Hotel Cybersecurity: What can happen when hackers strike?

Hotels take responsibility for the security and safety of their guests every day. Data breaches are not the only risk. It is all too important that hoteliers focus on a refined overall Cyber Security Plan encompassing the interconnection of systems: data, door locks, electrical, plumbing, heating and air conditioning, and other key structural and physical parts of the hotel, in order to ensure safety throughout their facilities. Bob Braun, JMBM Global Hospitality Group, shares insight into the growing problem of Cyber Security and what you can do to help reduce risk.



Last year, at the Global Hospitality Group’s Meet the Money™ Conference, I participated in a panel on Cybersecurity and we discussed how cybersecurity issues affect the hotel industry.  One of the comments was that hotels, more than most private industries, have to take into account the kind of physical harm that might be done by a hacker. We noted that not only are guest information systems targets, but also the life and safety systems – HVAC, elevators, electricity and so on.  We concluded that while financial theft could impact a hotel and its reputation, a hack of the physical structure of a business could put the hotel out of business.

Locked Out

Our discussion turned out to be prescient when, this week, Romantik Seehotel Jaegerwirt, in the Austrian Alps, had their systems frozen by hackers, which resulted in the complete shutdown of hotel computers.

The 111-year-old hotel had already been targeted by hackers twice.  This time, however, the hackers breached the key card system, made it impossible for guests to enter their rooms and prevented the front desk from reprogramming cards.

The hackers demanded €1500 in Bitcoin, promising that control of the key card system and room locks would be returned.  Management of the hotel, fully occupied at the beginning of the winter season, chose to pay the ransom, rather than attempt a solution that could have taken significant time and harmed their 180 guests.

The story could have been worse; once a hacker breaches a system, the system remains open until the vulnerability is eliminated.  In this case, the hotel took the precaution of seeking and remediating a backdoor the hackers left (which they tried to exploit, almost immediately) and was able to secure their systems.

The Threat to Hotels

We have pointed out before that hotels are particular targets of hackers.  During 2015 and 2016, every major hotel company was breached.  In each case, however, hackers attacked hotel point of sale systems for the straightforward goal of obtaining personal information.  This, however, may be the first case where hackers threatened the safety of guests, something much more important. After all, guest safety is paramount, and threats to safety can overcome every other achievement.

Moreover, hotels are complex businesses with overlapping and interconnected systems.  Thus, finding a way into one system can allow a bad actor to access other parts of the hotel, giving them the opportunity to demand payment for protection.  Hotel owners and operators should be aware that ransomware is increasingly popular because it provides an almost immediate return on a hacker’s “investment.” Rather than selling personal information, which rapidly loses value, the use of ransomware gains the hacker an immediate return.  Moreover, as with the Romantik Seehotel Jaegerwirt, hackers will now know the hotel’s vulnerability, or leave a backdoor, allowing them to shake down the same institution multiple times.

What Can Hotels Do

Hotels need to take the same steps that other businesses take to achieve data security:

  • Analyze risk. Each business is different, and each business needs to identify the risks it is willing to take, and how it can neutralize the other risks.  For a hotel, this can include decoupling systems – preventing, for example, the key card system from being accessed through the hotel’s website – or preparing for workarounds.  In the case of the Romantik Seehotel Jaegerwirt, the decision has been made to include physical keys, allowing a manual override of the system.
  • Train Personnel. Virtually every breach is the result of a human act, whether an error or malicious act.  Training personnel to identify risks and avoid them is one of the most effective steps to reduce cyber risk.
  • Plan for the breach. No matter what technical or personnel prevention is taken, every system capable of authorized access is vulnerable to unauthorized access.  When that happens, it is too late to design the response playbook.  Hotels, like other businesses, have to design, implement and test response plans, and update them regularly.
