Qooco Opinion


Cybersecurity – The damaging dangers of data

August 26, 2016

Hotel HR professionals are well aware of the need to train their employees in how to deal with upset guests, or in upselling higher value products. They will know the key positions that will need to be filled, such as F&B manager, Front Office staff or room attendants. Of less concern would be a hotel’s online security, and the human resource needs that this entails – which is often left up to the IT department.

Hotels possess large amounts of online data on their guests. While data will enable the hotel to provide a higher level of service for less, there are also huge dangers that come from the shift towards technology. Cybersecurity is not necessarily a priority for many hotels, despite a slew of attacks over the past year aimed mostly at credit card data. Hilton reported in September 2015 that it was investigating a credit card breach in several of its US-based properties. The Trump Hotel Collection also suffered an attack at many of its properties, as did Starwood following the announcement of its acquisition by Marriott. It is only a matter of time before one or two major hotels suffer a high-profile cyber-attack that targets actual customer data – including information on guests' purchases and habits – and hotels will soon have to incorporate cybersecurity training into their learning programs.

The information that hotels have on their guests, some of whom are very high profile, including politicians, celebrities and businesspersons, can be very personal in nature, including food allergies, medical conditions and drinking habits. A cybersecurity breach could expose some seriously sensitive information, significantly damaging the hotel brand. If high profile guests believe that their data will be exposed if they stay at a particular hotel, there is no way they would stay. This would have a trickle-down effect to regular guests as well.

Here is a fictitious, but ultimately plausible, scenario. Hollywood couple Mr. and Mrs. Celebrity check in to a top hotel in Kuala Lumpur. They are in Malaysia on the last leg of their world tour and are due to launch their latest album the next month. Their brand is built on the fact that they are sweet and well-meaning, they eschew alcohol and partying, and promote a healthy, wholesome lifestyle.

During their stay, however, hackers easily circumvent the weak to non-existent hotel online security features. Through the WiFi system, the hackers gain access to all of the couple's e-mails, including some sent by the couple which are particularly disparaging about fellow celebrities and even their Malaysian hosts – perhaps normal in Hollywood, but completely at odds with the image they want to portray. Even more damaging, the hackers gain access to the hotel CMS, and are able to view every single item that the couple ordered during their stay. This, of course, includes large amounts of alcohol, and room service notes on the large end-of-tour party they held, including invoices for TVs and vases that were broken.

The hackers quickly sell this information to major US tabloids, which take no time in spreading the news across their front pages. Suddenly, the couple's album launch is cancelled, and their legions of young fans leave them in droves. This is not an unrealistic scenario, and the celebrities could easily be replaced by heads of state, whose sensitive security secrets could be exposed; business leaders, whose company strategies and other secrets could be exposed; or human rights activists who are targeted by corrupt or venal governments.

The damage to the hotel brand would be just as significant, even existential. Experian, T-Mobile, Sony Pictures and others are now tainted by the hacking scandals that affected them, but for a high profile hotel chain whose Unique Selling Point (USP) is the ability to look after their guests in privacy and safety, a cyber breach would undermine their greatest selling point, leading to a flight of high-paying guests and potentially irreparable damage to the brand.

Alongside more investment in cybersecurity measures such as software and the hiring of experts, staff training will play a significant role in reducing the risk of a high-profile cyberattack. Hotels will need to start with ‘cyber basics’ – simple things like changing passwords regularly, and implementing two-step verification – and instilling these habits among their staff. This may sound like common sense, but in one major attack that made headline news, a company kept all of their passwords in a folder labeled “passwords.” And the password required for access? “Password.”

Cyberattack scenarios will have to be incorporated into their training programs. Employees will need to know what to do should the hotel be affected by a cyberattack; this could include SOPs such as the immediate shutdown of the hotel’s CMS system until the breach has been plugged, or simply knowing who to contact in the event of a suspected attack. When a high-profile guest comes to stay and the risk of an attack is highest, staff will need to be aware, and the hotel’s IT team will have to be on alert. All these scenarios require practice.

This is an extract from the Qooco White Paper (June 2016). To view the full White Paper, please visit Qooco White Paper