Analysis of Information security in Hotel industry- UAE

To date, many effective methods have been developed to classify information security threats in different domains of organization, especially in the hospitality industry. However, myriad risks can threaten the security of information and its resources in hotels.

Hospitality systems have been investing less in maintaining high notch security for information for almost a decade and even longer. But in today’s time, the threats have significantly reached a critical point. Cyber attackers, criminals, hackers, and other malicious elements have become sophisticated in doing their jobs. Access of hackers to the latest machine learning technologies used for data management is a tremendous threat. There is no end to this problem.

Almost every nation has adopted privacy laws and regulations to keep a check on data theft issues. Countries like the USA, Canada, UAE, and more have taken serious steps to bring down the vulnerabilities by enacting security rules in hospitality business. The loss of critical data blots the organization’s name and brings along legal actions. It’s time that everyone takes privacy security as a priority and not as an obligation.

First, it is essential to know what privacy concerns are in the hospitality industry. Determining the risks and vulnerabilities beforehand is crucial. Later, it is significant to know about the privacy laws and the liabilities of every person directly or indirectly involved in the institution. Adopting hard and fast rules and regulating them can resolve some amount of risks. Joining hands with reliable third-parties is the last thing to ensure security.

Table of Content

Overview: Information Security

Information security is protecting confidential and personal data from unwanted data breaches. One in four organizations is vulnerable to data threats each day. Securing the workplace and the working environment is crucially important. It’s not surprising to know that only 25% of the consumers believe that sensitive information and personal data were responsibly handled by the companies.

Did you know that every day nearly 5 million data records are stolen globally, or in other words, 58 records per second? Data breaches can affect a company in very different ways. A data breach is an expensive affair. Firstly, it brings a lot of reputational loss, decreased market value, loss of customers, and a suspicious work environment. The other aspect that it affects severely is the financial domain. The heavy penalties for non-compliance and compensation for the loss of customer data are unbearable. Customers targeted for personal information loss can also become victims of identity theft and similar crimes.

With the advancement in technology, the possibility of theft is not confined to physical stealing but cyberattacks on the hospitality networks. Around 69% of IT security professionals believe that security risks have increased since 2017. It is assumed to rise threefold by the year 2021. The crimes of information theft are spreading, and it’s becoming challenging to protect confidential information in different parts of the world.

So what should a hospitality community/organization do to protect its precious data from breaches? Well, all the information and data must be protected effectively by guaranteed destruction and safe disposal.

Information Security in Hospitality Industry

It has not escaped our sight and minds that the hospitality industries have suffered many data breaches in recent years. Multinational corporations and many well-reputed hospitality industries have been victims of serious information theft and personal data losses.

The hospitality business is a popular target for hackers because of the precious value of data it carries. The information on guests, their financial status, payment details, invoices, other critical personal details, and more are vulnerable to theft. Personally Identifiable Information (PII) is more susceptible to such robberies.

Since most of the information held in the hotels and inns is printed on paper, their chances of getting swiped are also very high. The scope of stealing online has also risen due to online information storage. Each department in a hotel is connected internally via the internet, and the database containing information is linked. Any intrusion from a weak point can lead to heavy losses. The vulnerabilities of these areas are high-ransomware, phishing scams, point of sale, and denial of service attacks, malvertising, and third party suppliers.

The hotel managers and owners should always ensure that complete information security is enforced in their hotels. By raising the security level in data storage, collection, management, handling, and sharing, data breaches risks reduction would occur significantly.

Facts and Stats

Many hospitality industries have started to invest in technology for data management. The main reason recognized for improvement in technology in 2017 is that 52% wanted to improve digital customer engagement and 40% wished to enhance the payment and data security.

It is surprising that by 2021, the cybercrime cost across the globe is expected to be $6 Trillion, which would be double the cost in 2015 that is $3 trillion. While in 2020, the annual cost of data breaches around the world was expected to be $2.1 trillion while the average cost for one breach was $150 million.

Since digitalization is leading in every industry, the rise in data breaches is unavoidable. Around 96% of the malware used in data breaches, specifically in the hospitality and hotel industry, is based on memory scrapping or RAM scrapers, which stores unencrypted payment card information in the PoS system's memory.

Cyberattacks in the form of hacking is a common phenomenon in the hospitality industry. More than 81% of attacks are made to steal credentials from the PoS service provider and reach the PoS systems of the customers.

All data breach in a US company costs around two $225. The Cyber incidents in the hospitality industry related to denial-of-service attacks are approximately 20% of the total attacks. Nearly 90% of data breaches are in the domain affected by a Point-Of-Sale (POS) system where card transactions occur.

These are only known and small figures. There are countless unreported incidents of data theft in different industries. However, the hospitality industry reports even lesser due to the stride and reputation it possesses.

Major Security Breaches in Hospitality Industry

Hotels have fallen victim to numerous cybercrimes and physical thefts. It is certainly a piece of bad news for most of the hotels. Every tourist hopes for the best services and post-services benefits. But an event of intrusion devastates the reputation of tourists and hotels.

Recent incidents of breaches affected some of the splendid names in the industry.

Tourist data/identity theft

The data managers in the hotel industry are responsible for collecting and protecting the information of the visiting customers. Unfortunately, many hackers have raised their levels. They have become more sophisticated in using malware to steal information from the payment systems of hotels. Many Similar attacks have been reported from hotels around the world. The big names such as Hyatt Hotels Corporation, Millennium hotels and resorts, HEI Hospitality, Hilton, and many more have been affected.

In the year 2017, the largest hotel chains in the world were attacked for three months continuously. All the payment specific information was gathered by it along with cardholder names, their expiration dates, verification codes, card numbers, and other critical information. The hackers accessed credit card information from over a thousand hotels. The malware was installed on servers that processed payment information, the key weapon used by hackers.

Another incident of data breach reported in 2017 was about the involvement of a third-party hotel reservation system that enabled unauthorized access to the network of the system of 14 properties. It was similar to the previous incident where the payment card details such as- account numbers, card security codes, expiration dates, and more were accessed. The data was unsecured, not encrypted, and was available for several months. It allowed the perpetrators to steal as much as they could.

In 2017, a Ransomware attack was reported in an Austrian hotel. This cyber-attack was made on the door-locking mechanisms of the Austrian hotel that demanded $1600 bitcoins as a ransom. Finally, the hotel agreed to pay the ransom and get back to normalcy. It was the third attack in a row for that hotel. It severely affected the reputation of the hotel along with monetary losses. They regained control but after falling victims to attacks.

A chain of hotels with over 4900 properties in more than a hundred countries suffered a major data breach in 2015. The payment card details of more than 3,60,000 customers were exposed. The hotel chain had failed to maintain data security, and it also failed to comply with the Payment Card Industry Data Security Standard. The hotel management did not notify the victims about the breaches either. They waited for almost a year to issue the first breach notification.

Middle East countries like Saudi Arabia and UAE have been the victims of a data breach in the hospitality business. The latest breach was witnessed in Dubai based ride-hailing platform Careem and the other in an airline company. The data of 14 million Careem customers were stolen such as their names, email addresses, trip details, phone numbers, and more.

Globally, 56% of data breaches are through social media platforms, but in the UAE, it is more through the app-based platforms.

Risks and Vulnerabilities of Data Theft

Many possibilities could lead to a disastrous data breach incident in the hospitality industry. Some of the most vulnerable reasons are mentioned below.

1. Poor safeguard

According to research around 74% of the hotels lack proper breach protection systems. Not even 50% of the organizations use any end to end encryption systems that could protect cardholder data or any other critical information. Due to the ignorance, data theft chances are higher. The hotel management must ensure high-end security in their data controlling devices.

2. Physical vulnerabilities

The disappearance of devices containing confidential information is an old school method of the data breach. Stealing through cyberattacks and installing malware is very common these days. Another aspect of a physical threat is dysfunctional hotel architecture due to ransomware and malware installation into the network systems. Jamming the door locks, causing trouble in electrical systems, air and heat disturbances, and more are some of the physical damage risks. Keeping the alarms and technicalities up-to-date can reduce the physical threats to the hotel.

3. PoS loopholes

The most common cause of data breaches in the hospitality industry is PoS intrusions. Hijackers and attackers have several entry points due to the distribution of payment card details throughout the hotel. Many hotels have multiple PoS terminal locations. The card details of the guest are available in advance with the hotel management before their arrival. Restricting the number of terminal locations can significantly reduce the chances of intrusion into the PoS system.

4. Close connectivity

Grand hotels have several facilities within their premises. Shops, eateries, dry cleaning, spa and beauty salon, business centres, and more are available inside the hotel. Each service centre has its billing systems. The payment card data of the guest is circulated among the service providers and hence it becomes a complex and costly process. Keeping the information about the guest confidential and limiting it to one department can save you from trouble.

5. High turnover of employees

The hospitality industry is known for its excellent customer service. Hence, the employees working in this industry are the best in their work. Due to the high employee turnover rate in the hospitality industry, data security is compromised. The employee turnover among the non-management hotel employees is as high as up to 50%. Industries should invest more in the training of employees and technical software for hotel management.

6. Third-party intrusions

The hotel industry has shared private information with different similar industries. The car rental companies, retail organizations, airlines, restaurants are some of the third-party vendors. Sharing customer details with them can lead to information leakage in public and more. Around 60% of the chief information security officers are concerned about the security practices by the third parties and the vulnerabilities of the data theft. Hotel management should behave responsibly and limit their sharing with third parties.

7. Outdated devices

As hotel industries and corporations include new technology systems and software in their hotels, the older ones are disposed of just like that. There is no proper system to get rid of old and unwanted devices with confidential information. Hence, this malpractice increases the chances of risk of an attack. The appropriate and secure method should be adopted that comply with the security rules for the hotel industry.

8. Insecure mobile phones

Around 32% of the hospitality industry organizations agreed that they sacrificed Mobile security to enhance their business goals. Poor mobile security affects many departments in the hotel, like-the PoS systems, door locks, messaging systems, property management systems, and more. By introducing effective regulatory policies, the insecurities can be reduced.

These are some of the most vivid risks in the hotel industry. There may be some more unrecognized reasons for data threats. Therefore, looking into each department of a hotel and assessing it for security is very important.

Privacy Regulations

Many privacy and security laws have been enforced in the hotel industry. The hotel owners and security officers should be aware of these security laws.

The General Data Protection Regulation (GDPR)

This law was enacted by the European Union in 2018. It protects the personal data, privacy, and the rights of the European citizens living within the European Union. All the companies around the world that deal with the information with the European Union citizens are compliant with it. Failing to keep up with the regulations can cost huge penalties of 2% to 4% of the annual global turnover. Any hospitality institution in the UAE that accommodates foreign guests such as European tourists are automatically compliant with the GDPR law.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA ensures the protection and security of confidential health information of patients in hospitals. The prescription details, health status reports, financial status, bill payment details, and more are protected from intrusions.

Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA regulates the private sector organizations. This law safeguards the usage of personal information and its protection from disclosure.

Red Flags Rule

This law prevents identity theft. It requires the establishment of an identity theft prevention program that instantaneously detects any warning signs of theft in everyday operations. These warning signs are referred to as red flags.

The Fair and Accurate Credit Transactions Act (FACTA)

FACTA is a helpful act that reduces the risk of identity theft. It regulates the information management of customers in organizations.

The Payment Card Industry’s Data Security Standard (PCI DSS)

PCI DSS is an efficient rule to withhold payment card details data from any leakage. Every hospitality industry organization is compliant with this law. It ensures the financial data protection of the consumers taking services from hotels.

Gramm-Leach-Bliley Act (GLB Act)

This act is for all financial institutions like banks, transactions services, and more. It regulates the information-sharing practices between customers and service providers. It safeguards sensitive financial data from malicious users.

Which Documents to Take Care of?

The unwanted and old stacks of information files should be eliminated as soon as possible. The documents should be securely destroyed in a private environment. It is critical to get away with unnecessary information to prevent data breaches of any customer in the past.

The following files/documents should be destroyed under expert supervision instantaneously.

Tourist information files

The documents that belong to the hotel visitors and their complete details should be the first to go under the shredding machine. The travel documentation, passport details, driving licenses, credit card information, personal identification, health insurance papers, financial status, or any other personal information that should be concealed from the public must be destroyed when no longer needed. The personal details are most vulnerable to theft, and hence, they should be securely deposited in locked consoles and destroyed by experts.

Financial and accounting department

The details that are lying in the financial department of the hotels should regularly be check. The list of customers arriving, internal audit reports, payroll statements, supplier information, and similar details must be crushed after usage. Prevent these documents from falling into the wrong hands and causing trouble.

Information technology department

The security system's details and hotel infrastructure should be securely destroyed in the hotel premises. Only a few internal core hotel workers should know about the technical aspects of the hotel. Too much storage of technical information can lead to malicious internal worker intrusions. Get rid of any documented confidential data such as passwords, user names, security system technicalities, etc.

Human resources department

The employee detail with the human resource head should be destroyed when no longer needed by the hotel administration. The job application resumes, medical records, performance appraisals, health status, insurance documents, training information, and similar other personal data files should be securely removed from the hotel systems.

Executive department

The critical data about the future perspectives of the firm should not fall into the hands of perpetrators. Get rid of documents related to budgets, financial details, legal contracts, business development reports, legal contracts, and more.

Procurement

It is the most ignored and vulnerable loophole for a data breach. The corporate records, supplier purchase orders, supplier specifications, and records are susceptible to theft. Hence, the hospitality industry must take care of this sector for safe document disposal.

Best Practices to Prevent Theft

You can save your company’s reputation and name by following some of the best hospitality industry tips and practices.

Developing effective policies

The hotel industry should start assessing their departments and identify the loopholes present in them. By considering the weak points, they must update and regulate the policies. Design policies that fit appropriately with the legal compliance. The workplace should be aware of security and regularly assessed.

Information technology upgradation

The hospitality industry should invest an ample budget in establishing secure networks. Install software and tools that segregate spam emails, enhanced firewalls, full encryption, data loss prevention, and more. Regularly update and upgrade the equipment and software for full-proof security. Keep a specialized team for monitoring the hotel structure and prevent breaches by detection at the terminals.

Regularly training employees

Hotels employees having high turnover should be trained regularly about the long-term security policies. They should be made aware of the laws and regulations about data protection. Training them on using computer systems, using strong passwords for logging into security networks, detecting potential risks, and more must be done.

Complying to the laws

The hotel industry should follow the privacy policies and laws established by the state. The method of data collection, storage, utilization, and retrieval should be standardized. There should be a proper system for dealing with sensitive information.

Data sensitivity

Hotel management must conduct regular data audits to understand the information they have collected and who all have access to the data. Particular data are more at risk than the other. The payment details, credit card information, personal identity data, reward program points, confidential property information, and more come under the sensitive data category. The security team should create private networks for different operations at the hotel to prevent too much interconnection.

Responsiveness to threat

Preparedness for a bad situation is always better than having no plan at all. The frontline hotel workers should be fully prepared to respond wisely during a breach situation. By regularly training, testing, and updating the backup plan, troubles during a data breach incident can be minimized.

Clean desk policy

The accountants, data collectors, and data controllers should be aware of what data they necessarily need for conducting a smooth business. The PoS equipment should be replaced with another sensitive and updated device. Adopt secure devices and get rid of the old hard drives and electronic media with confidential information. By regularly cleaning the desks with the piles of huge files and digital data, you can reduce the risks of threats. The physical theft will no longer occur if destruction is done regularly. By outsourcing the information security to a third-party, like EndoShred, you can relax carefree.

These steps will assuredly reduce the vulnerabilities and possible risk of data breaches in the hospitality industry. The key to save from severe penalty is to regularly aware oneself and hotel workers about the security policies. Awareness and alertness are the features of a good and secure hospitality organization.

Partner with EndoShred for Information Security

We are one of the most trusted information security providers in UAE. We protect your hotel business against cyberattacks and physical intrusions by securely destroying the documents on-site in our high-speed shredding trucks.

We are available for shredding at any hotel in the UAE. Our convenient mechanism of destruction is relied upon by hundreds of organizations in Dubai and other cities.

We are totally aware of the UAE privacy policies and penalties. Our trained employees know their jobs quite well. We work in accordance with the regulatory norms ensuring privacy protection. We are here to assist you through the entire process of document disposal in a lawful way.

What do we provide?

Why choose us?

How we assist in compliance with privacy laws?

When you decide to partner with us, you take the best decision of your life. The methodology adopted by us is completely regulated according to privacy laws.

One-time Shredding Service

Endoshred’s Secure On-site Document Shredding Process

Scheduled Shredding Service