How strong is your vendor’s data security?
How strong is your vendor’s data security?
14 JUNE 2019 7:14 AM

A subcontractor for U.S. Customs & Border Protection got hit with a data breach. Hoteliers, how much do you trust your vendors?

Warning: What you’re about to read will sound overfamiliar, but that’s because these things keep happening. And everyone should pay attention and learn from these situations.

Have you heard about the subcontractor for U.S. Customs & Border Protection getting hit by a cyberattack? Did you hear that images of travelers and their license plates that the agency collected were exposed during the attack? That the images were exposed because the subcontractor transferred copies of these images to its own network in violation of government policies?

Why should this matter to you? Well, after reading about how a company royally screwed up its agreement with a government agency, how confident do you feel with any of your third-party vendors handling your company’s sensitive data?

The areas of concern are two-fold. The first is, how close to the letter are your vendors following the wording on data security in your contracts? The second is, how good is that vendor’s own security?

You cannot reassess either of those things without talking with your vendors. Have them walk you or your in-house IT team through their security policies and practices. Speak with IT security consultants on what are the latest and best practices and use that information to see if your vendors are using those practices or at least are in the process of implementing them. Consider hiring a third-party company to probe and test their security (make sure you include your vendor in this conversation, should you decide to do it).

Aside from watching what your vendor does on a day-to-day basis, hoteliers don’t exactly have a whole bunch of options available to them to make sure their vendors are handling sensitive data the way they agreed to in a contract. That’s going to require a great deal of trust, which means hoteliers should have already vetted them.

There’s a lot on the line here. Protecting guests’ and employees’ personal information are two of the most important things hotel companies should do. Someone having their identity stolen, faces, at best, temporary financial problems and, at worst, years and years of struggle to fix what went wrong.

The legal requirements for a company after a data breach aren’t a walk in the park. There are notification requirements, insurance issues, potential fines, civil claims—the list can go on and on. This costs money, time and a great deal of energy to clean up.

I imagine you’ve heard all of this before (and probably a good deal of it from me too often), but that doesn’t make any of this less important. These data breaches are happening so often now, the reaction isn’t shock or anger but exhaustion, and that can lead to a kind of acceptance, to giving up. The saying about data breaches is that it isn’t a matter of if but when you’ll get hit. While that might be true, that doesn’t mean you shouldn’t do everything you can to push back that when as much as possible.

So go bug your vendors. Make sure they’re doing everything they’re supposed to, so that you can do everything you’re supposed to: serving your guests.

What do you think is going to be the next big data breach? Another government agency subcontractor? Facebook? All the big hotel companies in a massive coordinated attack? Let me know in the comments below or reach out to me at or @HNN_Bryan.

The opinions expressed in this blog do not necessarily reflect the opinions of Hotel News Now or its parent company, STR and its affiliated companies. Bloggers published on this site are given the freedom to express views that may be controversial, but our goal is to provoke thought and constructive discussion within our reader community. Please feel free to comment or contact an editor with any questions or concerns.

1 Comment

  • jtimothy June 14, 2019 9:55 AM Reply

    Third-party risk (which includes vendors) is the second biggest cyber risk behind email.

    Bryan, you're right on point with "it's a matter of if not when" a cyber attack will happen. It feels like we are outnumbered and at a disadvantage. That is exactly what the bad actors want you to feel.

    However, companies can win the cyber battle.

    Don't give up.

Comments that include blatant advertisements or links to products or company websites will be removed to avoid instances of spam. Also, comments that include profanity, lewdness, personal attacks, solicitations or advertising, or other similarly inappropriate or offensive comments or material will be removed from the site. You are fully responsible for the content you post. The opinions expressed in comments do not necessarily reflect the opinions of Hotel News Now or its parent company, STR and its affiliated companies. Please report any violations to our editorial staff.