The hospitality sector now sits in the top three of industries most frequently targeted by cybercrime, according to the 2015 Trustwave Global Security Report. Half of attacks involve theft of card holder data and personally identifiable information; such data held by hotels include contact details, travel plans, birth dates, passport data and personal preferences – which can be used in many ways, ranging from fraud to extortion.

Overall, 65% of security breaches arise from point of sale systems; in the past 18 months several major hotel groups have had customers’ credit card details hacked.

In May 2016 a Government survey confirmed that nearly 7 out of 10 attacks on businesses involved viruses, spy ware or malware, and despite experiencing a breach at least once a month, only half had taken any recommended actions to identify and address vulnerabilities.  Only a third had formal written cyber security policies, and even fewer an inbuilt management plan in place.

Identifying the risks

The hospitality industry as a whole is very vulnerable to cyber attacks due to the sheer volume of credit cards used – whether at check in, in bars, restaurants or shops – if the right preventative measures are not in place. This is compounded by the fact hotels often keep credit cards on file and access them on multiple occasions during a guest’s stay – every time the card is used is a potential opportunity for cyber theft.

Other areas of potential weakness include unsecured public Wi-Fi access, loss or theft of laptops, poor training of employees around IT security and ineffective vetting of third party suppliers who have access to a hotel’s systems.

Third party attacks

Hotels need also to beware of criminals targeting sensitive data via third-party providers – eg room booking sites or car rental companies, which maintain information on travellers. Sales systems can be compromised when the systems of third party suppliers are used to place malware in the hotel’s system which can capture point of sale information before it is encrypted.

Practical steps to reduce risk

There are sound business reason for bolstering your IT security, whether to protect the bottom line from the costs incurred as a result of a security breach or maintaining brand reputation and avoiding potentially ruinous publicity. In today’s connected world, bad publicity spreads fast via social media and online forums.

 There are several steps you can take to improve the security of your IT systems:

  • Put in place a cyber risk management policy; ensure that this is part of the company’s governance framework
  • Define roles and responsibility and oversight
  • Conduct a regular risk assessment and acting on the results where vulnerabilities are highlighted
  • Provide adequate staff training and employee awareness on all relevant policies and procedures
  • Continuously monitor and, where relevant, introduce safeguards such as:
    • limiting the number of computers and devices that store sensitive information
    • ensuring the Wi-Fi network uses a secure wireless connection and an effective firewall
    • using encryption for storing, receiving and transmitting data
    • ensuring any suppliers who use your IT systems have appropriate security procedures themselves


Consider insurance cover – specific cyber insurance may be appropriate after considering the extent of coverage already provided for cyber risk under existing insurance policies. Be careful examine the exclusions or conditions that could prevent payout in the event of a claim. Make sure that you have sufficient limits to cover each of the costs and liabilities you potentially face.


For advice on cyber risk in the hospitality industry and strategies to protect your business, contact Nigel Gardner

The content of this page is a summary of the law in force at the present time and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.