On April 10, Symantec released a study showing two-thirds of hotel websites leak guests’ booking details to third-party sites. Marriott International, which experienced a massive data breach in November 2018, was not included in that study. On February 14, the City of Chicago filed a lawsuit against Marriott International for that breach that exposed the data of up to 500 million guests in the U.S. and Canada. The suit claims the hotel chain knew about the breach and did not take action. The City of Chicago is seeking restitution for guests, court fees and a fine of at least $2,000 per offense.
Given the $500 billion hospitality industry’s dependence on technology, such leaks and breaches are troubling. The industry’s future growth depends heavily on its ability to implement new technology—like smart-tech-equipped rooms and artificial intelligence (AI)—to improve guests’ overall experience. A 2017 Oracle report on the hospitality industry showed 72 percent of hotel operators expect the use of AI to recommend dining and local attractions to guests, would be mainstream by 2025.
Yet, the Marriott leak and subsequent lawsuit serve as a sobering reminder that doing business in the digital realm carries significant risks for hospitality companies and their guests. According to Karl Olson, Vice President, Professional and Management Liability Practice Leader, Burns & Wilcox Brokerage, San Francisco, California, “Hospitality is in the top three for industries at risk for cyber liability.”
Tremendous activity and public access mean greater exposure
Part of the challenge, Olson explained, is that most hotels include a restaurant. Recently there has been a surge in the number of new, in-hotel restaurant openings in the U.S. and abroad, and restaurants offer point-of-sale purchases with credit cards. “No matter what credit-card-processing procedures are in place or which credit card-processing companies are utilized, there is always exposure,” Olson said.
Recently, restaurants are among the most common targets for hackers; many large food-service chains like Chili’s and Wendy’s are repeatedly attacked. Risks to businesses include compromised devices and networks, both of which hackers scrub for data. Given the high volume of transactions that occur, Olson said, hackers stand to gain access to a tremendous amount of data.
Adding to their overall exposure, hotels, motels and resorts typically have open Wi-Fi networks for guest use. According to the 2017 Norton Wi-Fi Risk Report, 71 percent of consumers globally say a strong Wi-Fi signal is “a deciding factor” in their choice of lodging. However, where there are public networks, risks abound.
Hospitality is in the top three for industries at risk for cyber liability.
“Some hotels are pretty much running a Wi-Fi router like you would at home,” said Chad Beadles, Associate Director, Loss Control, CPCU, AINS, AIS, Afirm, Fort Collins, Colorado. These open networks allow hackers to gain access to guests’ devices and leave hotels’ systems vulnerable to hacking.
“Sometimes hackers will check in as an actual guest and then hack in with an approved access,” Beadles said. This may have been the method employed by a woman with multiple cell phones and a USB stick loaded with malware who gained access to a reception area at President Trump’s Mar-a-Lago resort at the end of March. Had she not been apprehended she could have put U.S. national security at risk, potentially hacking the resort’s Wi-Fi network and gaining access to its systems, records and guests’ devices.
Another vulnerability comes from how hotels process credit card information, Olson said. “Hotels use and process your data differently than most other industries. They have memberships and reward profiles, so they have your name and address, and typically a credit card associated with that. They also hold onto the data longer vis-à-vis keeping your credit card information “on file for incidentals” during your hotel stay.” Longer-term access to information increases its vulnerability to hacking, he explained.
Beadles noted that guest room key cards can be vulnerable to hackers. Some will hack the cards to open guest rooms, as demonstrated at a security conference last year, when two Finnish experts demonstrated how they created a master key to unlock every room in a hotel using a discarded, expired key card and a $300 RFID card reader and writer. Beadles said that some key cards also store a guest’s information, including credit card information and membership profiles, making the card a prime target for hackers.
Hotel, motel and resort systems and employees are also vulnerable to hackers. “A hacker will emulate someone else’s email account and send fraudulent instructions to the finance department,” Olson said. “Or they create a false invoice that looks legitimate and comes from an actual employee but is fraudulent.” Olson noted that this type of cyber exposure is a risk for almost any type of business.
Data breaches and losses can severely damage a company’s reputation, an especially grim outcome for a company in an industry that relies on potential guests’ perception of its security for future bookings.
What hotels and resorts can do to mitigate data-related damages
Cyber and Privacy Liability Insurance coverage exists to help businesses manage the effects of cybercrime, Olson explained. Coverage is available to help pay such expenses as reconstituting or re-creating compromised data; forensic investigation; professional guidance to close security gaps; legal counsel; public relations and reputational damage. “An insurance carrier will have a host of resources available to investigate and audit what occurred,” Olson said. “And potentially to help repair (a vulnerable system) and to help pay for the expense of rebuilding.”
If a network is experiencing system failure or is under attack, Olson said, the hotel or resort may have to shut it down to fix it or prevent further damage. For these cases, Cyber and Privacy Insurance often includes Business Interruption coverage to help businesses pay for the cost of fixing the problem and pay operating expenses during a closure. Not all Cyber and Privacy Insurance policies include Business Interruption coverage, Olson said, so business owners should consult expert insurance brokers to inquire about including it in their policy.
Owners should also consider other risk mitigation strategies, according to Beadles. He noted that while insurance can help mitigate the impacts from a data loss, risk management can help prevent a loss from occurring in the first place. “It is a lot cheaper to pay a risk management professional by the hour than it is to pay an attorney by the hour after something has happened,” Beadles said.
Some Cyber and Privacy Insurance policies include an option for risk management services, which can involve training to reduce the likelihood that employees will inadvertently reply to a phishing email or other hacking attempt. Owners can also work with risk management consultants to set firewalls and other controls. Insurance agents are the best source for help locating a qualified risk assessor, Beadles said. “And if your retail broker works through a wholesale specialty broker, (that broker likely has) access to fee-for-service type opportunities.”
Many Cyber and Privacy Insurance policies will include background risk scans, along with security consultations, Olson said. “These scans can help identify any leaks or unpatched software, data entry or exit points,” Olson added.
The types of Cyber and Privacy Insurance coverage that carriers offer hospitality clients can vary widely. Before investing in coverage, be sure to talk with your insurance broker or agent to inform and guide your decision-making process.
“Make sure that you are working with brokers who understand the risk and have the expertise and experience to put competitive programs in place,” Olson said.