Cyberthreats Are Rising: Why the Hospitality Industry Must Act Now
As winter travel season continues, the hospitality industry finds itself navigating one of its busiest times of the year. Airports are packed, hotels are fully booked, and rental car agencies are in overdrive.
Millions of travelers rely on interconnected services to book and manage their trips. But while travelers focus on reaching their destinations, cybercriminals see this surge in activity as an opportunity to strike.
The growing integration of systems has undoubtedly created smoother customer experiences, but it has also widened the threat landscape. For travelers, this means understanding where their personal data is stored and how it’s being protected. For hospitality organizations, it’s a call to heighten cybersecurity efforts to prevent increasingly creative and disruptive cyberattacks.
Growing Hospitality and Travel Threats
As travel demand soars, so do cyber risks targeting the hospitality and travel industries. The past few years have seen high-profile breaches that highlight the sector’s vulnerabilities. Earlier this year, Omni Hotels & Resorts—operating over 50 properties in the U.S. and Canada—was hit by a cyberattack that forced a system shutdown. Reservations were disrupted, hotel room door locks became inoperable, and point-of-sale systems ground to a halt.
Unfortunately, this wasn’t an isolated incident. A 2023 report found that 31% of hospitality organizations have experienced a data breach. These breaches come with devastating consequences, from financial losses totaling millions of dollars to reputational damage that can permanently erode customer trust. For an industry so dependent on loyalty and repeat business, even one successful cyberattack can have a long-lasting impact.
As hotels, airlines, and travel companies adopt interconnected systems to enhance guest experiences, their attack surfaces grow. The combination of higher data volumes and fragmented systems makes cybersecurity more critical—and more challenging—than ever.
The Unique Challenges of Cybersecurity in Hospitality
The hospitality industry faces challenges that set it apart from other sectors. In many industries, a system disruption can be managed remotely, but in hospitality, the effects are immediate and personal. For travelers, a cyberattack could mean losing internet access, being locked out of their hotel room, or finding themselves unable to check in after a long journey. A single attack can overshadow an otherwise perfect guest experience, leading to negative reviews that ripple across the industry.
The challenges don’t stop there. The industry is also hindered by:
- High Employee Turnover: Frequent onboarding of new employees creates gaps in security awareness and processes.
- Accessible Point-of-Sale Systems: These widely used systems are common attack vectors and make hospitality organizations attractive targets.
- Fragmented Tech Stacks: Mergers and acquisitions often result in individual properties maintaining separate systems and web presences, increasing exposure to vulnerabilities.
The vast amounts of customer data collected to personalize guest experiences—such as credit card details, contact information, and loyalty program credentials—further raise the stakes. Cybercriminals understand the value of this data, and their efforts to exploit it are only becoming more advanced.
The Vectors Cybercriminals Exploit
According to our 8th Annual Hacker-Powered Security Report (HPSR), cross-site scripting (XSS) attacks remain a significant concern for the hospitality industry. The sector reports higher-than-average occurrences of these vulnerabilities, driven by its large digital footprint and varying levels of asset maturity as companies work to unify their tech stacks and streamline software development lifecycles.
The rise of AI-powered tools, such as booking chatbots, has also introduced new risks. Our survey found that 48% of security professionals view AI as a major risk to their organizations, with generative AI tools making it easier for attackers to develop more sophisticated strategies.
In addition, the hospitality sector’s reliance on loyalty programs has increased vulnerabilities such as Insecure Direct Object References (IDOR), leading to information disclosures that cybercriminals can exploit. As the industry grows more innovative in enhancing customer experiences, attackers are keeping pace, finding new ways to manipulate these systems.
What Hospitality Organizations Can Do
Despite rising risks, many companies are struggling to invest adequately in cybersecurity. Alarmingly, one-third of businesses have either frozen or reduced their security budgets over the last year. Contributing factors include ongoing IT skills gaps, leaving cybersecurity teams critically understaffed during one of the most dangerous periods in cybersecurity history.
Security researchers can play a vital role in addressing these challenges. By identifying vulnerabilities before attackers can exploit them, researchers help organizations stay ahead of evolving threats. In fact, 70% of HPSR respondents reported that hacker-driven efforts prevented significant security incidents.
Notably, engaging security researchers is often more cost-effective than traditional solutions. Across industries, HackerOne found that the cost of identifying a vulnerability is $1,066, up 5% in 2023—a fraction of the financial losses caused by a successful breach.
For example, Hyatt Hotels launched a public bug bounty program in 2019. Since its inception, Hyatt has resolved over 500 security vulnerabilities and awarded more than $800,000 in bounties.
The Growing Impact of Generative AI
The urgency to engage security researchers continues to grow as generative AI tools enable increasingly advanced and targeted cyberattacks. In the HPSR, more than 55% of cybersecurity professionals indicated that they believe AI will become a major focus in the coming years, and 14% already view it as a significant concern. To address these risks, AI red teaming is gaining traction as a best practice. This approach involves inviting independent security researchers to identify vulnerabilities in AI systems, enabling organizations to address safety and security flaws proactively. In fact, 67% of survey respondents believe that external, unbiased testing is the most effective way to uncover and mitigate AI-related risks.
Already, the number of AI assets included in HackerOne programs has surged by 171% over the past year, a testament to the increasing focus on securing AI applications. As AI becomes embedded in more business processes, hospitality organizations must prioritize not only securing the AI itself but also protecting the broader systems it interacts with, ensuring that AI innovation does not come at the expense of security.
Safeguarding the Industry Through Vigilance
As the hospitality industry embraces a well-deserved rebound during the busiest travel season of the year, it must balance delivering seamless guest experiences with the critical task of securing its systems and data. The interconnected nature of the industry creates vulnerabilities that cybercriminals are eager to exploit.
By prioritizing cybersecurity, engaging skilled security researchers, and addressing the growing risks associated with generative AI, hospitality organizations can safeguard their customers, operations, and reputations. In a season defined by travel, connection, and celebration, ensuring robust cybersecurity measures will help the industry deliver on its promise of worry-free experiences for every traveler.