338 | Cybercrime Spree: Hotel industry more vulnerable than ever to hackers

Read More

SECURITY THREATS: The hospitality industry’s rapid adoption of technology has put hotels in the crosshairs of cyber attackers. However, most bad actors still depend on tried-and-true hacking methods, the biggest of which is business-email compromise. IT security experts say businesses need to assess who can access email accounts, train employees on how to handle messages that contain attachments and, most importantly, install safeguards to software systems.

Busy hoteliers ignore easy fixes that thwart hard threats to business, experts say

Verizon’s 2021 Data Breach Investigations Report reveals the lodging and restaurant industry experienced fewer cyber breaches in 2020 than the year before.

That’s probably because many hotels and restaurants were closed or doing less business amid the coronavirus crisis.

But cybercriminals have not eased up on their schemes.

A recent FBI report on cybercrime said in 2020 it received 800,000 complaints of internet fraud and theft from businesses and private citizens.

That’s an increase of 70 percent over the number of reported incidents the FBI received in 2019.

The bureau said cybercriminals took advantage of vulnerabilities in technology made evident during the coronavirus crisis.

  • Millions of employees worked remotely and connected to companies’ networks through unsecured conduits.
  • Many business owners and individuals filed online for government relief programs.
  • Businesses managers went online to find and pay for personal protection items and other goods that were in short supply.

And who hasn’t participated in a Zoom call over the past 18 months?

In a recent report, Check Point Software Technologies said it’s estimated that in 2020 digital transformation at businesses worldwide accelerated and advanced by seven years.

The advancement increased our dependence on technology.

It also ignited a cybercrime spree.

MEASURES OF CYBERCRIME: The FBI has a division dedicated to receiving cybercrime complaints from businesses and private citizens. The bureau said its Internet Crime Complaint Center or IC3 is an important part of its effort to combat cyberattacks. In its 2021 IC3 report, the FBI said cybercrime has dramatically risen year over year. This chart shows the types of cybercrime and measures the number of reports to IC3.

As the industry adopts new technology to help it recover from the coronavirus crisis and economic downturn, the threats are greater. The good news is for as many nefarious ways cybercriminals can strike, there are corresponding solutions.

Most IT-security experts will tell you that while high-profile attacks such as multi-million-dollar ransomware payouts are serious events, most businesses such as hotels continue to face threats from good old-fashioned cybercriminal tactics such as email phishing scams and hacks into payment systems and private-data storage.

Biggest Threats

Jen Stone, principal security analyst with Security Metrics, a data-privacy and security company that has hotels and restaurants as clients, said cyber criminals ply their trade in various ways. The largest number of events reported to the FBI last year were business email compromise, phishing and ransomware.

But, when it comes to stealing from companies, email is the method that produces the largest bounty.

“Business email compromise, continued to be the costliest form of attack as it has been in the past,” Stone said. “But I guess if you think about it, it makes sense because businesses are where the money is.

“Business email compromise can mean a few things. The most common is phishing, where someone in business receives an email, either from somebody they believe is also in the same company, because someone has spoofed where it gets sent from, such as one of their vendors.”

Stone said an “oldie but goodie” scam that happens on paper is a business receiving an invoice in the mail. “‘Here’s your invoice. Thank you so much for working with us.’ It sets up the assumption that you’ve already done business with them and you need to pay them.

“There are a lot of ways that an assumption can be received through your email,” she said. “By acting on it or by clicking on a link or calling a number in the email, you can take the next steps such as downloading malicious software or calling someone and giving them business information or credit card information or some type of financials that is going to compromise your organization.”

GROWING ATTACHMENTS: Mimecast reported in 2020 a dramatic growth of cyberattacks via email accounts. Forms of scams are social engineering and phishing, tactics cybercriminals use to get receivers to open attachments or respond to a message as a way to infiltrate systems.

The COVID-19 pandemic has practically spoon-fed victims to cyber criminals.

According to Mimecast, companies significantly increased their use of email last year.

And email compromises occur most often at the hands of employees.

Since the start of the pandemic in spring 2020, employees are clicking on three times as many malicious emails has they had before.

Mimecast’s threat center in 2020 charted a 64 percent increase in email threats over the year before.

Many companies have vulnerable email systems. And some have no email security programs in place at all.

“A lot of times these compromises, the BECs or business-email compromises attack smaller organizations, and they’re successful,” Stone said. “Not because people are not trained, not because people are not conscientious. But because people are overworked and trying to do a good job. So, quickly going through things, ‘Oh, I’ve got this. I want to act on it quickly. I want to show that I’m on top of this.’ Or my general pattern is to be helpful. Especially in the hospitality industry, it’s that helpfulness that sometimes gets in our own way.”

CYBERCRIME SPREE: Although hotels were closed or did less business during the height of the COVID-19 outbreak in 2020, cyber criminals did not take a break. The very nature of hospitality can make a hotel vulnerable to cyberattacks. As the industry adopts new technology to help it recover from the coronavirus crisis, the threats are greater and the number of attacks are growing. Episode 338 of Lodging Leaders podcast focuses on the pervasive cyber threats the hotel industry faces as it deploys technology to modernize its business processes and improve guest experiences.

Risky Trends

Gene August is founder and CEO of Sorbis Inc., a managed service provider dedicated to hotels.

He’s been involved in information technology his whole career. In 1995, he landed his first IT job in a hotel. It was the property’s first technology-related position. “They didn’t even know where to put the department,” August said. “Computers were only beginning to hit mainstream then. I ended up in the accounting department.”

In 1997, August joined Starwood Hotels & Resorts as director of information technology.

He left the company in 2000 to start Sorbis after he realized IT services operated more in a break-fix mode, meaning specialists charged a fee per service. Most of those services were to correct a problem, install a new program or upgrade a system. August saw the need for a comprehensive ongoing managed-IT provider to serve the industry.

He’s stayed busy serving clients throughout the pandemic and he’s noticed a few trends that may put hotel businesses in the crosshairs of cybercriminals.

  • The first is the rapid adoption of contactless technology in hotels over the past 18 months.
  • The second is short-staffing at hotels, which leaves employees taking on extra and unfamiliar roles.
  • The third is hotel managers with little time to train new and existing staff members to securely operate software programs and troubleshoot problems.

Choosing Tech

Most of Sorbis’s clients are independent boutique hotels in New York City, where the hospitality industry was hit hard by the COVID-19 outbreak.

August has seen his clients grapple with what is the best guest-facing technology to install in the pandemic era.

“After being hit by the pandemic hotels are required to attain guest safety and maintain profitability, with lower occupancy as well,” he said.

Early in the pandemic, August remembers his clients considering the use of cameras that read body temperatures. But that idea was too costly.

“The hotel community was just looking at what made the most sense and what guests were looking for,” he said. “We’re doing a few hotels now that are opening and kiosks are big. But we’re seeing shortcomings with that as well.”

As with mobile apps and contactless check-in, many hospitality leaders compare the technology with what airlines offer. But August said the business models are not the same. Therefore, an airline solution may not serve a hotel well.

Kiosks are not entirely contactless and hotels are still trying to figure out how to securely check-in different customers staying for different lengths of time.

Other popular products are digital concierges that communicate via texts over guests’ phones.

All of these products are offered by a wide variety of vendors.

The solutions are coming at hoteliers so fast, they risk creating vulnerabilities when adding to the hotel’s tech stack.

“Security needs to continue to play a big role in this,” August said. “Some hotels are assured by the vendors and everything’s OK but they have to maintain these systems down the road. There are things to think about.”

Sorbis has helped new hotels open with generous operating budgets. “They’re all in on the tech, but two years later they have to renew the maintenance contracts and keep systems updated. Then it becomes a concern.”

Lack of consistent maintenance and updating of software programs opens the way for hackers.

Verizon’s latest Data Breach Investigation report reveals direct installation of malware is the most common crime perpetrated on hotels and restaurants. And it’s usually a third party – such as a contracted IT manager – that discovers the breach.

Besides external access and social engineering of email accounts, ransomware is among the top threats to businesses.

PAY UP OR ELSE: Ransomware is a threat to all types and sizes of businesses. Mimecast reported in 2020 the growth of ransomware attacks that extorted money from companies. IT security experts say cybercriminals usually access a company’s systems via the simplest way possible – through virtual private networks that were left unattended and therefore were unsecure.

‘Not Anything Crazy’

Cybercrime classifications might sound sophisticated but in most cases hackers gain access because simple human error opened the door.

That goes for businesses of all sizes.

Take as an example the recent ransomware attack on Colonial Pipeline. The company is based in Georgia and it supplies nearly 50 percent of the East Coast’s fuel.

Cyber attackers in April got into the company’s systems through a virtual private network or VPN, which allows employees to remotely access the company’s computer network.

The compromised password had been assigned to an employee who no longer worked at the company.

“The key is it wasn’t anything crazy,” August said. “They didn’t have lasers or anything along those lines to get in here and compromise anything.

“Hotels and restaurants are as susceptible as any organization. They use the same technologies, the same email platforms.

“One of our core values is security first. You have to have that mindset. nobody is exempt from the ransomware attacks.”

August got a call last month from a small business that was a victim of a ransomware attack.

The company has about 20 computers and its operations were rendered helpless unless the company paid a ransom.

Colonial Pipeline paid $4.4 million in ransom.

Because it’s a such a high-profile company, the attack made the news. But in most cases, small companies like the one that contacted Sorbis keep their ransomware attacks and the payouts a secret.

‘Tough Spot’

Stone with Security Metrics said the hospitality industry is a prime target for ransomware attacks because its uses technology to create a business culture of connectedness. “You can’t check someone in if you don’t have the computer system up. If you have to start turning people away or can’t charge them because of ransomware, it’s a really tough spot. And that means that there’s going to be a lot of pressure to go ahead and pay that ransom.”

In many cases the ransom is relatively small. That encourages victims to “just pay it and get back to work rather than try to fight it or try to restore from another point,” Stone said.

“A key understanding of that is they’re not just taking and locking up your data, they’re locking up your entire systems. So you can’t get your computer to work. The workstation actually won’t connect to any systems you can’t get to the internet. You just can’t work.”

Stone agrees that no business is too small to risk a ransomware event. That’s because cyber criminals use different methods to hunt for victims.

“Ransomware can be deployed in a couple of ways. One is the targeted way that we generally think of, but another is kind of that spray-and-pray approach,” Stone said. “Ransomware will be loose in the wild, so to speak, and it might get a computer that is unprotected.”

Cyber attackers also have various ways to collect ransom payments in exchange for a code that will unlock a business’s system. Some even have a customer-service operation that accepts ransom payments over the phone.

“The risk there is: Are they going to actually get the help they need? Are they actually going to get the decryption keys? Are they going to be able to access it again? Sometimes  yes. Sometimes no.”

Typically, if a victim does not agree to pay the ransom, the bad actors up the ante. While continuing to block access to data and computer systems, they threaten to publish the company’s information on the dark web and in public online forums.

That’s what happened to LG and Xerox in August 2020 when authors of the Maze ransomware published the companies’ data after they refused to pay up.

Easy Block

Cyber attackers search for the easiest ways into a business’s computer network. That means many attacks are easily preventable.

“Ransomware is highly preventable by doing some of the regular cybersecurity or cyber hygiene activities that we all are kind of familiar with,” Stone said.

“All of us have heard of patching, where you apply security updates to your operating systems, to applications, to any kind of device that is in your environment. Making sure those patches get applied is critical because the patches are there in to keep vulnerabilities from being exploited and ransomware is notorious for exploiting vulnerabilities in unpatched systems.

“Another way is to make sure email is protected. Let’s say you get a suspicious email and the person who receives it is not necessarily very savvy about whether that is a piece of ransomware or not. So they go and open the attachment in the email. You could have training that says do not open attachments in emails, but we all make mistakes.

“If you have software in place on your systems that prevents any type of unknown software from what we call ‘executing on the system’ that is an additional layer of protection to help you close that gap between a lack of knowledge or maybe lack of time and getting malicious software.”

GLOBAL DIMENSIONS: In its Global Digital Trust Insights 2021 PricewaterhouseCoopers noted business’s rapid adoption of technology as a result of the coronavirus pandemic. In July and August 2020, PwC Research surveyed more than 3,200 business, technology and security executives around the world to gauge how cybersecurity has changed. This graphic shows how company leaders view technology as they respond to the health crisis and economic recession.

Payment Systems

Though IT experts such as Stone and August are well versed on the newer forms of cyber attacks, the most frequent events involve breaches into systems that keep customer data, including credit card information.

In most cases, criminals gain access through an employee’s account.

Check Point Software Technologies’ Security Report 2021 said at least 44 percent of organizations had experienced an employee download a malicious mobile application that threatened the organization’s network and data.

In March 2020, Marriott International reported a data breach that affected more than five million guest accounts. The hacker infiltrated the system by using login credentials belonging to employees at a franchised hotel.

August said such events are preventable through continual maintenance of a hotel’s computer network. That includes making sure the hotel’s payment software programs are PCI compliant. PCI stands for payment card information.

Many hotels today do not store guest payment info on their property systems, opting instead to use virtual payment terminals connected to the internet.

In some cases a hotel might have a payment-application system and an internet-connected system on the same local area network or LAN.

Hotel operators can assess the security of these internet-based systems by performing a payment-card-information self-assessment questionnaire or a PCI SAQ.

The payment card industry has assessment programs for different types of point of sale processes.

LISTEN: Lodging Leaders’ other reports about cybercrime in the hospitality industry:

  • Episode 263 about security challenges introduced during the coronavirus pandemic.
  • Episode 236 about hotels meeting PCI and GDPR compliance standards.

Employee Authorization

No matter what systems a hotel uses, filling out the SAQs helps hotels authorize employees as users as well as removing authorization for employees who have left the company.

Technology is cool when it works but keeping it secure requires a watchful eye and dedicated diligence, which is not always fun.

“Part of technology is having the technology itself, but a big part and something that we’re adamant about is just the processes in place for authorization,” he said.

Businesses should authorize an employee access only software programs the employee needs to access for the job. A major component of PCI authorization is ending the authorization if the employee leaves the company.

“Going back to the pipeline breach, it was a VPN account that was unused and that’s what started the process,” August said. Security is “process-driven and is a big part of IT these days.”

Stone agreed. “Every organization, regardless of size should be performing a security risk assessment on an ongoing basis,” she said.

“But one of the risks that needs to be addressed right now is ‘What are the changes that have been made in how we do things and how are these changes affecting our risk posture?’”

Stone advised hotels facing hiring challenges need to be super vigilant on IT security.

“The challenge is getting people who are experienced, people who are trained. I’m even seeing some of the higher-risk people who in the past would not pass a background check are being considered now for positions.

“When you know that you have a perhaps riskier employee base, then looking at how can we put into place some technology that can either warn us or defend us against insider threats is worth it.

“It’s an uncomfortable conversation because we don’t want to believe that the people that we work with are in any way going to cause us a problem.”

You can find Lodging Leaders podcast on

[thrive_2step id='5870']Get Transcript[/thrive_2step]
Back to Top