Why Hotel Cybersecurity Is Still A Problem and It Is Getting Worse

By Robert McGarvey

For probably two decades I have covered hotel data breaches.  Everything from the Trump hotels to the Hard Rock has been breached and, truth to tell, I doubt that there is a single large hotel group that has never been breached.  If there is, I don’t know it.

Bet on this: there will be more breaches in the hotel business and soon.  A perfect set of circumstances makes this a safe bet.  Hotel revenues were near zero for 18 months and that meant, for sure, cybersecurity spend was also near zero.  If money was getting spent it was on better ways to sanitize hotels in the pandemic in order to lure guests back.

Cyber criminals, like all predators, target the weak.

Besides, cyber insecurity is a perennial industry problem. Hoteliers resist expenditures that do not contribute to the bottom line, and the average hotelier sees cybersecurity as a cost, not as an investment that could contribute to the bottom line.

This is why I strongly urge hotel guests to never use a debit card (protections against fraudulent use are weaker than with a credit card) and to use a credit card with a very low credit limit. If need be, ask a bank to issue a card with, say, a $2000 limit. $1000 if you think you can navigate within that budget.  Probably if a credit card of yours is stolen in a hotel data breach and put to use by crooks you will eventually be made whole.  But my advice is to try to minimize the damage by using a card with limited spending ability.

Note: you usually won’t know for many months that a credit card of yours has been scooped up in a hotel data breach.  These breaches often go undetected by the hotel for years and once discovered, hotels are reluctant to go broadly public with the info.  The massive Starwood breach – involving some 500 million consumers – was not disclosed until late 2018.

Assume any card you give a hotel is likely to be breached and behave accordingly.

By now you are probably looking for proof that in fact hotels are wretched at cybersecurity. NordPass, which makes password management software, recently looked into password sophistication across many industries and, no surprise, hospitality fared poorly.

NordPass collected its data by looking into known breaches and eyeballing the passwords that had surfaced. The researchers looked into 15,603,438 breaches and broke down the resulting data into 17 different industries.

Remember this: a company website is only as secure as the passwords used by employees who access it.  If employees use passwords that are easy for crooks to guess, the site security is nil.

Here are the top 10 most used passwords among hospitality employees, according to NordPass’s digging:

password

123456

Company name123 *

Company name*

Company name*

Hello123

Company name 1*

Company name*

company name*

company name1*

NordPass offered this explanatory gloss about the recurring company name password: “This password is a company name or a variation of it (e.g. Company name2002). We are not naming the exact company.”

Commented NordPass, “The hospitality industry had the most passwords that were the company’s name or its variation.”

That list of hospitality passwords is gravely disturbing.  Wrote TechRepublic: “Some of the weak passwords uncovered seem almost comical, but this trend has serious ramifications. Weak passwords are actually one of the leading vulnerabilities that lead to data breaches.”

Know that the way cybercriminals hack a company site is to send a bot to it, and the bot is scripted to try common passwords. Like what? Like, well, “password,” which is a perennial top-ten most-used password.  Hackers use the common password lists to script their bots, of course, and in hospitality the employees obligingly seem to use such lists to pick their own passwords and, astonishingly, the company websites are not programmed to reject their use.
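One way a site could be programmed to reject these choices, as an added example that is not from the original article or from NordPass: a Python check that refuses common passwords and company-name variations of the kind in the list above. The helper `screen_password`, the short blocklist and the company name "Grand Harbor Hotels" are constructed placeholders.

```python
import re
import unicodedata

# Constructed sample blocklist; a real deployment would load a full breached-password list.
COMMON_PASSWORDS = {"password", "123456", "hello123", "qwerty", "letmein"}

# Undo common character substitutions before comparing.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def _canon(text):
    """Reverse substitutions, then keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.translate(LEET))


def screen_password(password, context_words):
    """Return a rejection reason, or None if the password passes these checks.

    context_words: names an attacker can guess for free (company, brand, site).
    """
    folded = unicodedata.normalize("NFKC", password).casefold()
    plain = re.sub(r"[^a-z0-9]", "", folded)
    if folded in COMMON_PASSWORDS or plain in COMMON_PASSWORDS:
        return "common password"

    # Strip leading/trailing digits and symbols: "name123", "name2002", "name1!".
    base = _canon(re.sub(r"^[\W\d_]+|[\W\d_]+$", "", folded))
    full = _canon(folded)
    if base in COMMON_PASSWORDS or full in COMMON_PASSWORDS:
        return "common password with padding or substitutions"

    for word in context_words:
        needle = _canon(unicodedata.normalize("NFKC", word).casefold())
        # Skip very short names to avoid rejecting unrelated passwords.
        if len(needle) >= 4 and (needle in base or needle in full):
            return "contains company name"
    return None


if __name__ == "__main__":
    company = ["Grand Harbor Hotels"]  # constructed placeholder company name
    for candidate in ["password", "Hello123", "P@ssw0rd1", "Grand Harbor Hotels123",
                      "gr4ndharborhotels2002", "Ma!yo#Cty908&"]:
        print(f"{candidate!r}: {screen_password(candidate, company) or 'accepted'}")
```

The check belongs on the server at account creation and password change, so that a scripted client cannot skip it.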

According to NordPass, only 29% of hospitality industry employees use unique passwords (which is something like Ma!yo#Cty908& – the sort of password usually generated by any decent password management tool).

More than two thirds of hospitality industry employees reuse passwords across multiple accounts, which is another big no-no.

Call this a huge fail on the part of hospitality.  

Just don’t say it is surprising and don’t believe it will be fixed soon.
