Daily Mirror - Print Edition

Hospitality industry cyber-crime risks

09 Oct 2013

If you lose your hotel key or key card, most hotels are reluctant to hand you a new one without some proof of who you are. If you called to find out which room your sister is staying in, no hotel should disclose this either, even if you are family.

These rules are part of a hotel’s “privacy policy”, put in place to protect the personal information of its guests. The guidelines address how a hotel handles guests’ information at the property and online.

Although there are standard privacy protocols for hotels, a review of many hotels reveals that these are optional, with details varying from one hotel to the next. Of particular concern were the many hotels in Sri Lanka, including the larger local brands, that appeared not to have any privacy policy or, even if they did, failed to make it public. Seriously, the privacy and security of the guests’ personal information has to be treated by all hotels as important. Pause a moment and consider the kind of personal information we trustingly and voluntarily divulge to hotels whenever we make a room reservation or fill up a registration card at check-in.

Can one avoid providing personal information to hotels?
The kind of personal information hotels collect enables them to process hotel bookings and will include, at the very least, your name, your telephone number, your credit card number and expiration date, and your email address. Additionally, at check-in and during the ‘registration’ process, you will be required to provide your residential or business address, passport or identity card number, date of birth, gender, nationality, purpose of visit and mode of payment.

If you are travelling with family or a companion, their names too need to be disclosed. Registration serves a multitude of purposes. It fulfills the legal requirements for the hotel to keep accurate records of its guests. It confirms guests’ acceptance of the hotel’s terms and conditions. It provides management information, e.g. how many reservations translated to ‘arrivals’ and who did not show up, occupancy statistics, and the national origin of guests (which helps establish which countries the majority of the hotel’s guests come from). It provides a record of daily arrivals (as opposed to reservations), which may help to account for resident guests in the event of a fire or other disaster. Throughout your stay this information may be accessed to make changes to your preferences, or to authorize your credit card for additional days added to your stay. If you lose a key, the front desk agent will verify or require identification before handing over a duplicate key.

Many hotels collect facts beyond this, storing information about past questions or comments you have made, your preferences and dislikes, and the number of visits and ‘spend’ during your hotel stay/s for frequent flyer or hotel programs. One can therefore understand that there is no other option but to provide hotels with personal information about ourselves whenever we want to book and stay in a hotel room.

Criminal hackers’ target
Criminal hackers gravitate to some hotels because, like retail stores and restaurants, hotels do many credit card transactions at a local level, where centralized and highly sophisticated data security safeguards may be lacking.

In its 2013 Global Security Report, Trustwave, a data security management firm, says that the top three industries targeted for data breach attacks in 2012, measured by the number of its investigations, were retailing (45 percent), food and beverage (24 percent) and hotels (9 percent). The hospitality industry shares many of the same vulnerabilities as the retail industry: accepting and storing cardholder information, and holding volumes of personal information collected through loyalty and rewards programmes. Yet it lags in the adoption of data security practices, which makes it an attractive target for cybercriminals.

Hotels spend millions convincing travellers to stay with them, but are the underlying systems and processes worthy of a guest’s trust? It is widely known that hackers are now turning their attention to the hospitality industry in a big way. The term ‘hacker’ was first used to describe a programmer or someone who hacked out computer code. Later, the term evolved to mean an individual who had an advanced understanding of computers, networking, programming, or hardware, but did not have any malicious intent. Today, a malicious hacker is usually referred to as a black hat or criminal hacker, which describes any individual who illegally breaks into computer systems to damage or steal information. Hackers are highly sophisticated and targeted in their attacks. They discover what works and repeat it over and over, especially with ‘low hanging fruit’. Lately that fruit has been hotels, resorts and restaurants, for the simple reason that they are relatively easy targets.

Guardians of sensitive data
Over 90 percent of the data breach attacks in the hotel and restaurant industry involved credit card numbers. Last year, for example, the US Federal Trade Commission sued Wyndham Worldwide, the hotel chain, for what it said was inadequate safeguarding of credit card information that led to three data breaches at hotels in under two years, with “millions of dollars in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to an Internet domain address registered in Russia”. The manner in which hotels do business provides ample opportunity for hackers to steal credit card numbers and other confidential guest information. Consider the number of payment channels adopted by hotels – web, telephone, in person and by mail.

To further complicate matters, hoteliers need to store cardholder data at the point of purchase for days, for reasons that range from holding reservations to guests’ convenience, loyalty programmes and chargebacks – to name a few examples. Compare this practice to the retail industry, where credit card data is typically held at the point of sale only for the duration of the transaction. Hotels also claim that the purpose of storing most of this data is to improve your stay by customizing services to fit your preferences. Unfortunately, a great many hotels, despite having the resources and investing in costly technology, simply fail to do exactly that. I am aware of a traveller who, despite staying regularly at the same five star hotel, has to repeatedly request his favourite quiet corner room each and every time he makes a room reservation.

Credit card skimming

In the US and in most countries, including Sri Lanka, credit cards use magnetic stripes that are more vulnerable to hacking than the electronic chips embedded in credit cards in Europe and elsewhere. Chip cards also require entry of a PIN. Until these so-called chip-and-PIN cards are headed our way, the threat is constant, and the hotel industry needs to immediately take significant strides towards improving credit card security.

When eating at restaurants, ask to pay at the terminal instead of giving your credit card to a server for processing, because there is a technique to defraud you of your money that is more anonymous, sophisticated, and dangerous, and all it takes is a device that can easily be purchased online. This type of fraud is known as card skimming, and it involves swiping your debit or credit card through a card reader that has been illegitimately set up to record information from your card’s magnetic stripe.

After your information has been recorded, it is usually then sold to other scammers on the black market or converted into a counterfeit card and used to make fraudulent purchases. Because it is difficult to know when your card has been skimmed, you may not find out unless you review your financial statements regularly.

Skimming at restaurants also happens frequently, especially since customers often leave their credit card for the server to pick up, process, and return a few minutes later. In these cases, a portable card reader is perfect because it is small enough to fit in the server’s pocket or apron. A server may not even need a portable skimming device: your credit card information can easily be written down or copied from a receipt. It is imperative therefore for travellers to ask the hotel to provide details of its ‘Guest Privacy Policy’, to be reassured about what steps the hotel takes to protect the security, integrity and privacy of the personal information submitted by guests. Remember, no data transmission over the internet can be guaranteed to be free of any risk; however, hotels that do not have a robust privacy policy can truly be the hacker’s ‘open sesame’.

Shafeek Wahab has an extensive background in Hospitality Management spanning over 30 years. He has held key managerial responsibilities in internationally renowned hotel chains, both locally and abroad, including his last held position as Head of Branding for a leading Hotel Group in Sri Lanka. Now focusing on corporate education, training, consulting and coaching he can be contacted on [email protected].