Cybersecurity in hospitality – a growing issue?

Cybersecurity in hospitality

COVID-19 has brought with it a notable rise in attacks on all businesses. Research from Deloitte reveals that the last 12 months have seen a sharp increase in ransomware, phishing attacks and attempted hacks. 

But there’s one industry that’s right on the frontlines of the fight against cybercrime: hospitality. Why is the industry so at risk? And what can be done to improve cybersecurity in hospitality? 

What are the risks? 

While hospitality businesses face many of the same cyber risks as other industries, they’re also at risk from a few that are fairly unique to the sector. 

There are the risks associated with the contact tracing requirements for COVID-19 that every hotel, bar or restaurant has to abide by. But there are also a few other threats that particularly impact hospitality: 

DDOS (distributed denial of service) attacks

The CCTV and surveillance systems many hotels and restaurants are reliant upon for customer safety are particularly vulnerable to this type of attack. 

Human error

With staff often handling dozens of transactions in a day and constantly juggling tasks, the risk of human errors that lead to breaches is high. 


DarkHotel is targeted spear-phishing spyware that attacks high-profile business customers through the hotel’s in-house WiFi network.

Alongside these threats, phishing and ransomware attacks are also very common amongst hospitality businesses. 

What evidence is there of the risk to cybersecurity in hospitality? 

Unfortunately, we’re not short of evidence on the risks to the hospitality sector. 

In the last few years, hospitality only ranks behind fiance and retail as the industry most targeted by cybercriminals. In 2018 alone, almost 514 million hotel data records were stolen or lost worldwide. The trend continued throughout 2020, with both Mariott and Prestige Software’s Cloud Hospitality platform both suffering massive breaches. 

Why is hospitality under attack? 

Like most industries regularly attacked by cybercriminals, hospitality is seen as an easy target. A recent study into hacker forums revealed that hospitality chains Hilton and Marriott were included in 31% and 28% of mentions respectively in discussions on easy targets.  

What’s more, it’s borne out by the figures. To date, 423 million U.S. travellers have been victims of a cyberattack through their business with hotels. And 70% of hotel guests believe that hotels don’t invest enough in cybersecurity protection. 

70% of hotel guests believe that hotels don’t invest enough in cybersecurity protection. 

So what’s going wrong?

A breakdown of hotel data breach areas revealed that 64% of breaches occur via corporate internal networks and 18% in both e-commerce and at point of sale. This suggests that the problem in hospitality is largely one of employee education and poor cyber hygiene. 

So is contact tracing safe for customers and businesses? 

With the adoption of contact tracing throughout the hospitality industry during the coronavirus pandemic, hotels, restaurants and bars have become a target. This is partly down to their large databases of customer information, but it’s also due to the relatively weak cybersecurity employed by most. 

Using the COVID-19 Guardian tool, cybersecurity experts assessed 40 contact tracing apps around the world to be of risk to users. 72.5% of these apps had a least one insecure cryptographic algorithm and 75% contained a tracker that sent data to third parties. 

72.5% of contact tracing apps have a least one insecure cryptographic algorithm

However, it’s worth noting, despite the risks, all of the apps save Kyrgyzstan’s ‘Stop COVID-19 KG’ were free of malware. We’ve written at length about why the benefits of contact tracing far outweigh the risks here. But, in short, the privacy concerns relating to contact tracing are relatively minor and should be easy to iron out.  

What can be done to improve cybersecurity in hospitality? 

The good news is that the current baseline for security levels in the industry is low. This means that achieving better protection is relatively simple. 

Simply put, hotels, bars, and restaurants need to be better at the basics. This might sound easier said than done. After all, hospitality businesses tend to be populated by staff with great people skills, not cybersecurity experts. 

However, the five technical controls laid out in the Cyber Essentials certification process don’t require expertise and would dramatically improve most businesses’ security. These are: 

  • A secure internet connection
  • Control over data and services
  • Regular updates,
  • Anti-virus and malware tools
  • Using the most secure settings on every device

In fact, it’s estimated that implementing these five steps can protect an organisation from up to 98.5% of the most common cyber threats. 

Beyond technical precautions, there’s another thing hospitality businesses could be doing better.  As we mentioned earlier, the majority of attacks on hospitality businesses stem from internal networks or at the point of sale. This suggests that staff either aren’t cyber aware enough to know a threat when they see them or they’re engaging in risky behaviour themselves.  

The key to fixing this is employee education. If your people aren’t aware of which behaviours are harmful and risk a breach, they can’t correct them. And it doesn’t have to be complex or require a computer science degree. Even the most basic education on proper cyber hygiene, using secure passwords, for example, could mitigate most of the risks hospitality firms face. 

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.

CTA button