Here’s a hard, cold fact: Of all the vertical industries in the world, the hospitality industry is one of the most attractive to cybercriminals. Why? Because hotels hold two pieces of important data; personal information and credit card numbers.

Here’s another fact: ALL hotel chains in the US were attacked at least one time between 2015-16.

This post will focus on what makes hospitality venues so vulnerable and the solutions to help keep cybercriminals at bay.


What Makes the Hospitality Industry So Vulnerable?


Here are the systems/people/processes that make hotels ripe for this type of criminal activity:

  • Guest credit card information is stored on a local server for several days.
    From the time a guest arrives at the property, until at least 24-48 hours after they leave, their credit card information is stored on the hotel’s server to cover room charges and any damage to the room after the guest leaves.
  • Several points of purchase and access.
    Most hotels have several ways guests can use their credit cards:

    • Check-in and out
    • Gift shop purchases
    • Restaurant/bar charges
    • Spa or other amenities fees


And, while a guest might think all these systems are alike, they are not. Each system may have a different level of encryption and, if they are coupled together, a hacker only has to have access to the weakest link in order to get access into the entire network.

Once a hacker is into the system, they can also affect the hotel’s HVAC system, elevators, and room access just to name a few. This can impact guest satisfaction rates, the reputation of the hotel and, quite frankly, put the hotel out of business if a solution is not remedied quickly.


  • Free guest Wi-Fi systems contain the lowest level of encryption.
    Because so many hoteliers want to provide free Wi-Fi to their guests, they usually provide the lowest level of encryption possible on a shared network, which makes the system ripe for attacks.
  • Malicious insiders.
    According to AON, the hospitality sector accounted for 12% of the cyber security claims in 2015. However, the real news is 24% of those claims were caused by disgruntled past or present employees.
  • Privacy policies are out-of-date.
    As we noted in our June 23rd blog post, often times, employees have access to data they should not. Or the firm does not have a cyber security policy or completed the proper privacy assessment.


Simple Industry Solutions


  1. Move all credit card information to a secure cloud. This gets it off the server and reduces the vulnerability that your server will be attacked.
  2. Update your entire Wi-Fi system to the highest level of encryption which is WP2. 
  3. Do not provide free Wi-Fi.
    Move all Wi-Fi login credentials to a paid system on a dedicated server just for hotel guests. In addition, segment each meeting into dedicated networks. While guest may grumble about the cost, they will thank you for providing a secure connection to them during their stay.
  4. Complete an entire risk analysis.
    This will require help from staff, vendors, and an outside cybersecurity firm. This analysis will help identify your points of weakness and put a plan in place to eliminate the trouble spots. For example, decoupling your systems may be one point of action or improving encryption levels across the board may be another.In addition, this risk analysis will help identify the data employees need access to in order to complete their job and keep them away from the data they should not be accessing.
  5. Formulate cyber policy and train personnel on it.
    A few years ago, it was found that most hotel employees keep their log in credentials within a few inches of their desk. Many had it on sticky notes on their computer screen!A formal, written policy will help ensure that employees have strong passwords, change them often, keep them away from the workspace and prohibit employees into your system when a voluntary or involuntary separation occurs.

    In addition, it is important to have consequences when these policies are violated.

  6. Constantly update your privacy settings and monitor the system.
    One thing you need is to constantly update and be assured of is the credit card and personal information of your guests is protected. You will need the best encryption software, strong firewalls and allow limited access to this private data.In addition, it is best practices to have an outside firm constantly monitor any vulnerabilities and give you appropriate alerts if something is amiss.


Shellproof Security Helps Small to Medium Sized Hotels


ShellProof Security strives to bring to big brand hotel cybersecurity to the small and mid-sized hotels, conference centers and B&Bs.  We understand a single breach of your data can be enough to put you out of business, which is why we will provide you with the resources and procedures to adequately protect against the toughest cyber foes. Bottom of FormCall us at 212-887-1600 for more information.