Why and Where Cybercriminals Attack the Hospitality Industry

Digital transformation has facilitated a completely new, globally connected business landscape, opening new opportunities and creating new markets. But this digital explosion has also given hackers and scammers more openings to infiltrate systems and attack organizations.

The Gaming, Leisure, and Hospitality industry in particular has been increasingly targeted by both cybercrime and nation-state groups, and faces a unique set of challenges compared to other industries. To help organizations in the industry – which includes hotels, casinos, resorts, and other travel-related businesses – understand and identify the potential threats they may face, we put together the Gaming, Leisure and Hospitality Industry Cyber Threat Report (March 2019). Today, we’ll break down why and where cybercriminals attack this industry.

Cybercriminals are using scams and fraud to target hotel databases

So why are these threat actors focusing on hotels and other organizations in the hospitality business? The simple answer is they have expansive databases of customers’ personally identifiable information (PII) and numerous access points like software systems, third-party vendors, or even employees who lack cybersecurity training.

Threat actors can leverage well-known brands to target customers with scams and fraud schemes, placing millions at risk of compromised personal data. These efforts can prove to be quite lucrative if the cybercriminals can successfully penetrate a hotel’s network and sell customers’ personal data on the dark web black market.

Hotels are subject to these attacks because they:

  • Collect and maintain databases of sensitive information such as travel itinerary, passport details, credit card information, personal preferences, air miles and more.
  • Facilitate a significant number of financial transactions, often involving executives and wealthy individuals whose credit card information would be highly sought-after on the dark web.
  • Are spread out geographically, giving them large attack surfaces and information from all different types of individuals that may be valuable in different regions of the world.
  • Offer loyalty programs that store rewards balances and PII, which are not closely monitored by users. Many people reuse login credentials across different sites and platforms, potentially leaving themselves exposed to fraud if hackers can accurately identify their password habits, drain their account balances, and steal other sensitive PII.

In recent years, there have been numerous high-profile data breaches in this sector as threat actors look to tap into this rich source of data. So, what can organizations do to mitigate these risks and thwart attacks?

Understanding a hotel’s attack surface and how hackers can penetrate

Every organization needs to understand its weaknesses that cybercriminals might target. These potential entry points are known as the “attack surface”, and can include anything from technology systems, user credentials, social media pages and even hotel staff. To learn more about how to identify your attack surface and defend it from cyber threats, check out our blog on mapping your digital footprint.

Hotels, resorts, and casinos are prime targets for cybercriminal attacks because they have expansive attack surfaces, offering multiple entry points for threat actors looking to infiltrate their network. Here are some of the unique factors organizations in the hospitality industry have to consider in their cybersecurity strategies:

  • The sheer number and variety of different endpoints most hotels have – Wi-Fi networks, electronic door locks, HVAC control systems, alarms, IoT devices, and more – give threat actors numerous entry points to gain access.
  • Breaching a single regional hotel’s network gives hackers access to the whole centralized system, which can make it challenging for IT teams to ensure security with dispersed networks.
  • Hotels have huge staffs with high turnover rates, and many of these workers lack cybersecurity awareness or are not trained adequately.
  • Branded hotels tend to have franchisors, owners, and operators all directly involved in making computer system-related decisions. When they are not aligned on cybersecurity initiatives, they leave gaps in their systems that can be exploited.
  • Hotels rely on many third-party vendors for key services like maintenance, POS systems, and payroll. Hackers often use these third parties as entry points.
  • Big brand names are often subject to brand impersonations, through which hackers target customers with phishing scams and elaborate customer rewards hoaxes.

Over the past few years, threat actors have launched cyberattacks against organizations in gaming, leisure and hospitality industry at an alarming rate, and there have been several high-profile data breaches impacting big brands in the industry. To defend against these new attacks, hospitality organizations should take an offensive approach to ensure they are identifying new threats early and taking proactive mitigation action.

Download our research report to learn more about cyberattacks in the gaming, leisure, and hospitality industry. Stay tuned for further entries in this series, in which we’ll break down common attack vectors, threat actors, and how organizations can best protect themselves against these threats.

Download Now

Stay up to Date!

Subscribe to the blog to stay up to date with all the latest industry news and updates from IntSights.