Why the hospitality sector is a prime target for cyber attackers

The hospitality sector is considered a prime target for cyber criminals due to the significant volume of personal and financial data organisations hold. There’s also a view the industry is not sufficiently funded to manage the more advanced cyber risks – a combination that puts the crosshairs on businesses operating in it.

This can be evidenced by the significant rise in the volume and complexity of cyber-attacks being launched against hospitality businesses over the last few years.

This includes the InterContinental Hotel Group which suffered an attack on its UK division affecting its Holiday Inn, Crown Plaza and Regent Hotel brands.

The group confirmed the attack, which could have resulted in customer data being accessed and contact information including names and addresses being compromised, but did not specify whether it was caused by ransomware or another type of software, or the source of the penetration.

Then there’s the Edwardian Hotels London Group which fell victim to a ransom attack launched by the BlackBasta ransomware group. The group breached the company’s system to access sensitive data which it posted on a dark web platform – this included bank account details and passport data.

The impact of a successful attack can be severe and covers reputation damage – which is particularly damaging for this sector – the unexpected costs of recovery, liability and more.

From the example above, it’s clear that no hospitality business is immune. These are some of the largest groups in the UK and are highly likely to have cyber security policies and protections in place. This is why all businesses in the sector need to review their approach to cyber without delay.

But what are organisations having to protect their digital assets against? The most common attack vector being used against hospitality businesses is ransomware, particularly double extortion ransomware.

This is a type of cyber-attack in which threat actors exfiltrate a victim’s sensitive data in addition to encrypting it, giving the criminal additional leverage to collect ransom payments. Typically, they would only encrypt the data.

Of course, the additional threat of exfiltration makes this attack especially dangerous for organisations in all sectors as criminals will be using it against other businesses they are launching attacks against.

Another common attack being used against hospitality businesses is an insider attack. This is particularly controversial as it sees people from within the organisation collude with a cyber gang to provide information about the systems the business has in place to increase the success of an attack.

This is why we recommend taking a risk-based approach to cyber security, allowing hospitality businesses to understand their most critical assets and the impact the loss (including financial losses) of these would have on the business.

It also identifies the attacks they are most likely to face and what they need to do to protect against them given the resources available.

For a hospitality business, the greatest risks could include customer data being stolen (via a ransomware attack) or the loss of systems preventing customers from being able to book stays or make reservations (via a DDoS attack).

It is vital to regularly undertake a cyber risk assessment, as the landscape is constantly changing with new attack vectors emerging. A great example of this is the rise of adversarial AI with threats such as voice cloning becoming increasingly common.

This could potentially see the voice of the Chief Financial Officer be recorded and then used in a targeted attack against unsuspecting employees in the finance department to make a payment to a fraudulent company that has issued a fake invoice.

It’s also important to understand that even when armed with a cyber security programme based on real business risk, not all attacks can be prevented.

This is why an organisation’s ability to respond in a structured and timely manner is increasingly important today. So ensuring that organisations undertake scenario exercises is vital so that when an attack occurs individuals in the organisation know how to respond in a manner that helps reduce any potential impact including the ability to control the narrative with customers, authorities and the media.

This is the only pragmatic way to ensure it is business as usual in the event of a successful attack.

To learn more about how we helped a family-run hotel and restaurant group review and improve its approach to cyber security, check out this case study.