With the rollout of the COVID-19 vaccine, hotels are beginning to look ahead to a post-pandemic future. However, to bounce back they’ll not only have to show guests they’re safe from the coronavirus — hotels must also convince guests their personal information is safeguarded.
Two of the top five biggest data breaches made public in 2020 were at hotel chains. Attackers stole personal information including names, emails and addresses from 5.2 million guests at Marriott and 10.6 million guests of MGM Resorts. More than 100,000 MGM guests also had more sensitive data compromised, such as passport and driver’s license numbers. To ensure a swift recovery from COVID-19, the hospitality industry must shore up its cybersecurity protections — or risk more headline-making breaches in the future.
The point-of-sale problem
Breaches like those that affected Marriott and MGM Resorts have major business impacts. Though no fines have been issued yet for 2020, in October the U.K. government announced it would fine Marriott $24 million for GDPR violations related to a similar breach that was discovered in 2018. But the consequences extend beyond monetary costs. Breaches undermine hospitality brands’ reputations and erode customer trust. Eighty-one percent of consumers will stop engaging with a brand after a breach, according to a 2019 study.
Risk is especially high at hotels because attackers have multiple points of entry. Guests may share their credit card numbers with the hotel in advance via a booking app or website, opening up the possibility of web-based attacks. Loyalty programs are another source of online vulnerability, with an estimated $1 billion a year lost to account fraud and related crimes.
However, one of the biggest vulnerabilities may be on the hotel grounds themselves. Most hotels have multiple point of sale (POS) terminals across different locations, from the front desk to restaurants, all of which are connected to each other. If a POS device is not properly secured, attackers can use malware or other attack vectors to steal clear-text credit card numbers and other data. According to the 2020 Verizon Data Breach Investigations Report, POS attacks remain one of the most common causes of data breaches in accommodations and food services.
How to defend the fort
When it comes to cybersecurity, companies today have two options: Defend the fort or devalue the data. The former is the more traditional approach. By strengthening the digital “walls” around your data — via firewalls, intrusion detection, 24/7 monitoring and other security protections — the defend-the-fort approach works to keep attackers from accessing your systems at all.
One important and underutilized aspect of cyberdefense is employee training. This can be difficult to accomplish in an industry like hospitality, where turnover is high — but it’s a vital element of cyberdefense. The attackers who breached Marriott in 2020 gained access through two employee accounts. Make sure your employees use strong passwords and know how to spot fraud and spear phishing attacks. You may also want to limit employee access to confidential data, so if an account gets hacked, private guest information doesn’t go with it.
You should also make sure your software is up to date with all security patches, as attackers often exploit known weaknesses in programs. Isolating POS devices from the rest of the network can also limit the damage from malware infections at that entry point.
The importance of devaluing data
Unfortunately, with cyberattacks on the rise, it’s unlikely that even the strongest digital “walls'' will prevent all incursions. Defenses are important, but the ever-changing nature of technology means that new, hard-to-catch vulnerabilities will pop up all the time.
That’s why it’s so important to devalue your data, rendering it unusable to attackers who gain access to your systems. One way to do this is to implement point-to-point encryption (P2PE) by encrypting payment information from the moment it enters your network at the POS. Encrypted data is unintelligible to anyone who doesn’t have the right digital key. Implementing P2PE is the only way to ensure that clear-text payment data doesn’t fall into the hands of attackers targeting POS systems with malware.
Data that’s stored for the long term, like passport information or credit card numbers saved to a loyalty program, can also be devalued through tokenization. Data that’s tokenized gets replaced with an alphanumeric pseudonym, so the actual sensitive information isn’t stored on your servers. This method helps secure guest information beyond the initial transaction at the POS.
The 2021 opportunity
It’s been a challenging year for the hospitality industry, but 2021 could be much brighter. Hotels that reckon with their security vulnerabilities now will protect themselves from fines and other fallout from data breaches as business rebounds. They’ll also build deeper, more trusting relationships with customers by keeping their personal information secure. By strengthening security protections and devaluing their data, hotels can set themselves up for a brighter future.
ABOUT THE AUTHOR
Ruston brings 20 years of payment security experience to his role of Founder and Advisor, where he serves as Bluefin Payment Systems’ security thought leader and technology evangelist. Ruston founded Bluefin in 2002 and speaks at conferences and industry events on payment security throughout the year. Bluefin was the first North American-based company validated by the PCI SSC for a point-to-point encryption (P2PE) solution in March 2014 and today specializes in PCI-validated P2PE integrated and stand-alone solutions for retail, mobile, call center and kiosk/unattended environments, and secure Ecommerce technologies including transparent redirect and tokenization.