“Personal data has a real value, so organisations have a legal duty to ensure its security, just like they would do with any other asset,” said the UK’s Information Commissioner Elizabeth Denham.
“If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
She was speaking on the announcement that the Information Commissioner’s Office (ICO) intended to fine Marriott International more than £99m for a security breach, which resulted in the personal data of more than 339 million guests being accessed. The hack, which first came to light in November 2018, included the theft of passport details and credit card information of guests worldwide. Labelling the attack ‘criminal’, the company’s president and CEO, Arne Sorenson, said Marriott deeply regretted the breach, but that it would ‘respond and vigorously defend its position’.
Just weeks later, Choice Hotels revealed it had contacted 700,000 customers to inform them of a data breach, which potentially exposed personal details of guests, including contact information. The breach was the result of a third-party vendor’s actions, the company said, adding that it had ended its relationship with the supplier but that customers should be aware of the potential misuse of their data via phishing scams.
The travel industry has been the target of a number of high-profile attacks in recent times. British Airways was the victim of a breach in which the personal details of half a million customers were compromised thanks to what the ICO called ‘poor security arrangements’ on the company’s website.
However, hotels are increasingly becoming the target for attackers because they’re seen as the easy way in, warns Matthew Wilmot, UK leisure and hospitality lead for cybersecurity at PwC. The sector, he says, has not yet stepped up to the challenge: “Are hotels taking it seriously? In my opinion, they could do a lot more.”
According to Wilmot, the financial sector has been taking this matter seriously for more than a decade, and retail for more than five years, but the hotel industry has been ‘behind the curve’. A significant contributor is the lack of funds available to the industry. Unlike banks, hotels are working to tighter budgets, with considerably less access to the finances and technologies needed to deliver secure IT environments.
Hotels must ‘kick the tyres’ of third-party vendors
Complicating matters further is the considerable reliance on third parties, as seen in the Choice Hotels breach. It’s here, Wilmot believes, that there is still much to do. Keeping control of the data third parties have, how they use it and how they secure it is essential; part of doing that is going out and ‘kicking the tyres yourself’, he explains.
Much of this begins with the contract, ensuring expectations are clearly defined from the outset. “Having a right to audit clause within the contract and then setting out the requirements in a data security agreement with a third-party supplier is critical,” says Wilmot.
“But then you must also make sure you are continually testing the environment so you know exactly all the vulnerabilities that your organisation,” he adds. During his time in the financial sector, Wilmot says, third-party vendors were regularly visited to conduct audits and ensure they were meeting all their requirements. If carrying out a physical audit is not possible, ensuring you ask for the right documentation is essential, according to Wilmot. This is something, he believes, hoteliers should be doing.
“For a high-risk vendor, you should probably do it every two years. For medium and low risk you might just do remote checks, perhaps through a questionnaire developed internally,” he advises.
“If there’s any abnormalities you could then have a quick chat, asking the vendor to show you their policies, standards and penetration testing results.”
Data security, indeed a holistic IT security approach, is something Wilmot suggests has to start from the top down. Company boards must take responsibility, filtering down their goals throughout an organisation and its employees, right out to suppliers.
Hotel suppliers must do more for data security
It’s not just hoteliers that have to take responsibility; vendors, too, must do more. “I think, in all honesty, they [vendors] should be stepping up in supporting hotels,” says Wilmot. That requires suppliers to be open and transparent about the trends and threats they’re seeing, and the steps they’re taking to mitigate them.
“You want to make sure these organisations tell you that upfront, rather than simply saying ‘this is how good my technology is’.”
Regulators could also be doing more. One of the criticisms Wilmot has is the lack of information sharing, particularly around data breaches and security failures. While the fine levelled at Marriott is large, he questions what benefit it might have for the wider industry given the lack of information surrounding the findings of the investigation.
Although the Marriott fine was large, the real value would come from transparency on the part of the ICO, he believes. In particular, sharing the findings of the investigation would allow others to understand the issues and take action to avoid becoming victims themselves.
“It’s a tricky situation. You wouldn’t want to be playing one hotel chain against another. You wouldn’t want to be sharing critical internal information but there must be some high-level information the ICO could provide,” he says.
However, in the wake of the Marriott breach, some security experts raised concern at the prospect of sharing too much information. Speaking with industry research provider PhocusWire, threat intelligence expert Patrick Martin said: “Going public with this kind of information can inadvertently encourage threat actors to probe organisations with similar databases for vulnerabilities.”
Conversely, Wilmot sees value in information sharing, something he says has been happening in the financial services sector for some time. Via a paid-for subscription service, banks share threat data with the aim of establishing and maintaining something akin to herd immunity.
“I think communication channels need to improve between the hotel chains… Having some Chatham House Rules style, with an independent person chairing sessions to support hotels, would be a wise move.”
The hotel industry is evolving, with technology right at the heart of that change. Today guests are treated to a plethora of tools and applications, including self-check-in and keyless room entry all done via their own device. However, as those advances continue, so too will the threat matrix evolve, likely proving to be a constant source of IT and data risk. Given the level and type of personal data hotels almost uniquely hold, and the often extensive regions and regulatory jurisdictions they operate in, being ahead of the curve is essential.
However, for now at least, it isn’t something Wilmot believes the industry fully has a grip on. “I think we are going to see a few more breaches from hotels before, potentially, they take a bit more seriously,” he says.
“There will probably be more targeted attacks… I think that’s going to mean that reputational damage for some of the chains.”
The future, he says, is interesting. Get it right, however, and there’s much to gain from embracing the next-generation hotel.