Editor's note: This is the first installment in a five-part series about hotel information data security. Tomorrow's feature will examine ways to strengthen hotel defenses.
REPORT FROM THE U.S.—During late January 2010, Wyndham Hotels and Resorts discovered a hacker had penetrated the computer systems of one of the company’s data centers. That system acted as a gateway, allowing the hacker to access information from separate computing environments at 37 properties. At risk: personal data such as guest names and credit card numbers, expiration dates—and the public’s trust.
Wyndham notified the Secret Service, major payment card brands and attorneys general of different states as required by law. Though the company has not identified any customers whose data appears to have been taken by the intruder, an investigation is still ongoing.
It wasn’t the first time Wyndham experienced an information security breach. The Parsippany, New Jersey-based hotel chain experienced two other attacks during a 12-month span.
Though the frequency of such attacks generated considerable news coverage, Wyndham was not alone in its susceptibility to information security breaches.
Last fall, Radisson Hotels & Resorts revealed the computer systems of some branded hotels in the United States and Canada were accessed without authorization. Only a few weeks ago, owners of the Westin Bonaventure Hotel & Suites in Los Angeles disclosed a possible data breach at four hotel restaurants and valet parking operations.
The hotel industry has become a prime target for hackers. A recent report from SpiderLabs, a unit of data-security firm Trustwave, found that 38 percent of its data-breach investigations during 2009 occurred at hotels. The next most targeted sector was financial services with 19 percent of the company’s data-breach investigations.
“The hacker community has identified the hotel industry as a soft spot,” said Mark Haley, partner with hotel-technology consulting firm The Prism Partnership.
A basic failure
Hackers might boast an imposing knowledge of computer systems, and their ability to manipulate complex coding illustrates a level of sophistication that surpasses the skills of many an IT professional. But most data breaches are the result of a few basic failures within the hotel industry, Haley said.
“If every hotel manager addressed a couple of basics, specifically regarding default passwords and remote access, a lot of the recent breaches would never have happened,” he said.
But how could the industry have become so lax, especially at a time when reports and awareness seem to be growing?
One big reason is the recessionary economic climate, said Jeremy Rock, owner of RockIT Group and a member of the Hospitality Financial and Technology Professionals advisory council.
“You’ve got less people trying to do more,” he said of reduced staffing levels. “… I don’t think the general maintenance is being done to the systems and the networks.”
Labor isn’t the only area experiencing cutbacks. Upgrading hardware, firewalls and software is expensive. When a hotel is struggling just to get by, those things can fall by the wayside, Rock said.
Problems might also exist if software and security applications weren’t installed correctly in the first place, he added.
Perhaps most damning, however, is the lack of understanding and commitment at the property level, said Josh Ogle, founder and CEO of TriVesta LLC and co-author of a Cornell University study titled “Hotel Network Security: A Study of the Computer Networks in U.S. Hotels.”
“What it really comes down to is most hotels just don’t have data security as a priority,” he said.
Data security should be as ingrained a part of the property’s culture as is customer service, Haley said. Only then will the hotel be delivering on its full promise of hospitality.
“It’s an absolute essential for managers in the industry to ensure that there’s a culture respecting privacy in the hotel,” he said.