Everything You Need To Know About Hotel Cybersecurity Risks And Countermeasures

Cybersecurity is a critical issue for many businesses, but the hospitality industry is particularly vulnerable to hackers and other cybercriminals. Bisnow consulted Jack Pulvirenti, CPA, and Steve Goldberg, accounting and advisory experts at Berdon to learn more about hospitality-specific cybersafety concerns.

Why Hotels Are Especially Vulnerable To Cyberattacks

Constantly rotating guests, high staff turnover, and complex reservation systems integrated with third-party applications all make the sector uniquely susceptible.

In addition, hotels tend to store their customers’ credit card data in multiple places, including reservation and point-of-sale systems at restaurants, bars and gift shops, providing hackers with multiple potential weaknesses to exploit for sensitive data. Often, POS systems are shared among hotel chain members, further increasing the information’s exposure to cybercrime.

In addition to a damaged reputation, hotels that experience data breaches may have to deal with costly class-action lawsuits and, increasingly, enforcement measures taken by state and federal government agencies.

In recent years, the Federal Trade Commission has assumed the mantle of federal cybersecurity regulator, a role that was endorsed by the US Third Circuit Court of Appeals in FTC v. Wyndham Worldwide Corporation.

Hotel owners should view the Wyndham decision as a wake-up call to review and update their information security programs. They should take proactive steps to protect customer information.

FTC v. Wyndham: A Cybersecurity Wake-Up Call For The Hospitality Industry

In Wyndham, the FTC sued the global hotel operator for failure to maintain “reasonable and appropriate” data security measures. The company had experienced three data breaches that compromised more than 600,000 credit card records and led to more than $10M in fraudulent charges.

The FTC argued, and the Third Circuit agreed, that Wyndham’s website privacy policy overstated its security and, therefore, was unfair or deceptive. Wyndham’s data security practices fell short in several ways. Among other things, the company:

•          Stored credit card information in clear, readable text.
•         Allowed employees to use easily guessed passwords.
•         Failed to use readily available security measures, such as firewalls.
•         Failed to adequately restrict vendor access to its network.
•          Failed to employ intrusion detection and prevention systems, conduct security investigations, or follow proper incident response procedures.

The Aftermath: A Cautionary Tale

After the Third Circuit recognized the FTC’s authority, the parties settled and agreed to a Consent Order. The order did not impose any monetary penalties—the FTC has very limited authority to seek penalties.

But it did require Wyndham to implement a 20-year comprehensive information security program that’s “reasonably designed to protect the security, confidentiality, and integrity” of customers’ credit card data.

As part of the information security program, Wyndham must:

•          Conduct a risk assessment.
•          Implement and test reasonable safeguards that control identified risks.
•          Ensure that service providers continue to maintain appropriate safeguards.
•          Designate one or more employees to be accountable for the program.

Security measures must comply with the Payment Card Industry Data Security Standard or a comparable, FTC-approved standard.

In addition, Wyndham must undergo annual audits of its security practices and obtain an independent assessment and incident report within 180 days after any data breach that affects more than 10,000 credit card numbers. 

It can’t make any significant changes to its information security practices without an independent assessor’s certification that the company continues to comply with approved standards.

How Can Hotel Management Learn From Wyndham?

The Wyndham decision and Consent Order provide welcome guidance on the types of cybersecurity precautions the FTC is seeking. Another valuable resource is the FTC’s publication here.

According to the FTC, hotels should consider, at a minimum:

•          Employee training
•          Information systems evaluation, examining network and software design, information processing, storage, transmission and disposal
•         Mitigating risks associated with branded hotels
•         Analyzing robustness of prevention, detection and response protocols 

To learn more about our Bisnow sponsor, click here.