Hotels Are Rich Pickings for Data
Hotels, together with their owning and operating companies, collect and store large volumes of personal data through their systems such as reservations, accounting, sales, hotel management, customer research and loyalty programs.
The scale of data might surprise some, but consider this: Marriott, IHG and Hilton together have approximately 3 million rooms, and each room reservation gathers personal data; so just these 3 companies have the potential to collect over 1 billion records a year!
Of course, some will be ‘duplicates’ and full occupancy is never guaranteed. The same 3 companies claim nearly 300 million loyalty program members, each with a more detailed record. To this add Payment Card Industry (PCI) information for each reservation and member plus employee records. From this, it can be easily deduced why criminals ‘like’ hotel companies – ‘rich pickings’.
Hotel Data is High Quality on Complex Networks
From a criminal perspective, hotel companies not only have quantity but also quality data. To provide great hospitality, hotel companies must understand their guests, their preferences and stay records for instance. Loyalty programs hold more detailed personal information to enable ‘enhanced’ experiences. The ‘quality factor’ is likely to increase as hotels seek to introduce personalised marketing, which will require hotel companies to gather ever-increasing amounts of detailed, personal and sensitive data.
In addition, hotel companies operate highly complex networks that must connect with and share data with their hotels. A hotel owner will often own a portfolio of hotels branded and/or managed by several different brands, in which case the owner’s network may bridge across and link brand networks. This can greatly complicate cyber defences and provide vulnerabilities for criminals to exploit. Of course, there are technical mitigation techniques, but there needs to be an understanding of ‘what is connected to what’ and how; this is not always clear. This interconnectivity also causes significant challenges for Payment Card Industry Data Security Standard (PCI DSS) compliance, especially when deciding what is ‘in scope’ for PCI DSS.
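The ‘what is connected to what’ problem above can be made concrete: PCI DSS treats any system with unrestricted connectivity to the cardholder data environment (CDE) as in scope, so scope is essentially a reachability question over the network inventory. The following Python is an added illustration, not code from the original article; the segment names, links and the single CDE segment are constructed, and real inventories would be built from firewall, VLAN and VPN configuration.

```python
"""Constructed example: PCI DSS scope as reachability to the cardholder data environment.

Segment names and links are invented for illustration. Links are treated as
undirected (unfiltered traffic both ways), which is the worst case and the
usual starting assumption before segmentation evidence is gathered.
"""
from collections import deque

# Constructed topology: each key is a network segment, each value is the set
# of segments it has an unfiltered network path to. Note the owner's corporate
# network bridges a Brand A hotel and a Brand B hotel, as the article describes.
LINKS = {
    "owner-corp":      {"owner-wifi", "brandA-hotel-1", "brandB-hotel-7"},
    "owner-wifi":      {"owner-corp"},
    "brandA-hotel-1":  {"owner-corp", "brandA-pms", "brandA-corp"},
    "brandA-pms":      {"brandA-hotel-1", "brandA-payment"},
    "brandA-payment":  {"brandA-pms"},            # the CDE in this toy estate
    "brandA-corp":     {"brandA-hotel-1"},
    "brandB-hotel-7":  {"owner-corp", "brandB-corp"},
    "brandB-corp":     {"brandB-hotel-7"},
}

# Constructed: which segments actually store, process or transmit card data.
CDE = {"brandA-payment"}


def in_scope(links, cde):
    """Return every segment that is, or can reach, a CDE segment.

    Breadth-first search from the CDE over the link map; with undirected links
    this is the connected component(s) containing the CDE nodes.
    """
    seen = set()
    queue = deque(cde)
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(links.get(node, ()))
    return seen


def with_segmentation(links, a, b):
    """Return a copy of the topology with the a<->b link removed.

    Models a firewall rule or VLAN boundary that blocks traffic in both
    directions; the original map is left untouched so scenarios can be compared.
    """
    cut = {k: set(v) for k, v in links.items()}
    cut[a].discard(b)
    cut[b].discard(a)
    return cut


def scope_reduction(links, cde, a, b):
    """Return (before, after) scope sizes for cutting link a<->b.

    Useful for ranking candidate segmentation controls by how many segments
    they take out of PCI DSS scope.
    """
    before = len(in_scope(links, cde))
    after = len(in_scope(with_segmentation(links, a, b), cde))
    return before, after


if __name__ == "__main__":
    print("In scope (flat estate):", sorted(in_scope(LINKS, CDE)))
    segmented = with_segmentation(LINKS, "owner-corp", "brandA-hotel-1")
    print("In scope after segmenting owner-corp from brandA-hotel-1:",
          sorted(in_scope(segmented, CDE)))
    print("Scope size before/after:",
          scope_reduction(LINKS, CDE, "owner-corp", "brandA-hotel-1"))
```

Run as-is, the flat estate puts all eight segments in scope, including the owner’s guest Wi-Fi and the unrelated Brand B hotel; cutting the single owner-to-Brand-A link reduces scope to the four Brand A segments. The same reachability check, run against a real link inventory, is a quick way to find the bridges between owner and brand networks that most inflate scope.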
So, the hotel sector has lucrative assets that attract criminals and faces significant challenges in defending them. In general terms, we can consider digital crimes against hotel companies in two categories: Cyber-Enabled Crimes and Cyber Dependent Crimes.
Cyber-Enabled Crimes are physical crimes that are facilitated, transformed or industrialised by using digital systems and networks such as the internet, the Dark Web and hotel networks. In the context of hotels, this might include:
- Theft of data that can be exploited or used to victimise organisations or individuals:
  - Commercial – strategy, plans, mergers & acquisitions, financial reporting, either to embarrass or to sell for competitive advantage
  - Guest Data – for immediate or complex victimisation of guests by criminals and hostile governments
  - Credit Card Data – for resale or direct exploitation
  - Loyalty Program Member Data – for immediate or complex victimisation of members
  - Theft of Loyalty Program Points – to fraudulently obtain stays or obtain other services and goods through point conversion
  - Employee Data – payroll, health etc. to victimise employees
- The co-ordination of criminal operations and selling activities in hotels, including:
  - Prostitution – co-ordination of wide-scale prostitution operations into hotels and facilitation of prostitution ‘delivery’ to guests
  - Drugs Distribution – management and co-ordination of distribution nodes using hotels and delivery of ‘products’ to guests or employees
  - Human Trafficking – facilitation of trafficking through or to hotels
  - Child Exploitation – see Human Trafficking and Prostitution
  - Money Laundering – laundering money through hotel accounts and outlets such as casinos
- The selling of stolen hotel company assets such as loyalty points and company and/or hotel physical assets
- The selling of Crime as a Service (CaaS) to commit Cyber Dependent Crime against hotel systems and networks
- Business Email Compromise, such as fraudulent wire transfers and re-direction of franchise fees
- The imitation of hotel company websites and apps for phishing attacks against consumers and hotel job applicants
Cyber Dependent Crimes
Cyber Dependent Crimes primarily target and exploit digital systems themselves to steal data or disrupt systems, often using malware. In the context of hotel companies, this might include:
- The theft of data detailed above
- Corruption or deletion of data
- Denial of Service – corporate networks, reservation systems, PMS, etc.
- Data Ransom
- System Ransom
- Website defacement
- Threat Extortion (to not make public a data breach)
- Theft of hotel company data from third-party vendors
Threats such as those described here need to be thoroughly examined and understood to enable effective defence; consideration should also be given to the potential linkages between crime ‘strands’ and consequent ‘knock-on’ or chain impacts.
Hotel companies should consider building Threat Intelligence and Management programs that span the physical and digital domains to deliver ‘joined up’ intelligence and defence solutions.
Finally, it should also be borne in mind that many of the criminal activities mentioned here are likely to have the hand of Serious & Organised Crime behind them; some may be sponsored or supported by hostile governments. These are well-resourced, cunning and formidable ‘opponents’ that will pose significant challenges to the best defences; consequently, I would recommend that companies engage with, and form working relationships with, public cyber defence agencies. I have had very positive experiences working with both the National Cyber Security Centre in the UK and the FBI Computer Crime Task Force in the US.
Given the complexity and gravity of the threat, public/private partnership in this arena is highly desirable. Please go and liaise!