Hotel data security: is the industry behind the curve?

With tens of millions of guests a year, the hotel industry consumes huge quantities of data, much of it personal and highly sensitive. Ensuring the right protection is in place is costly, both financially and for ones reputation, if done incorrectly. Andrew Tunnicliffe talks with PwC’s Matthew Wilmot about the challenges the sector faces and what more it, third parties and regulators can do to avoid the next scandal.

“Personal data has a real value, so organisations have a legal duty to ensure its security, just like they would do with any other asset,” said the UK’s Information Commissioner Elizabeth Denham. “If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”

She was speaking on the announcement that the Information Commissioner's Office (ICO) intended to fine Marriott International more than £99m for a security breach which resulted in the personal data of more than 339 million guests being accessed. The hack – which first came to light in November 2018 – included the theft of passport details and credit card information of guests worldwide. Labelling the attack “criminal”, the company’s President and CEO, Arne Sorenson, said Marriott deeply regretted the breach, but that it would “respond and vigorously defend its position”.

Just weeks later, Choice Hotels revealed it had contacted 700,000 customers to inform them of a data breach, which potentially exposed personal details of guests, including contact information. The breach was the result of a third party vendor’s actions the company said, adding it had ended its relationship with the supplier, but customers should be aware of the potential misuse of their data via phishing scams.

The travel industry has been the target of a number of high profile attacks in recent times. British Airways was the victim of a breach, which saw the personal details of half a million customers compromised thanks to what the ICO called “poor security arrangements” on the company’s website.

However, increasingly hotels are becoming the target for attackers because they’re seen as the easy way in, warns Matthew Wilmot UK leisure and hospitality lead for cybersecurity at PwC. The sector, he says, has not yet stepped up to the challenge: “Are hotels taking it seriously? In my opinion, they could do a lot more.”

According to Wilmot, the financial sector has been taking this matter seriously for more than a decade, retail for more than five years; but the hotel industry has been “behind the curve”. A significant contributor is the lack of funds available to the industry. Unlike banks, hotels are working to tighter budgets, with considerably less access to the finances and technologies needed to deliver secure IT environments than those in finance.

Hotels must “kick the tyres” of third party vendors

Not so fast: Standardisa-tion issues and low coverage

Complicating matters further is the considerable reliance on third parties, as seen in the Choice Hotels breach. It’s here, Wilmot believes, there is still much to do. Keeping in control of the data third parties have, how they use it and how they secure it is essential; part of doing that is going out and “kicking the tyres yourself” he explains.

Much of this begins with the contract, ensuring expectations are clearly defined from the outset. “Having a right to audit clause within the contract and then setting out the requirements in a data security agreement with a third party supplier is critical,” says Wilmot.

“ensuring you ask for the right documentation is essential.”

“But then you must also make sure you are continually testing the environment so you know exactly all the vulnerabilities that your organisation,” he adds. During his time in the financial sector Wilmot says third party vendors were regularly visited to conduct audits and ensure they are meeting all their requirements. If carrying out a physical audit is not possible, ensuring you ask for the right documentation is essential according to Wilmot. This is something, he believes, hoteliers should be doing.

“For a high risk vendor, you should probably do it every two years. For medium and low risk you might just do remote checks, perhaps through a questionnaire developed internally,” he advises. “If there's any abnormalities you could then have a quick chat, asking the vendor to show you their policies, standards and penetration testing results.”

Data security, indeed a holistic IT security approach, is something Wilmot suggests has to start from the top down. Company boards must take responsibility, filtering down their goals throughout an organisation and its employees, right out to suppliers.

Hotel suppliers must do more

It’s not just hoteliers that have to take responsibility, vendors too must do more. “I think, in all honesty, they [vendors] should be stepping up in supporting hotels,” says Wilmot. That requires suppliers to be open and transparent about what trends and threats they’re seeing, and the steps they’re taking to mitigate them. “You want to make sure these organisations tell you that up front, rather than simply saying ‘this is how good my technology is’.”

Regulators could also be doing more. One of the criticisms Wilmot has is the lack of information sharing, particularly around data breaches and security failures. Whilst the fine levelled at Marriott is large, he questions what benefit it might have for the wider industry given the lack of information surrounding the findings of the investigation.

Although the Marriott fine was large, the real value would come from transparency on behalf of the ICO, he believes. In particular, sharing the findings of the investigation, allowing others to understand the issues and take action to avoid becoming victim themselves. “It’s a tricky situation. You wouldn’t want to be playing one hotel chain against another, you wouldn’t want to be sharing critical internal information. But there must be some high level information the ICO could provide,” he says.

However, in the wake of the Marriott breach, some security experts raised concern at the prospect of sharing too much information. Speaking with industry research provider PhocusWire, threat intelligence expert Patrick Martin said: “Going public with this kind of information can inadvertently encourage threat actors to probe organisations with similar databases for vulnerabilities.”

“Going public with this kind of information can inadvertently encourage threat actors. ”

Conversely, Wilmot sees value in information sharing, something he says has been happening in the financial services sector for some time. Via a paid for subscription service, banks share threat data with the aim of establishing and maintaining something akin to herd immunity. “I think communication channels need to improve between the hotel chains… Having some Chatham House Rules style, with an independent person chairing sessions to support hotels, would be a wise move.”

The hotel industry is evolving, with technology right at the heart of that change. Today guests are treated to a plethora of tools and applications, including self-check-in and keyless room entry all done via their own device. However, as those advances continue, so too will the threat matrix evolve, likely proving to be a constant source of IT and data risk. Given the level and type of personal data hotels almost uniquely hold, and the often extensive regions and regulatory jurisdictions they operate in, being ahead of the curve is essential.

For now at least, however, It isn’t something Wilmot believes the industry fully has a grip of. “I think we are going to see a few more breaches from hotels before, potentially, they take a bit more seriously,” he says. “There will probably be more targeted attacks… I think that's going to mean that reputational damage for some of the chains.” The future, he says, is interesting. Get it right, however, and there’s much to gain from embracing the next generation hotel.

Building for the future: What can hoteliers do to prepare themselves?

According to tech experts, the leap between current 4G Long Term Evolution (LTE) technology – as found in most hotels – and 5G is seismic. The latter is said to be around 1,000 times faster than the former. For hoteliers, bridging such a technological chasm could require a period of acclimatisation. Practically speaking, is the hotel industry ready for 5G?

“While we’re slowly starting to see the emergence of sites where 5G is available, there still isn’t sufficient infrastructure in place yet to facilitate its full rollout,” says Gbedemah.

“There will come a point where access to 5G will become a necessity.”

“Hotels and other hospitality outlets will need to construct aerials and provide access for telecommunications networks to be installed within their properties. From a design point of view, newer establishments that can incorporate them in the initial construction phase are better off than those having to adapt their infrastructure later down the line.”

Consumers, says Gbedemah, have taken for granted the progression of telecommunications since the turn of the millennium. The marvel of wireless internet access at the hands of 3G -first introduced at the start of the last decade - now feels like another lifetime ago. At some point in the future, it will be 4G that is the distant, quaint memory.

“There will come a point where access to 5G will become a necessity and it’ll be used as a selling point for guests, just as Wi-Fi has,” he says. “This is particularly relevant for remote and high-end locations that can offer 5G as an additional feature that city-dwellers and business travellers have become used to.”

Home is a feeling 

The premium and luxury end of the hotel sector, where Schmidt operates, can act in the same way that Formula 1 influences the wider automotive industry, with ideas intended to satisfy the most demanding customers in the world gradually filtering down to more affordable market segments, from premium hotels to serviced apartments. When it comes to luxury residential trends for ultra-high net worth travellers, the aim is increasingly to blend the best virtues of residential and hotel ambience.

“We’re seeing now this blend of wanting all the mod cons of my private home – I want it to feel like a home and not like a cookie-cutter corporate chain, but I want that home to be open to people like me,” Schmidt says. “So it’s this new thing that is partly behaving like a domestic residence – the scale, the grandeur, the size of rooms, the non-corporate design, more random in a way, more lived-in. And yet they want the sociability, the buzz of the hotel experience to bring some animation into those quasi-domestic spaces.”

Accounting for the human factor and social dynamics in the hotel residential theme is certainly trickier than judging the right curtain material or the perfect sofa set for the lobby, but it can be all-important. ‘Home’ has always been more of a feeling than a structure, and more about people than things. In this way, the residential trend isn’t simply a box that hoteliers must tick – it’s a frustratingly intangible quality that all hotels should try to blend with other design and branding objectives, all in the service of boosting human connections.

“You want them to feel like they’re at home, but you also want them to feel like they’re getting the best service ever.”

“From three-star to five-star, what makes the hotel experience memorable for guests is their exchange with human beings, not technology,” Shaw argues. “You want them to feel like they’re at home, but you also want them to feel like they’re getting the best service ever.”

Striking the right balance between home comforts and the memorable experience that hotels can provide will always be tough, especially as the hospitality industry continues to drill down towards the core of what customers expect. Branding experts like Schmidt are paid to stare into the industry’s crystal ball in search of revelations, but there are no easy answers.

“I think the industry is struggling to find [a balance], and I’ll admit we are too,” Schmidt says. “We’re working on a project where we’re trying to find what this next thing is. I don’t have the answer yet; we’re literally working on it as we speak. We’re trying to find that space where there is exchange, there is dialogue, there is conversation going on between the hotel, the community and the guests, but at the same time the hotel becomes slightly more reclusive, can be less open.”

go to top

Cover image credit: Hilton Hotels and Resorts