The hospitality industry has undergone a digital transformation in recent years, embracing guest-facing technologies such as mobile check-in, smart locks and in-room controls.

While these advancements enhance the guest experience, they also introduce new vulnerabilities that cybercriminals can exploit.

Luke Vander Linden, vice-president for membership and marketing at the US Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC), discusses the evolving cyber threat landscape and how hotels can adapt their security strategies.

Beyond credit cards: the expanding attack surface

Traditionally, cyberattacks on hotels focused on stealing credit card information. However, Vander Linden highlights a shift:

“The landscape of cyberattacks has shifted dramatically with the rise of guest-facing technologies. Mobile check-in systems, smart locks and in-room controls all represent potential entry points for attackers.”

They can steal guest data, disrupt operations by hacking critical systems or launch ransomware extortion attacks. Increased reliance on internet-connected devices is creating a larger “attack surface” for criminals. 

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData
Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

“It’s no longer just about protecting credit card information at the point of sale, ” Vander Linden explains.

The high cost of a breach: reputation and revenue

“A successful cyberattack can inflict significant long-term damage on a hotel’s brand image and customer trust.

“The potential exposure of sensitive guest data can lead to an erosion of trust, which often translates into reputational harm through negative media coverage and online reviews, ultimately deterring potential guests and jeopardising customer loyalty.”

Rebuilding trust requires transparency, communication with affected guests and a demonstrably improved security posture.

Financial repercussions are another major concern. 

“The financial fallout from a cyberattack on a hotel is a complex web of immediate and long-term expenses,”  says Vander Linden. 

These costs include incident response, forensic investigations, system restoration, legal fees and potential lawsuits.

“There’s the initial scramble to contain the attack, which involves deploying incident response teams and forensic investigators to identify the breach’s scope and eradicate the threat.

“Rebuilding compromised systems and restoring functionality can be another significant cost factor. Legal fees also come into play, as hotels may face regulatory investigations and potential lawsuits from affected guests seeking compensation for damages.”

However, the most significant cost might be reputational damage “which can translate into a decline in bookings, a loss of customer loyalty and ultimately, a drop in revenue.”

Investing in cybersecurity is therefore an investment in the hotel’s long-term financial health.

Security and innovation: can they co-exist?

According to Vander Linden the hospitality industry “thrives on innovation,” but security shouldn’t be sacrificed for convenience. 

He offers a solution: “Hotels can implement robust cybersecurity measures while still adopting new technologies by focusing on a multi-pronged approach with a particular emphasis on third-party risk management.”

“Since hotels often rely on third-party vendors for IoT [internet of things] devices and other new technologies, the security posture of these vendors becomes an extension of the hotel’s own risk profile.”

Teaming up with vendors who prioritise robust cybersecurity and robust contracts with clear security expectations ensures timely communication in case of an incident.

Essential cybersecurity best practices

Several key best practices can help hotels safeguard guest data and critical systems, as Vander Linden emphasises:

Regular security assessments: Identify and address vulnerabilities in systems and networks.

Patch management: Ensure all software and systems are promptly updated with the latest security patches.

Employee training: Empower staff to recognise and report suspicious activity, such as phishing scams.

Multi-factor authentication (MFA): Add an extra layer of security for accessing sensitive data.

Data encryption: Encrypt sensitive guest information data both at rest and in transit.

Collective defence: The power of information sharing.

The fragmented nature of cyber threats makes it difficult for hotels to get a full picture of the risks they face. This is where the RH-ISAC plays a vital role. 

“By fostering information sharing and collaboration among member organisations, it creates a powerful collective defence against cybercrime. Through secure channels, hotels can share real-time threat intelligence on emerging attacks, vulnerabilities and best practices,” explains Vander Linden.

“This shared knowledge empowers individual hotels to proactively address threats and implement effective mitigation strategies.”

The RH-ISAC also facilitates collaboration through workshops and conferences, allowing security professionals to share experiences and develop solutions.

By prioritising cybersecurity and embracing collaboration, hotels can navigate the evolving threat landscape and ensure a secure environment for guests in the digital age.