Ransomware Attack Places Hotel Industry in New Danger

The cyber hacking crisis in the hotel industry recently escalated beyond data theft to the Internet of Things. Hotels and hotel companies need to step up their security protocols to meet these new threats.
By Ed Watkins
February 16, 2017 | 7:31 P.M.

A lot has been written at Hotel News Now and in other media outlets about the very real threat that cyberhacking poses to the hotel industry and its guests. Most of the reporting, discussion and angst over the topic has centered on hackers stealing personal data from customers by breaking into hotel computer systems. This worrisome topic took an uneasy turn recently with a strange story about a hotel in Austria.

Worry over cyber security in hotels has been increasing throughout this decade.

Since 2010, more than a dozen breaches at hotel chains or individual properties have been reported. The number of incidents ratcheted up in 2015 and 2016, including seven in 2015 alone.

The hotel companies that have been attacked range across all segments and locations—from Mandarin Oriental Hotels Group and Trump Hotels to Hilton, Rosen Hotels & Resorts, Hard Rock Hotels, Omni Hotels, Kimpton, Wyndham Worldwide and HEI Hospitality.

According to a 2015 report from Verizon, point-of-sale systems are the focus of 91% of cyberattacks on the hotel industry; they are particularly vulnerable since many of them are sold or serviced by third-party providers.

The latest reported attack came against InterContinental Hotels Group. Earlier this month, the company announced a breach of POS systems at food and beverage outlets at 12 company-managed properties in the United States, Canada, Aruba and Puerto Rico. The hacked properties include eight InterContinental Hotels, three Holiday Inns and one Crowne Plaza.

And as disturbing as this news was, even more chilling was the confusing but serious story of an attack of a different kind at the Romantik Seehotel Jaegerwirt in the Austrian Alps. Instead of seeking to steal the personal data of guests, the hackers went after the hotel and its systems.

The crooks apparently sent an email and attachment to the hotel that, once opened, unleashed encrypted files populated with ransomware. Once activated, the malware prevented guests from using their keycards and hotel staff from issuing new ones. The criminals demanded about $1,800 in digital Bitcoin currency to reverse the hack. Faced with a full house of guests and an inoperable guestroom lock system, the general manager acquiesced and paid the ransom.

As a coda to the story, the GM said he plans to ditch the hotel’s electronic keycard system and replace guestroom locks with ones operated by manual metal keys.

According to news reports, the FBI said incidents of ransomware have surged in recent years, costing victims $209 million in the first three months of 2016, up from $24 million in all of 2015. 

While $1,800 seems like a relatively small price to pay to make this problem go away, it opens the door to other malicious hackers to go after hotels and the many Internet-of-Things systems they operate.

Besides electronic lock systems, hotels have a myriad of internet-based systems that could be vulnerable to hacking—everything from security cameras and Wi-Fi networks to cloud-based back-office technology and mobile messaging systems. One of the new technology frontiers in the hotel industry is the use of artificial intelligence bots for everything from room service delivery to concierge services to housekeeping. As this technology spreads, so does its vulnerability.

I assume most individual properties and hotel companies employ rigorous security protocols to avoid and respond to the most common kinds of data breaches. Now with the additional threat posed by ransomware and other kinds of attacks, everyone will need to reassess and beef up their protective measures.
