Cybersecurity in the spotlight


Recent high-profile attacks illustrate the risks facing hoteliers

In the hospitality industry, where time is of the essence, top employees work with a sense of urgency, and that makes them attractive targets for cybercriminals, who are counting on hotel employees to spring into action whenever a problem arises.

Take the recent phishing spree from hackers pretending to be with, for example. During the winter, hackers targeted a number of hotels with fake emails saying former guests were leaving damaging reviews online, according to the cybersecurity firm Perception Point. The emails urged hotel employees to reply to the complaints and resolve the issues.

The link to reply provided in the email takes the hotel worker to a fake website that looks just like Unlike the real site, however, this website doesn’t allow users to log in with linked services such as Facebook or Google. Instead, they have to input their username and password.

In one variation of the attack, an email says has changed a policy, and hoteliers must log into its Extranet periodically or risk having their accounts deactivated. In another version, hotels receive fake emails from guests asking about their upcoming reservations. When they click on the link to reply to the guest, they’re asked to log into the fake website.

In every case, the goal is to obtain the hotel’s login credentials to, giving hackers access to guests’ full names, emails, phone numbers, credit-card details, and the dates of their stays. Hackers then launch mass phishing campaigns against hotel guests, crafting individualized messages using customers’ real information.

Victims may be instructed to provide their credit-card details within 24 hours to verify their reservations or risk having them canceled. The link provided takes users to a carefully crafted phishing page replicating Much of the victim’s personal information has been prefilled into the fields, making it look more legitimate. All that’s missing is the guest’s credit-card information.

These large-scale phishing campaigns are especially alarming for hoteliers because they’re being delivered through the platform, not a suspicious-looking email account. That adds another layer of authenticity to the scam, making it even more convincing to the average consumer, according to Peleg Cabra, product marketing manager for Boston-based Perception Point.

Hackers succeed by exploiting the desire of hospitality companies to keep their guests happy, “leveraging advanced social-engineering tactics to achieve their malicious goals,” Cabra said.

“Responding to a guest complaint, maintaining their property-management portal, and addressing a future guest’s concerns are all high-stakes scenarios that require urgent consideration from hotel employees,” he said. “It’s perhaps hotels’ hospitality that makes them such hospitable targets for attackers.”

In addition to fake emails, hoteliers face the threat of “vishing,” or voice phishing, in which cybercriminals try to get hotel employees or vendors to give up sensitive data such as login credentials over the telephone.

Last fall, the hacking group Scattered Spider used vishing techniques to breach the computer systems of Caesars and MGM Entertainment, disrupting hotel and casino operations at properties across the country. Once granted internal access, the hackers harvested the personal information of the companies’ loyalty-club members, including their Social Security numbers and driver’s-license information.

Caesars told investors it was the victim of a social-engineering attack on an outsourced IT vendor and paid tens of millions of dollars to regain access to its computer systems. MGM refused to pay ransom and went more than 10 days without functioning computer systems – everything from slot machines to reservation systems – losing about $100 million in revenue, the company told investors.

MGM said its cybersecurity insurance policy would cover its operational losses, providing a lesson to hoteliers about the importance of obtaining cyber coverage. Still, for MGM and Caesars, the breaches will have lingering effects in the form of brand damage and class-action lawsuits from former guests seeking compensation for the theft of their personal data.

In both cases, workers voluntarily gave up login credentials to cybercriminals posing as IT experts, underscoring the importance of providing ongoing cybersecurity training. Employees should be reminded that cybercriminals often succeed by creating a sense of urgency that spurs workers to abandon normal procedures and cast their doubts aside.

Had the workers stopped to check with a supervisor or asked to call back the fake IT experts on their office phones, they likely could have staved off the attacks.

Likewise, emails urging immediate action should be viewed suspiciously, according to Anton Safonov, co-founder of Aquarius Hospitality Solutions. If an email is requesting sensitive information, pick up the phone and call the sender.

Besides their own employees, hoteliers should make sure any vendors with access to their data are following similar best practices and have cybersecurity training programs in place.

“Always be skeptical,” Safonov said. “Be cautious with emails, especially those requesting urgent action or containing unexpected attachments or links. Staying vigilant, informed, and proactive in cybersecurity measures is essential for protecting sensitive data and maintaining trust in the digital age.”

A resurgent hotel industry is a prime target for cybercriminals due to the high volume of transactions and the sensitive nature of the data involved, Safonov said.

“The magnitude of this problem is significant,” he said. “A breach in cybersecurity can lead to substantial financial losses, both in terms of immediate financial impact and long-term reputational damage. This is especially critical in an industry where trust and reputation play a pivotal role in customer choice and loyalty.”

The risk is amplified by the integration of digital technologies into hotel operations, from online bookings to smart room services. While these technologies enhance the guest experience, they also increase the potential “attack surface” for cyber threats, Safonov said. With rapid advancements in artificial intelligence, cyber threats will grow even more sophisticated, personalized, and ubiquitous.

To safeguard their data, hotel companies should establish a robust cybersecurity strategy that includes regular security audits, employee training, investment in up-to-date security technologies, and adherence to international data-protection regulations, he said.

Weak passwords, poor authentication practices, and unpatched or outdated software make businesses more vulnerable to security breaches, Safonov said. Employees should be trained to change their passwords often and never reuse them, especially since reputable online password managers are readily available. Two-factor authentication provides an additional layer of security by requiring a fingerprint or a code sent by text message to gain access to systems.

Hoteliers should invest in firewalls, antivirus programs, data encryption, and intrusion-detection systems to help prevent and detect attacks. Software programs should be updated regularly, and data should be backed up frequently so if hotels fall victim to a cyberattack, they can recover their data without paying ransom to cybercriminals, Safonov said.

To identify vulnerabilities, hoteliers should have their IT department or a vendor perform regular cybersecurity audits, taking a comprehensive look at all computer-based systems and their associated levels of risk, he added.

Addressing vulnerabilities is especially vital due to the emergence of ransomware as a service, which has made it easier for criminals without technical expertise to launch ransomware attacks, broadening the pool of potential attackers, Safonov said.

Additionally, the ransom demands of cybercriminals are increasing, “reflecting both the growing sophistication of attacks and the critical nature of the data being held hostage,” he said. Hackers will comb through a business’s documents looking for embarrassing information to leak to the public or proprietary information to give to its competitors. In many cases, businesses feel they have no choice but to pay up.

“The first step is to understand the current security posture,” Safonov said. “Begin with the most critical areas identified in the security audit, and gradually extend the security measures across all operations. Regularly monitor the security measures in place and review them for effectiveness and compliance with emerging threats and regulations.”

All hoteliers should have an incident-response plan outlining the roles for various individuals in the event of a cyberattack, Safonov said. The plan should include steps to contain and mitigate the breach, assess the damage, notify affected parties, and restore operations.

One best practice businesses often overlook is to limit data access to only those employees who truly need it, according to Dr. Chris Spencer, group chief information security officer for GlobalReach Technology, which specializes in wireless internet service-provider software and services.

Not every department in a hotel, nor every worker within a department, needs access to the same sensitive data about the hotel, its workers, and its guests. Workers should have access only to the data they need to perform their jobs, and when they shift roles within the hotel or leave the company, access to that data should be adjusted or eliminated, Spencer said.

Data about customers and workers should be deleted periodically, Spencer said. If a guest hasn’t stayed at the hotel in five years, how valuable is that data anyway? The same goes for workers who left the company years ago.

An important rule of thumb is hackers can’t steal data if the hotel never has it. Spencer said many hotels ask for too much data from customers, particularly on their captive portals, or Wi-Fi landing pages, which allow guests to use the hotel’s Wi-Fi service. Rather than asking for just a valid email address, some hotels are asking for a full name, address, phone number, date of birth and even gender just to get online, Spencer said.

“They want all that data because they view it as a marketing tool, but you should ask yourself whether you really need all that data and whether it’s really useful,” he said.



