A leading daily reported in February last year that cyber criminals hacked into the computer network of a New Delhi-based international five-star hotel chain and stole some “loyalty points.” Even the Hyatt Hotels in India were hit by malware found on its customer payments system. In India, 20 of its hotels, 90% of its portfolio in the country, had been affected. This and many more such cases acted as a wake-up call, and all major Indian and global hotel chains scampered to conduct cyber audits to analyse and study weak spots in their information technology systems.
Recently, India was also listed among the top five in the world to be attacked by ransomware, malware that forces its victims to pay a ransom through certain online payment methods to regain their data, as reported by Moscow-based Kaspersky Lab.
With increased 4G and 3G penetration, the internet user-base in India is expected to double to 600 million users by 2020 from the current 343 million, so the threat will only grow. ASSOCHAM and E&Y also revealed that mobile frauds are expected to grow to 60-65% in the country by 2017.
Pavan Duggal, India’s leading cyber law expert, lamented that Indian cyber law does not have adequate provisions to deal with the growing cyber threats. He added, “The Information Technology Act, 2000, amended in 2008, still does not comprehensively deal with all relevant issues in the cyber security ecosystem. India not being a signatory to any international treaty on cyber crime complicates the intrinsic ability of the immense law and legal frameworks to provide effective remedies against cyber crimes which are committed from abroad.”
- Indians are far ahead of global peers in sharing sensitive information using public Wi-Fi, which can lead to cyber risks
- A majority of Indians (54%) are not willing to leave their smartphone at home while on vacation, and in fact 69% claim to have felt a sense of anxiety over being unplugged
- 31% of Indians who travel access or share sensitive information while using public Wi-Fi, which is the highest among the 14 countries surveyed
- Indians lead their global counterparts in willingly sharing personal information such as credit card number or log in name/password. More than one out of three Indians (36%) shared their personal data even when they realise that this will make them vulnerable, which is highest amongst the 14 countries surveyed
- 37% of Indians could not last a day on vacation without checking social media. This is second only to Japan (45%) when compared globally
Similar to other industries in today’s hyper-connected world, the hospitality sector is not untouched by data security and cyber breaches. This industry is exposed to enormous amounts of private data from customers as part of its daily operations, from personal to banking and financial details.
Hotels are now expected to provide Wi-Fi network access for their guests. Further, there is increasing adoption of “smart systems” within hotels, like controlling guest room access, heating, cooling and even the lighting of guest rooms, ordering room service and other hotel services (including ones often provided by third-party operators such as massage and spa treatments), and even ordering drinks in the bars. These “smart” hotel services run the risk of following the “Internet of Things” (of which they are really just a part), placing functionality above everything else.
Nick FitzGerald, Senior Research Fellow, ESET commented, “Hotels also usually have a web presence that provides an online booking function, and running that service securely and with strict adherence to good privacy practices is clearly of the utmost importance. Further, Point-of-Sales (PoS) systems are widely used throughout hotel bars, restaurants and so on. Malware specifically targeting PoS systems has been around for many years now and as extensive users of PoS systems, hotel operators should be well-advised to deploy strong defences against such malware.” Also, many hotels are part of large, often multi-national, brands and hence they are more likely to be specifically selected for targeted attacks due to the size of the “parent” business, he added.
Hotel chains are often targeted by hackers as they typically keep credit and debit card details on hard copy for the duration of an individual’s stay in order to cover extra expenses incurred. In a classic scenario within the hotel and tourism industry, customer card data is often stored longer than typical, to maintain consumer bookings and for miscellaneous service-related charges after guests check in. Online booking systems often get card data from various sources and third parties over the internet, creating additional possible points of compromise, highlighted Nitin Bhatnagar, Head-Business Development, SISA Information Security.
In recent data breaches, it seems that a decent portion of the breached data may have come from the restaurant or front desk of the hotel chains, as these are usually integrated with point-of-sale environments running various applications. Also, keeping Indian hotel chains in mind, to an extent they store card data on customer check-in files for future reference, a practice which is very prevalent and may be another exposure point for compromise. Most infections occur in environments which are using remote administration software with weak password policies, he points out.
Awareness levels on cyber security and data privacy were almost negligible a few years back and were acted upon only after unfortunate incidents happened. But today, levels of awareness are on the rise, not only with recent cyber and data infringements but also with positive conversations and actions in the public and government domains.
Hotels today need to focus on more than just room sales and make a more concerted effort to protect the information that their guests trust them with, stresses Prashanth G J, CEO, TechnoBind. Most hotels, including high-end luxury brands, hire third-party vendors to manage sensitive data. This data may include personal and financial information of their guests and thus it should be protected in such a way that even accessing, transferring or making copies shouldn’t be possible without authorisation. To achieve this, hotels can start with ensuring that their technology partners provide their services as per updated security regulations and standard protocols so that their organisation and their guests are protected always.
When it comes to data security breaches, all categories of accommodation, whether high-end, budget, standalone or boutique, are equally at risk from cyber and data security threats. High-end hotel brands are already gearing up to secure their operations; however, budget, standalone and boutique hotels need to up their game, asserted Prashanth.
Currently, most data protection measures in hotels are very basic, from firewalls to physical security checks and do not focus much on cyber-security. IT security solutions at hotels are still at a nascent stage, since data exchange is largely unorganised. “However, due to the recent demonetisation, hospitality organisations will need to step up their game as we are already seeing an exponential increase in digital payments, either through third-party vendor sites or direct payment portals. This will always remain a potential risk to the business and to their guests if data is not secured as it travels. Typically, hotels have always looked at IT and cyber-security as firewall investments. Lately, high-end hotel brands are looking at data security in a more holistic manner and are seen making the right investments. While they are still far away from being fully secure, the current signs are positive,” shares Amit Malhotra, Vice-President-Sales, India, Middle East & Africa, Seclore.
On the customer’s end, findings from the Intel survey indicate that 84% of Indians connect to the internet while on vacation. While doing so, they often access and share sensitive information without considering the potential cyber risks of divulging credit card details, work mails and personal information on unsecured public Wi-Fi. “There is still a need to raise awareness to adopt safe digital habits and share security measures to prevent personal information from being compromised while travelling,” stated Venkat Krishnapur, Head of R&D Operations, Intel Security’s India Development Centre.
Quick Recommendations by SISA
- Review all accounts with administrative access for password complexity
- Check your firewall logs, remote connection logs or Windows Security Event Logs for successful logins from foreign IP addresses
- Regularly check POS systems for physical tampering
- Vulnerability Assessment and Penetration Testing (VA-PT) for both Network and Application layer on a quarterly basis through recognised Information Security Companies or CERT-In Empanelled Auditors
- Ensure a Security Risk Assessment has been conducted following the ISO 27005 or OCTAVE methodology
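
One way to carry out the log check in the recommendations above, as an added example that is not from SISA or the original article. It assumes the Windows Security log has been exported to CSV with the columns shown, treats “foreign” as any source outside the networks the hotel expects (no GeoIP lookup), and uses constructed sample events, account names and address ranges.

```python
import csv
import io
import ipaddress

# Assumption: networks the hotel expects remote logins from (placeholder ranges).
EXPECTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]
# Windows logon types worth reviewing: 3 = network, 10 = remote interactive (RDP).
REMOTE_LOGON_TYPES = {"3", "10"}

# Constructed sample: a Security log export reduced to five columns.
SAMPLE_EXPORT = """TimeCreated,EventID,LogonType,TargetUserName,IpAddress
2017-01-09T02:14:11,4624,10,posadmin,203.0.113.45
2017-01-09T08:01:52,4624,10,frontdesk1,10.20.4.17
2017-01-09T08:03:10,4625,10,posadmin,198.51.100.7
2017-01-09T09:30:00,4624,2,frontdesk2,-
2017-01-09T23:47:35,4624,3,backup_svc,198.51.100.7
2017-01-10T01:05:09,4624,10,posadmin,203.0.113.45
"""

def is_expected(ip_text):
    """True when the address falls inside one of EXPECTED_NETWORKS."""
    ip = ipaddress.ip_address(ip_text)  # raises ValueError for "-" or blank
    return any(ip in net for net in EXPECTED_NETWORKS)

def unexpected_remote_logons(export_text):
    """Return successful (4624) remote logons whose source is outside EXPECTED_NETWORKS."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["EventID"] != "4624" or row["LogonType"] not in REMOTE_LOGON_TYPES:
            continue  # failed logons (4625) and local logons are out of scope here
        try:
            if is_expected(row["IpAddress"]):
                continue
        except ValueError:
            continue  # the event carries no usable source address
        findings.append(row)
    return findings

def summarize(findings):
    """Group findings by (account, source IP) so repeated access stands out."""
    counts = {}
    for f in findings:
        key = (f["TargetUserName"], f["IpAddress"])
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    for (user, ip), n in sorted(summarize(unexpected_remote_logons(SAMPLE_EXPORT)).items()):
        print(f"{user} logged on {n} time(s) from unexpected address {ip}")
```

Accounts with administrative access that appear in the output are the first ones to review for password complexity, per the first recommendation.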
IT maturity is good within the hotel industry, and the importance being given to IT, and subsequently to security, is above average in the hospitality industry, agrees Bhatnagar. The awareness level within the hospitality industry has obviously risen drastically, with hotels proactively starting several compliance initiatives to secure the card data environment by following industry best security practices and security standards.
Bhatnagar goes on to add that if hotel brands think that they are immune from cyber-attacks, then they are wrong. Companies with mature security programs can be breached. The threat landscape is increasingly dangerous and alarming. IT security models followed across have multiple layers of protection and each layer serves a purpose that is intended to safeguard sensitive business and customer data. Data-centric security is evolving rapidly and allows organisations to overcome the disconnect between IT security and the objectives of business strategy by relating security services directly to the data they discreetly protect.
Safeguarding is also significant as a data breach would have a long-term impact on brand reputation, customer trust and guest loyalty. When a hotel brand is able to demonstrate a reduced risk of data theft, more guests will trust the hotel brand. As more satisfied guests translate into more business and enhanced revenues, hotel brands should focus on protecting sensitive business data and guest credit card and payment card data, he states.
Malhotra too agrees that hospitality brands cannot afford to store sensitive data haphazardly without proper protection. When people choose to stay at a certain hotel, they trust the hotel with these personal details. In today’s disruptive marketplace, hotels can no longer depend on ‘legacy trust’ that has been built over years of being in the business. Today, it is about building new trust constantly, at every given point and channel of engagement. This is the ‘new normal’ in the world of hospitality, he outlines.