REPORT FROM THE U.S.—While cyber criminals continue to target the hotel industry, sources say there are complex initiatives underway to protect customer data, and hoteliers who lag behind risk exposure.
Hotel owners and operators who take only the minimal steps to secure data stored onsite are typically either unaware of the potential consequences or unwilling to invest the capital required to implement true security, sources said.
The issue has received intense scrutiny as hackers continue to target the industry with success, most recently stealing customer credit card data and personal information from 14 White Lodging properties
The responsibility of securing customer data most often lies in the hands of franchisees, but franchisors’ names are often tarnished. Therefore, brands are expected to stop washing their hands of the issue and start working data security into their compliance requirements.
Hotel owners and brands tend to point fingers at each other when it comes to the responsibility for data security.
On one hand, the payment-card industry, which has the most exhaustive rules for credit card security, says the merchant is responsible. In most cases it’s the owner who will pay the fines and investigation costs when a breach occurs, according to Douglas Rice, executive VP and CEO of Hotel Technology Next Generation, an association dedicated to enhancing the deployment of technology in hotels. Fines, Rice said, can run to hundreds of thousands of dollars or even more than $1 million per incident, even for a single hotel.
On the other hand, it’s usually the franchisor that suffers the reputational hit, which can hurt entire brands as opposed to just the breached hotel.
“Unfortunately, the responsibility lies with whoever is holding the data,” said John Bell, former enterprise architect at Marriott International and founder of AjonTech consulting firm. “That could be a travel agent, a meeting planner, a technology vendor or the franchisor. It depends on who is holding the data.”
Both Rice and Bell said they expect over the next few years the industry will see changes in franchise agreements where brands will accelerate their requirements for franchisees to follow a framework for securing customer data. One hurdle, Bell said, is closing the argument on who owns the customer data.
“From a franchise perspective, you believe the data is yours,” Bell said. “From the brand standpoint, you believe that data is yours as well. You have competing concerns and interests over that data, so you need to have a common understanding because if a franchisee is breached, it affects the brand as well.”
Anthony Roman, founder and CEO of investigative and security consulting firm Roman & Associates, said the U.S. Federal Trade Commission is going to show a greater inclination to pursue franchisors when there are data security violations.
“Based on recent history, it’s clear the corporate brand should be ultimately concerned if not contractually responsible for setting the franchisees’ standard of security and having an audit program in place, along with its standing audit program to ensure cleanliness, service, etc.,” he said. “Likewise, they should establish protocols to ensure franchisee computer security is in place.”
Some hotel brands have taken over responsibility for secure management of the systems they provide or mandate, even those physically deployed onsite at the hotels, Rice said. This was most likely the reason why, in the recent White Lodging breach, brand property-management and reservation systems were reportedly not breached, he said.
“If franchisees continue to suffer breaches—which they will—the brands may be forced to take an even stronger stance, dictating more secure infrastructures for their franchised hotels just as they dictate participation in loyalty systems, thread counts and lobby design today,” Rice said.
Along with instituting brand standards for data security, Debbie Juhnke, director of information governance consulting at law firm Husch Blackwell, said brands could require a risk assessment, which she described as a fairly straightforward process to look at not only what data the hotels have and where its stored but what their policies and practices are.
“That will point them to where the gaps are,” she said. “Then hotel owners can go out and fix them on a gap-by-gap basis.”
Any time the issue of mandated systems arises, hotel owners are focused primarily on one thing: cost. Owners constantly are attentive to profit streams and often point to brand initiatives as cutting into those profits.
Bell said data security is not always as costly as one might think.
“It depends on what data they’re collecting and holding,” he said. “For example, when a consumer wishes to use a coupon or discounted rate, hotels typically ask to copy the customer’s driver’s license. Of course that is filled with (personally identifiable information). So if you’re going to create a copy of that driver’s license, it needs to be secured in a safe-type facility.”
Another example: credit card swipe systems—the little black box that plugs into the larger terminal—are often unsafe. For a “few hundred dollars,” Bell said, hoteliers can install a system that, when swiped, the credit card data doesn’t go to a keypad but instead is tokenized. Tokenizing the data hides it through transmission until the payment processor can extract it at the end of the transmission process.
Hackers build malware that is installed on computer terminals and searches for a string of numbers that resemble credit card numbers. When credit card information is entered on a keyboard, Bell said, the malware will recognize that string of numbers and “dump it out” into the wrong hands. If hoteliers house all of their terminals behind an inexpensive firewall that only lets those terminals talk to a “white list” of outside devices, that data is prevented from getting out into the wrong hands. Bell said hoteliers often install those firewalls with certain black-listed devices, but he suggested the appropriate technique would be to only white list the devices needed.
“You can buy those routers for under $50,” he said. “So there are some things that are fairly simple.”
Roman said the foundation of the problem is that hotel owners don’t see the cost of maintaining a secure and updated network as important as other elements of operations costs. But he blames the brands for not requiring it.
“If not emphasized by the brand, the franchisee is going to look to maximize profits,” he said. “Generally we find the franchisees will do the minimum required.”
Sharing best practices
HTNG has put a heavy emphasis on data security over the past five years. Solutions exist in the marketplace to dramatically reduce the risk of data breaches, said David Sjolander, COO of HTNG. Best-practice models and solutions avoid the need to store credit card numbers in hotel systems at all, so if a cyber criminal gets in there is nothing to steal. He said several hotel brands are already implementing such approaches, while others are in the process.
“Hotels want to be in the hospitality business, not managing security, so solutions provided by outside firms are increasingly attractive, even to major brands,” he said. “Hotel application vendors are working with these firms to enable hotels to get credit card data out of their systems, which can reduce risk for all parties.”
In 2013, HTNG released the Secure Payments Framework
, which outlines common approaches to implementing credit card security through tokenization and is available to hoteliers for free.
Tokenization, Sjolander said, is the safest approach for credit card data. Properly implemented, tokenization can remove all credit card data, even across multiple systems used by a hotel or hotel group. Through tokenization, a trusted third party stores all the actual credit card data, and issues substitute “tokens,” which are not real card numbers. The tokens are stored in the hotel systems.
Sjolander and Rice said HTNG recently has been approached by chief information security officers at two hotel chains interested in creating a forum where hotel security experts could share information about threats and methods of protection and mitigation. The association is exploring the formation of such a group, Rice said.
Sharing information on recent breach attempts among competing hotel companies is something that makes a lot of sense but can be challenging, Bell said.
“Vendors are leery because maybe their product has been compromised and they’re concerned sharing that will affect their business,” he said. “There also are potential issues with federal trade rules.
“I prefer a formal ability to do this because the more information you can get out the more prepared hoteliers and vendors can be, but for now participating in informal meetings is often a way to get the information to move.”