The next hotel cybersecurity breach is a matter of time. Are you safe?

Instances of cybersecurity breaches are skyrocketing, and the hotel industry is in the crosshairs. One of the main reasons that hotels and hospitality businesses have been targeted is the industry’s heavy reliance on online transactions – millions of credit card payments are processed online every day.

In 2022, 83% of organisations experienced a data breach of some description, with multinational hotels forming some of the highest profile cases.


Marriott experienced its third incident in four years, when 20GB of personal data and company info was stolen. IHG experienced disruption within its booking system and a number of other internal applications as a result of hackers. And Shangri-La saw the personal data of 290,000 of its Hong Kong guests fall into the wrong hands.

Go further back in time and you find some truly infamous hotel cybersecurity breaches; the sort that even the largest corporations can find difficult to survive:

  1. Marriott International (2018): A breach that affected over 500 million guests and resulted in the exposure of personal information such as names, addresses and payment card details.
  2. Hyatt Hotels Corporation (2015): Approximately 250 hotels affected across 50 countries, with credit card data stolen from Hyatt-managed restaurants, spas, and other locations.
  3. Trump Hotels (2014): A breach that resulted in the theft of payment card data from multiple Trump Hotel locations, including New York, Las Vegas and Chicago.
  4. Starwood Hotels (2016): A breach that affected over 50 hotels and resulted in the theft of customers’ personal and payment card information.

These incidents are a reminder that all hotels should shore up their cybersecurity capabilities, especially those that process large numbers of online payments or hold sensitive customer data in their systems.


What are the threats that hotels face?

Hotels need to guard against a range of cybersecurity threats. But what exactly do these threats look like? Five of the most common (and potentially dangerous) include:

  1. Phishing attacks: Phishing attacks are fraudulent attempts to obtain sensitive information such as usernames, passwords and credit card details by impersonating a trustworthy entity – think junk emails claiming to be from Amazon or Apple that ask for account details.
  2. Ransomware attacks: Ransomware attacks are designed to infiltrate a hotel’s systems then steal or lock away important data, such as a customer’s personal or payment information. A ransom is then demanded for the return or release of that data.
  3. Malware attacks: Unlike ransomware attacks, malware simply seeks to steal, destroy or otherwise compromise confidential data, or damage a hotel’s IT systems (as happened to IHG in 2022).
  4. Wi-Fi attacks: Insecure Wi-Fi can form an unlocked gate through which a hacker can gain access to a hotel’s systems, intercept unencrypted traffic to steal information, or launch attacks on connected devices.
  5. Social engineering attacks: Social engineering attacks are comparatively rare, but often devastating, as they target people rather than computer systems – employees are bribed or deceived into giving away sensitive information (as happened to Marriott in 2022).

The good news? All of these breaches are preventable if a hotel implements the right technologies, policies and procedures, and educates employees on best practices.

What can a hotel do about cybersecurity threats?

Faced with such a broad and ever-evolving range of threats, it is critical that hotels implement appropriate security measures to protect themselves.

The security measures that you might implement will depend on the size of your hotel, the data you hold, your IT infrastructure, your internal processes and even your company culture. Effective cybersecurity measures are always bespoke, built around a hotel’s unique circumstances and needs.

Some of the most effective strategies to prevent cybersecurity threats include:

  1. Investing in employee training: This is perhaps the best investment you can make in cybersecurity. By training your employees on the most secure ways to work, and how to identify and report potential cybersecurity threats, you can either prevent breaches or catch them before they become bigger issues.
  2. Upgrading network security: There is a wealth of cybersecurity shields that a hotel can use to protect its IT systems. By implementing firewalls, antivirus software and intrusion detection systems, you can prevent or quickly identify and neutralise threats.
  3. Securing your Wi-Fi network: Your Wi-Fi network must be secure. It should feature strong encryption, and the guest-accessible network should be completely isolated from the hotel’s internal network.
  4. Regularly updating your software: The software companies that supply your digital tools are tasked with ensuring their products are protected against cybersecurity threats. They’ll regularly upgrade and patch their software in response to newly emerging threats – you simply need to ensure you’re working with the latest version by updating regularly.
  5. Implementing good data management practices: You must establish strict data protection policies and procedures both for personal customer data and confidential business data. Store it in a secure location and ensure it is always encrypted.
  6. Auditing your security: Your hotel should schedule regular security audits – ideally performed by a third party – to evaluate the effectiveness of your current security measures. These audits are the perfect way to reveal areas for improvement, as they use similar techniques to those used by attackers.

The long-term implications of cybersecurity incidents for the industry

As a former Hotel Manager, I know that some threats are more visible and more tangible than others. Workers tend to take fire training seriously because they are all aware of the damage a fire can do, and that they each have a role to play in getting guests out safely.

Cybersecurity threats are a little less visible and tangible. Many hotel workers don’t see the impact that these incidents can have on the customers or the hotel: the stolen identities, the fraudulent credit card transactions, the damage to the hotel’s reputation that makes customers hesitant to book.

But it is critical that every team member at every hotel understands just how damaging cybersecurity threats can be, and just how important their role is in stopping these incidents.

Obviously, IT departments have the most critical part to play. Strategies such as firewalls, data governance, hybrid workforces and a zero-trust approach regarding cloud services are all critical.

But cybersecurity isn’t just an issue for IT departments. All employees play a part in ensuring the hotel’s guests are kept completely safe, both in the physical and digital realms.