Lax data security in hotel industry ‘needs action’

The damning report also poses a security question around business franchises.
11 April 2019

Could you trust your next hotel to be cyber-secure? Source: Unsplash

In the wake of the infamous Marriott International breach, which saw the records of 500 million customers leaked, including five million unencrypted passport numbers, you would think the hotel industry might have upped its game.

But two out of three hotel websites continue to inadvertently leak guests’ booking details, according to research by Symantec, with personal data handed to third-party sites such as analytics and advertising companies.

Marriott wasn’t included in this study, but 1,500 hotel websites were, across 54 countries and from two-star to five-star ratings, with compromised information including full names, email addresses, credit card details, and even passport numbers.

The majority of compromises occur when a hotel site sends confirmation emails containing a link that carries the booking information directly in its address. In these cases, the reference code embedded in the link could be shared with more than 30 different providers.

These third parties could include social networks, search engines, and advertising and analytics services.
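The leak the report describes is a plain consequence of how browsers hand the current page's address to embedded third-party resources. The following added example (not from the article or from Symantec's report) uses a constructed confirmation URL and page to show which query parameters reach each third-party host under different `Referrer-Policy` values, and what the URL looks like once the booking reference is kept out of it; hostnames and the reference code are hypothetical.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed confirmation link of the kind the article describes (hypothetical host and code).
CONFIRMATION_URL = "https://booking.example-hotel.test/reservation?ref=ABC123XY&email=guest%40example.test"

# Constructed confirmation page embedding first- and third-party resources.
CONFIRMATION_HTML = """
<html><head>
<script src="https://analytics.example-third-party.test/tag.js"></script>
<img src="https://ads.example-network.test/pixel.gif">
<script src="https://booking.example-hotel.test/static/app.js"></script>
</head></html>
"""

# Query parameters that identify a guest or a booking and must never reach a third party.
SENSITIVE_PARAMS = {"ref", "email", "booking", "reservation", "passport"}


def third_party_hosts(html, page_url):
    """Hosts that receive a request (and therefore a Referer header) when the page loads."""
    page_host = urlsplit(page_url).hostname
    hosts = {urlsplit(src).hostname for src in re.findall(r'src="(https?://[^"]+)"', html)}
    return sorted(h for h in hosts if h != page_host)


def referer_sent(page_url, policy):
    """Referer value a browser sends with a cross-origin HTTPS request under the given policy."""
    parts = urlsplit(page_url)
    if policy == "no-referrer":
        return None
    if policy in ("strict-origin-when-cross-origin", "strict-origin", "origin"):
        return f"{parts.scheme}://{parts.netloc}/"          # origin only, no path or query
    # "no-referrer-when-downgrade" (the browser default when the report was published)
    # and "unsafe-url" send the full URL, query string included.
    return page_url


def leaked_params(referer):
    """Sensitive query parameters present in a Referer value (empty list if none)."""
    if not referer:
        return []
    return sorted(k for k, _ in parse_qsl(urlsplit(referer).query) if k in SENSITIVE_PARAMS)


def strip_sensitive(page_url):
    """Mitigation: remove identifiers from the link so there is nothing to leak via Referer."""
    parts = urlsplit(page_url)
    kept = [(k, v) for k, v in parse_qsl(parts.query) if k not in SENSITIVE_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))
```

A `Referrer-Policy` header only governs the Referer header; a third-party script running on the page can still read `location.href`, so the reliable fix is the last function's approach of keeping the reference out of the URL (for example behind a login or a POST form) rather than relying on the policy alone.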

With these details, bookings could be amended and even canceled, while the information could also be exploited by cybercriminals interested in the movements of particular individuals, such as influential business people and government officials. Personal information could be harvested and used in future scams or extortion.

In releasing the report, Symantec has revealed a fundamental security flaw in the marketing practices and handling of customer data currently in wide use in the hospitality sector.

“Of late, the hotel industry has been bearing the brunt of many of the data breaches and I expect the trend to not abate any time soon which is why they need to start taking action now,” said Warren Poschman, senior solution architect at data protection group comforte AG.

According to Symantec, when contacted about the issue, 25 percent of those responsible for data security at the affected hotel sites had not replied after six weeks; those that did took an average of 10 days to respond. Many reportedly said they are still updating their systems to be fully GDPR-compliant, nearly 12 months after the data protection regulation came into effect in Europe.

“The problem that hotels have is clearly the large amount of data they have and persist in their data warehouses,” said Poschman.

“Like other softer targets such as localities and state governments, they maintain numerous and detailed information on clientele because they need it. But having lots of data isn’t really the problem – it’s the challenges of the industry.”

Risks of the franchise model

With much of the hotel industry built on franchises, the results also highlight the security risks associated with the model, Poschman noted, “with each hotel having some latitude on how they run their house with their own local partners while having access to the central systems.”

This makes introducing threats and attacks “much more possible” than with the closed systems of, for example, banks and payment companies. As in the retail and restaurant sectors, threats are hard to contain even with rigorous enforcement of front-of-house systems.

“Hotels have a lot of security choices including strengthening firewalls, intrusion detection, encrypting data, and limiting access to data through access controls,” said Poschman.

“But, focusing on infrastructure, perimeter and intrusion detection is a losing battle since these measures only protect you from the threats you know about and don’t offer any protection once compromised or circumvented.

“The key is to think about what the attackers are after at the hotel chains – the data warehouse – and how that great resource can be used while preventing abuse,” he added.

“Adopting a data-centric security model allows for the data to be protected as it is acquired and traverses through the organization and, when an attacker gains access through the perimeter, then the risk that the actual personal data will be exposed is dramatically reduced.”