Data breaches make the hospitality industry less hospitable

November 16, 2011 by bkrenek

The tourism industry may be bouncing back from the worst of the recession, but occupancy, unfortunately, isn’t the only thing on the rise.  So are data breaches.

According to a new report by British insurance firm Willis Group Holdings, insurance claims for data theft worldwide jumped 56% last year, with the largest share of those attacks – 38% – targeting hotels, resorts and tour companies.

Why are hackers increasingly making themselves at home in the hospitality sector?

According to hospitality experts, the reasons are multi-fold:

1.    Labor cutbacks.  Given the recessionary climate, hotels have reduced staff and are trying to do more with less.  While the lean and mean approach may help hospitality businesses bolster bottom lines, it hurts the industry’s front line defenses against hackers.

2.    Software and equipment reductions.  While hotels ride out the recession, security maintenance, implementation and upgrades fall lower on the priority checklist, creating an easy welcome mat for fraudsters.

3.    Multiple entry points.  Customers book hotels through hotel websites, online travel reservation portals, phone calls, email, postal mail, and in-person with concierges.  Each channel offers its own risks for data breaches and must be individually addressed.

4.    Large access to personal data.  The hospitality industry keeps massive amounts of personal data on file for years and can sometimes lose track of what it has stored and where – all within databases that may be far less than bullet-proof.

5.    Guest room computers with flimsy protection.  Those networked desktops that hotels sometimes provide for guests can be so helpful…and harmful.  Often these computers are riddled with viruses or hiding bits and bytes of old customer data.

6.    Insecure cultures.  Even in the best of times, much of the hospitality industry simply doesn’t prioritize security as it should.  By creating business cultures that don’t sufficiently respect privacy, hotels are jeopardizing the trust of their customers.

Given that hackers have identified the hospitality sector as a soft target, what can hotels do to keep these unwanted guests out?  Here are some tips from industry watchdogs:

  1. Minimize data collection.  If you don’t need it, don’t collect it.
  2. Understand and comply with PCI-DSS.  Make sure your business is completely aware of its “cardholder data environment” and is providing appropriate protections.
  3. Find and digitally shred unneeded information.  Old, forgotten data is dangerous. Don’t be “data blind” – eliminate what you no longer need.
  4. Simplify your reports.  For example, don’t offer up social security numbers if not needed.
  5. Limit access.  Employees should be on a “need to know” basis with PCI and HR data.
  6. Split up your network.  Create electronic firewalls that limit the spread of viruses and attacks.
  7. Encrypt. Proper encryption renders hacked data unusable.
  8. Understand your network.  Review network logs for unauthorized activity, and make sure your security professionals do, too.
  9. Don’t put security in the ghetto.  Security isn’t just for IT professionals; make sure your entire organization creates and respects a culture of privacy that prioritizes security as the basis for all of its operations.