Businesses everywhere have to defend against the rising threat of ransomware and the growing sophistication of cybercriminals. Hotels are no exception.
Hotel News Now keeps a running list of the most well-publicized data breaches; no doubt many smaller attacks go unreported. These cyber intrusions are not altogether surprising when you consider four distinct challenges facing the hospitality industry: third-party vendors, FTC oversight, physical threats, and the potential for human error.
Let’s look at all four challenges in a bit more detail:
1. Third-party vendors
Hotels share sensitive data like home addresses and credit card numbers with outside vendors they cannot control. One of the most notorious hotel data breaches of 2017 implicated Sabre Hospitality Solutions’ SynXis central reservations system: intruders gained access to reservation and payment card data for guests of Four Seasons, Trump Hotels, Hard Rock Hotels & Casinos, and Loews Hotels, among others. The intruders reportedly had access to payment card data for as long as seven months.
Every industry with outside vendors faces this challenge, of course, but they might not necessarily share as much valuable private data as hotels do. Furthermore, the complex business structure of hotels — owners, managers, franchisees, and brands — adds more links to the cybersecurity chain. Each link represents a potential vulnerability.
Hotel owners and managers can insist that outside vendors indemnify them against potential cyber liabilities, which can mitigate the cost of a breach. Moreover, third-party vendors have an incentive to be more careful as attacks become more widespread.
Nevertheless, contract terms cannot tell you whether a third-party vendor’s cyber defenses are actually adequate, and there’s no way to know in advance how much damage a breach at that vendor will inflict on your business.
2. FTC oversight
In 2015 a federal appeals court affirmed that the Federal Trade Commission has authority to police companies’ data-security practices, including hotel cyber breaches. In that case the FTC had sued Wyndham Worldwide over three hacker attacks, noting that the hotel chain had ignored a wide range of cybersecurity best practices, exposing more than 600,000 credit card records and costing more than $10 million in fraud losses.
As Harvard Law Review noted, “The FTC did not ‘allege that Wyndham used weak firewalls, IP address restrictions, [or] encryption software. Rather, it allege[d] that Wyndham failed to use any firewall at critical network points, did not restrict specific IP addresses at all, [and] did not use any encryption for certain customer files.’ Furthermore, the company was not hacked just once, but three times, and the second and third hacks occurred after Wyndham had knowledge of the first breach.”
As we stated in our blog post advising hotels how to avoid negligence claims, hotels must follow state and federal rules, take action against likely threats, and follow industry best practices if they are to steer clear of the court system. Wyndham’s missteps are now part of the public record, so hotel managers and owners will have a hard time arguing in court that they had no way to anticipate cyberattacks.
3. Physical threats
The rising menace of ransomware — where cybercriminals lock down computer systems and demand payment before they’ll unlock them — has sent shivers through the healthcare industry. The so-called WannaCry ransomware attack forced dozens of British hospitals to cancel appointments and operations, affecting thousands of patients and raising alarms about potential hazards to people’s health.
Hoteliers should not think they are immune. After all, properties’ security systems, heating and air conditioning units, and door locks may be computer controlled. Indeed, cybercriminals attacked a hotel in the Austrian Alps in January 2017, shutting down the hotel’s electronic key-card system so that new room keys could not be issued, and demanding payment in bitcoin to restore it.
As hotels become more data-driven and interconnected with sensors that allow more advanced monitoring of their properties, owners need to acknowledge that each networked device is a potential point of entry for cybercriminals. And nobody should underestimate how ruthless and greedy cybercriminals can become.
4. Human error
Firewalls, intrusion detection software, and other automated cybersecurity technologies force cybercriminals to get more creative. Using emails, malware, and elaborate ruses, they can forge legitimate-looking log-in screens or write emails that appear to come from trusted sources.
In a spear-phishing attack, they send carefully crafted emails to specific people — often impersonating a manager, a vendor, or a brand — in the hope that one message hooks an unsuspecting user and yields log-in credentials or installs malware. Once they are inside with legitimate log-ins, they can hang around for weeks or months, stealing data in subtle ways that can go unnoticed.
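The impersonation tricks described above leave traces in message headers that a hotel’s mail team can check automatically. The script below is an added example, not code from the original article or from McGowan; it parses a raw email, flags a display name that belongs to a trusted colleague but arrives from the wrong domain, a sender domain that is a homoglyph or one-character typosquat of the hotel’s real domain, a Reply-To that diverts replies elsewhere, and macro-enabled or executable attachments. The trusted names, domains, and the three sample messages are constructed for illustration.

```python
"""Flag common spear-phishing indicators in raw e-mail headers (added example)."""
from email import message_from_string
from email.utils import parseaddr

# Assumed trusted senders for a hotel (constructed for this example): display name -> domain.
TRUSTED_SENDERS = {"jane doe": "example-hotel.com", "accounts payable": "example-hotel.com"}
TRUSTED_DOMAINS = {"example-hotel.com"}
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm")


def normalize_domain(domain: str) -> str:
    """Collapse common homoglyph swaps so 'exarnple-h0tel.com' compares equal to 'example-hotel.com'."""
    d = domain.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character typosquats such as 'example-hotel.co'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def phishing_indicators(raw_message: str) -> list:
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = sender_domain(addr)
    findings = []

    # 1. Display name of a trusted colleague, but the address is on another domain.
    expected = TRUSTED_SENDERS.get(name.strip().lower())
    if expected and from_domain != expected:
        findings.append(f"display-name impersonation: '{name}' sent from {from_domain}, expected {expected}")

    # 2. Sender domain is a homoglyph or one-edit lookalike of a trusted domain.
    if from_domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if normalize_domain(from_domain) == normalize_domain(trusted) or edit_distance(from_domain, trusted) <= 1:
                findings.append(f"lookalike domain: {from_domain} resembles {trusted}")
                break

    # 3. Reply-To silently redirects the conversation to a domain the sender does not use.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and sender_domain(reply) != from_domain:
        findings.append(f"reply-to mismatch: replies go to {sender_domain(reply)}, not {from_domain}")

    # 4. Attachments with extensions that execute code or carry macros.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment: {filename}")
    return findings


# Constructed sample messages (not real traffic).
LEGIT_MESSAGE = """From: Jane Doe <jane.doe@example-hotel.com>
To: frontdesk@example-hotel.com
Subject: Staff rota

Rota for next week is below.
"""

PHISH_MESSAGE = """From: Jane Doe <jane.doe@exarnple-hotel.com>
Reply-To: jane.doe@mail-relay.example
To: frontdesk@example-hotel.com
Subject: Urgent: update the PMS login

Please confirm your credentials at the portal linked below.
"""

INVOICE_MESSAGE = """From: Accounts Payable <ap@example-hotel.co>
To: gm@example-hotel.com
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached invoice.
--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"

AAAA
--b1--
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT_MESSAGE), ("phish", PHISH_MESSAGE), ("invoice", INVOICE_MESSAGE)):
        print(label, phishing_indicators(sample) or ["no indicators"])
```

Checks like these are a triage aid rather than a verdict: a legitimate vendor can use a separate Reply-To, and a clever attacker can register a domain that no homoglyph table catches, so the findings belong in front of a human reviewer, not in an automatic block rule.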
Multiply all these risks by the droves of employees, guests, and vendors of hotels, and the entire industry starts looking like a bullseye for cybercriminals. Attackers prefer to steal credit and debit-card data, but if they can hack into other business systems, they can sell data including names, addresses, and Social Security numbers to people creating fraudulent medical claims.
Managing risk with cyber insurance
Lawsuits commonly follow a cyber breach. Unfortunately, not all business liability policies cover the full range of costs that arise from cyberattacks. McGowan developed cyberattack coverage precisely to help people like hoteliers prepare for the rising tide of damaging breaches. Our coverage helps hotels recapture the costs arising from:
- Theft, loss, or unauthorized disclosure of private data or third-party corporate information
- Failure to comply with state breach notice laws
- Failure to follow the insured’s privacy policies
- Failure to administer an identity theft prevention program required by governmental regulation
- Unauthorized access, theft, or destruction of data
- Denial-of-service attacks and virus transmission involving the insured’s computer systems resulting from computer security breaches
Wise policies for bolstering network security
In 2017, New York State put in place new cybersecurity rules for banks, insurers, and other financial-services companies regulated by the state’s Department of Financial Services (DFS). While these rules do not apply to the hospitality industry, they offer excellent guidance on cyber hygiene that can help any hotelier boost network security and reduce the risk of breaches.
Companies subject to New York rules must:
- Assess current risks to create a cybersecurity program and put cybersecurity policies in place
- Create a plan to dispose of nonpublic information they don’t need anymore
- Review and limit access privileges
- Ensure third-party service providers are secure
- Assign a chief information security officer (CISO)
- Train employees and monitor authorized users
- Craft an incident-response plan
- Establish multifactor authentication
- Conduct penetration testing and vulnerability assessments
- Establish security policies for applications developed in-house
- Encrypt data at rest and in transit
- Establish an audit trail
This is one case where following the rules is in your best interest even if your company isn’t covered by them.
Contact us to talk to a McGowan expert who can help tailor your cyber coverage to your unique needs.