The hotel industry is more vulnerable to cyber-attack and data breach than most other businesses

In the recent high-profile Marriott cyber-attack, nearly 400 million customer records were breached. These include 9.1 million encrypted credit card numbers, over 23 million encrypted and unencrypted passport numbers, together with names, addresses, phone numbers and emails. Marriott failed to protect its customers’ data. This has resulted in the company being faced with the cost of restoring its systems, being subject to regulatory fines and class-action litigation. Perhaps most damaging of all is the substantial damage to hotels brand reputation.

Why the hotel sector is a cyber-criminal’s dream

The reason for Marriott’s – and the industry’s – vulnerability is simple:

• High dependence on IT to manage most of its systems.
• Sensitive nature of much of the customer data that it collects.
• Multiplicity of system ‘entry points’ across the business – from reservations (own or third party) to the front desk, from guest services to reward programmes.

Alarmingly, the whole interlinked process is currently as vulnerable as its weakest entry point.

The 2019 Verizon Data Breach Investigations Report notes that 93% of all reported breaches in the hotel industry come from three main areas: point-of-sale, web applications and crimeware.

The attacks can take many forms from the theft of data or money through to a ransomware demand on your room-entry systems. The attacker may not be a professional hacker. It could easily be a disgruntled member of staff, IBM have calculated that almost two-thirds of cyber incidents are insider jobs.

A breach can occur from a simple error from an employee, such as accidentally attaching sensitive data to a general marketing email. Unfortunately, whether the source of the attack is external or internal, it is likely that the business will ultimately be held responsible.

What is the cost to you?

Apart from the incalculable reputational damage, and the rectification costs, there are multiple ways a cyber-attack or data breach can leave your business out-of-pocket.

For example:

• Loss of profit if systems are interrupted.
• The defence and compensation costs if customer or staff personal data is stolen.
• Payments to clients or third parties who suffer loss because of the event.  You may even be liable for breach of contract.
• A breach at an outsourced provider, who has a limited liability contract with you, leaving you, as the data owner, exposed.

The remedy

The area is complex and can be full of pitfalls. Centor’s specialist cyber team have the expertise to guide you through the minefield.  They will help you find the right advice on loss control, to eliminate or mitigate many of the risks.  They will tailor the most cost-effective policy for your business to give you the cover – global, if required – that you need. In addition, they can support you with a 24/7 incident response team to help manage the PR fall-out should the unthinkable occur.

For more information

If you would like to set up a meeting with us to discuss your business needs, please contact James Groves on 0207 330 8707. Alternatively, you can click here for more information.

 Cyber-criminals takes aim at the high-net-worth Centor does Tough Mudder for Haven House Children’s Hospice