Hotel industry cybersecurity experts say both the "nature and velocity" of cybersecurity threats have changed for the worse during the course of the COVID-19 pandemic.
Speaking during the American Hotel & Lodging Association Safety Summit, Jason Stead, chief information security officer for Choice Hotels International, said the onset of the pandemic spurred many bad actors to quickly pivot and use "COVID as a theme and as a way to try to infiltrate their way into hotels."
"They would contact hotels under the guise of safety and security," he said. "They would send those hotels phishing emails trying to suggest they've got products and other things, but it was really just a method or a theme they were relying on over that period of time."
He said the volume of threats and who they threatened also shifted.
"We definitely saw an uptick in terms of the bad guys targeting the franchisor not just the franchisee," he said. "Phishing was definitely the No. 1 thing that we saw increase immediately, especially when we sent all the employees home that were originally at the corporate location or we had some reductions."
Ben Vaughn, chief information security officer for Hyatt Hotels Corp., said "certain groups of threat actors" believe the hospitality industry is ripe for attacks because companies "have some serious financial problems in the middle of a pandemic."
"So we were very engaged, locking down policies from day one," he said.
But Vaughn said that it hasn't been as bad as they feared across the board, with primarily phishing attacks seeing a spike, as opposed to other attacks like ransomware.
"But we did see a dramatic, dramatic increase in phishing attacks coming in to colleagues at the company at the outset of the pandemic," he said.
The level of phishing attacks recorded by Hyatt began to drop again a couple of months into the pandemics before eventually spiking again, which data analysts were able to find a curious correlation for.
"I asked the teams, our intelligence analysts, to look into why that might because because it was just odd, and actually the chart lines up quite nicely with the reported [COVID-19] case counts in the Republic of Russia," Vaughn said. "You're not going to be sending your phishing attacks if you're taking care of your parents or your family members.
"It really seems as if the e-crime landscape in that May-June time frame really fell off, and then of course, came back with a vengeance later on."
In terms of what bad actors might be targeting hotel companies, Stead said they are broad.
"There's definitely those threat actors that are targeted towards the financial instruments, whether it's your loyalty points conduct fraud, whether it's credit cards to conduct financial transactions, but then you also have a number of others," he said. "You have folks who maybe had a bad stay at one of your hotels, and so they have some personal vendetta and may be out there to try to cause harm, whether that's taking down your website, defacing it or doing other things."
He said the third large bucket of threats for the hotel industry comes from state-sponsored actors that "want to know where people are staying." He said that group looks to leverage guest information by knowing when someone isn't at their home or by identifying potentially incriminating information they could then use.
While that latter group offers the most intrigue and is more headline-grabbing, Stead said, it's is the group that is seeking immediate financial benefit that is the most prevalent.
Vaughn, who used to work in the airline industry, said the cyber threats to the hotel industry are more deep and concerning than many outside observers would realize.
"When I moved from the airline industry to the hospitality industry, I thought that I was taking a very cushy job," he said. "Because to me, I was thinking about airlines, you have terrorists, and you have fears that airplanes could be hacked. All of these things are very scary. And I went, 'Okay, well, what's the worst that could happen at a hotel?' And I ended up landing in an industry vertical that is by far the most attacked and most targeted of any industry vertical."
Vaughn said it's only been relatively recently that the hotel industry has started taking cybersecurity threats as serious as they should, with his team at Hyatt growing from three people to 20 in his four years with the company.
Stead said that growth in recognition of cybersecurity has grown in tandem with how sophisticated the attackers who target the industry are.
"I started at Choice north of 10 years ago, and life seemed so much simpler back then," he said. "The bad guys I worried about were literally the kids down the street trying to steal credit cards from a hotel by grabbing a binder off of a shelf."
Vaughn and Stead said their teams and the industry broadly have benefited from top-level executives buying into the importance of cybersecurity.
Hyatt Chairman Thomas Pritzker "believes firmly, and our company agrees, that excellence in cybersecurity is going to be a strategic differentiator for American businesses in the 21st century," Vaughn said. "When you have that level of support at the board level, it's very empowering to push initiatives forward to get the things done that one needs to do."