Hotel Cybersecurity

Hospitality is an industry that relies heavily on data acquisition to build a sustainable business model that can generate revenue in a market of constantly changing variables. The customer data hotels handle daily has always been incredibly sensitive, including guest and company names, phone numbers, billing addresses and emails, and credit card information.

Guests are increasingly wary of giving out such information, as there is a seemingly endless flow of news about companies mishandling or compromising client data, with hospitality providers counting themselves amongst them. Last year alone saw an attempt to breach Marriott’s Starwood property guest reservation database, which revealed evidence of a previous breach dating back as far as 2014.

While the recent attack was prevented, Starwood, which Marriott acquired, has processed some 500 million guests since the unauthorised entry into its system. There is no evidence of the data being leaked, but the fact alone that someone had gained access to this database can send chills down the spines of industry professionals and guests alike.

Tip: Marriott's Starwood Data Breach Affects 500 Million People. Here's What to Do If You're One of Them

The repercussions of customer data leaks travel far and wide and often jeopardize, for years to come, the personal and financial safety of the person whose information has been hacked as well as the business that was targeted. This is why legislators across the world have taken steps to increase the defences against cyber attacks on businesses, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

Data-safety legislation limits the way a business collects and handles customer data in order to protect customer privacy and prevent breaches of business databases. Henceforth businesses across the European Union, and as of the beginning of 2020, the USA’s state of California, are to be held responsible for meeting the requirements of the respective acts and regulations. This has driven hospitality providers to educate themselves and their staff on how guest data can be compromised. The following are some of the most common ways in which your hotel can be hacked:

Identity Theft

Hotels possess a particularly valuable trove of personal guest information which, if compromised, could be sold on the dark web and used, for example, to issue credit cards and take out loans under the name of the person who was hacked. This is a particularly troublesome hack, as the people who fall victim to it often have difficulty proving to different institutions that their identity has been stolen, and even then it can take many years and multiple lengthy legal suits to get their lives back on track.

Prevention Tactic:

  • Use updated property management software which meets GDPR and CCPA regulations.
  • Provide staff with proper security training.


Phishing is one of the most prolific risks to your establishment’s cybersecurity. It relies on your staff’s willingness to comply with all requests, which is exploited by sending out a false link to a source that requires some form of personal verification.

It is quite easy for someone to take hold of the e-mail account information of a member of your staff and then proceed to send out similar false links to guests, gaining access to their credit card info or straight up asking them to make transactions by assuming the identity of your staff members.

Prevention Tactic:

Provide staff with an updated security protocol and training. Make certain that they:

  • Use only secure links to share information.
  • Double-check the email address from which they’ve received the link, as hackers often impersonate vendors or banks in order to come across as a legitimate and safe source.
  • Use multiple channels of communication for distributing personal information. If a staff member receives an email from someone posing as a manager of a different establishment of your hotel chain, requesting some sensitive guest data, your staff can confirm and send the data using a different channel such as MS Teams, Skype and so on.
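
One way to automate the sender check from the list above, as an added example (not part of the original article or any Clock Software product): it flags From addresses whose domain imitates a trusted one. The allowlist, the `.test` domains and the function names are assumptions constructed for illustration.

```python
import unicodedata
from email.utils import parseaddr

# Constructed allowlist (assumption): domains the hotel really corresponds with.
TRUSTED_DOMAINS = {"examplehotel.test", "examplebank.test", "pms-vendor.test"}

# Digits commonly swapped in for letters to imitate a trusted domain.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def skeleton(domain: str) -> str:
    """Comparison form: lowercase, accents stripped, look-alike digits mapped, 'rn' -> 'm'."""
    text = unicodedata.normalize("NFKD", domain.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return text.translate(CONFUSABLES).replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike:<imitated domain>' or 'unknown' for a From header."""
    _, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    if not domain:
        return "unknown"
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    # Not an exact match: see whether it sits within one edit of a trusted domain.
    for trusted in sorted(TRUSTED_DOMAINS):
        if edit_distance(skeleton(domain), skeleton(trusted)) <= 1:
            return f"lookalike:{trusted}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers.
    for header in ('"Front Desk" <frontdesk@examplehotel.test>',
                   "Billing <billing@examp1ebank.test>",
                   "it@exarnplehotel.test"):
        print(header, "->", classify_sender(header))
```

A `lookalike` result should be treated as a probable impersonation, and an `unknown` result still calls for confirmation over a second channel before any guest data is shared.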


Free-access Wi-Fi networks are the most common threat aimed directly at the guest. Often when a guest arrives at your establishment they will attempt to connect to your Wi-Fi network, and in a lot of cases they might find multiple options all bearing your establishment's name.

Prevention Tactic:

  • Use a VLAN in order to make access to in-house software networks harder to hack.
  • Make certain that staff emphasize that guests should only attempt to log into the designated Wi-Fi network.
  • Encourage guests to use a VPN when dealing with sensitive information.

How do I know if my hotel has been compromised?

Data security audits should be part and parcel of your hotel’s routine. Audits allow you to get a closer look at how your data is stored, who has access to it and how it is handled. They further create a tangible sense of responsibility in your staff. Following data safety procedure might not seem like such a big deal until audits become a regular occurrence.

This close scrutiny of your own software and procedures would also make you more aware of possible weaknesses, allowing you to prevent a breach by simply eliminating the potential threat, be it compromised software or a vendor who refuses to comply with safety protocols.


In the case of the Marriott hack, half a billion people’s information was compromised, and that is not something to be buried or overlooked. As soon as company officials had the necessary information about the unauthorized entry into their system, they came out with a statement in hopes of preventing some of the possible fallout for both the guests and their brand.

When it comes to a data breach, a business’s best call is to be transparent and cooperate with both the authorities and the guests whose information it concerns. It can seem tempting to simply cover it up or pretend it didn't happen, as the information breach happened some 5 years ago. But the potential risk of this coming out could undermine the brand, open up the possibility of class action lawsuits and do irreparable damage to Marriott’s stock market value.

Transparency plays a huge part in hotel cybersecurity. By being open about the risks with your guests (encouraging the use of VPNs and of credit cards instead of debit cards) as well as making sure that your staff do their due diligence when handling guest data, you can reassure your guests that you are committed to treating their information with the sensitivity it deserves.

About Clock Software

Clock Software is a global provider of cloud-based property management systems (PMS), integrated online distribution, online & kiosk hotel self check-in solutions and mobile & in-room guest engagement systems with customers in more than 65 countries.