.S. Agency Nudges Hotels to Tighten Their Data Security Against Fraudsters

New guidance issued on Tuesday by the U.S. National Institute of Standards and Technology (NIST), a standards-setting agency within the Commerce Department, offers useful lessons for how hotel leaders can secure their most critical hotel software systems.

It’s the first time the agency issued recommendations on how hoteliers should tighten the security of their most critical software, the property management system (or PMS). Nearly every hotel uses a property management system for daily tasks, such as checking in guests, planning room assignments, and record-keeping about guest profiles and transactions.

Property management systems typically store personal details on guests and credit card data. Some government officials and advisors said these systems are particularly vulnerable to fraudsters, hackers, and spies. The data contained in the systems can be attractive to cybercriminals.

Some attackers have compromised the tech systems of several major hotel chains, putting at risk data on hundreds of millions of guests — especially via recent ransomware attacks.. A report by security vendor TrustWave found that hospitality ranked third among industries compromised by cybersecurity breaches in the pre-pandemic year of 2019, with hotels experiencing 13 percent of the total reported incidents.

Most of those data incidents involved attacks on corporate servers, which often store guest information and communicate with on-premise property management systems. When a vulnerability is found, the National Institute of Standards and Technology, which maintains the National Vulnerability Database, talks to the vendor whose product has a vulnerability to evaluate the risk to all companies.

Several of the problems the agency report highlighted aren’t new. Yet the issues may have increased urgency because hotels may have had to reduce oversight for monitoring their systems due to pandemic-related staffing cuts.

The challenges cited in the report are common to nearly all hotels, said Robert Braun, a partner at the Los Angeles law firm Jeffer Mangels Butler & Mitchell. Braun has advised hotel clients on data security issues.

Here is some high-level advice on what hotel executives should keep in mind when assessing the security of their property management systems, according to the 138-page report from the agency.

Conduct frequent assessments. Hotels should use the report to inspire them to define their unique cybersecurity requirements for all the tech vendors they use, put their data security requirements contracts, and set up schedules for vetting compliance. The report recommends hotels conduct in-person inspections or use checklist-based questionnaires for the few vendors who have access to a hotel’s most sensitive data.

Stay vigilant about Wi-Fi systems. While not new, Wi-Fi-based attacks on guests and hotel systems remain a problem. One technique, called DarkHotel hacking, leverages a hotel’s Wi-Fi to target and deliver malicious software to traveling executives.

Minimize staff access to sensitive data. As much as half of reported hotel security incidents have been traced to hotel employees, the report said. The agency advises hotels to limit employee access to sensitive data unless it’s strictly unavoidable as part of a worker’s job. It also provides advice on how to think about how to configure systems securely.

Minimize tech vendor access to sensitive data. The report embraces data tokenization, which shields critical data, such as credit card details, by replacing it with a randomly generated value that only a separate system can unlock. The process can help foil many hacking attempts.

Expect other standards organizations to follow suit. Later this summer, for example, a new global risk benchmarking standard for corporate travel will become the first of its kind for corporate travel when it’s published.

Skift Research subscribers can get the latest analysis on the hotel tech stack in a two-part report.

Here’s the National Institute of Standards and Technology report for hotel technologists:

NIST hotel PMS report