Why and Where Cybercriminals Attack the Hospitality Industry

Last updated at Fri, 22 Dec 2023 15:31:27 GMT

Digital transformation has facilitated a completely new, globally connected business landscape, opening new opportunities and creating new markets. But this digital explosion has also given hackers and scammers more openings to infiltrate systems and attack organizations.

The gaming, leisure, and hospitality industry in particular has been increasingly targeted by both cybercrime and nation-state groups, and it faces a unique set of challenges compared to other industries.

Cybercriminals are using scams and fraud to target hotel databases

So, why are these threat actors focusing on hotels and other hospitality businesses? The simple answer is that they have expansive databases of customers’ personally identifiable information (PII) and numerous access points like software systems, third-party vendors, and employees who lack cybersecurity training.

Hotels are are an attractive target for threat actors because they:

• Collect and maintain databases of sensitive information, such as travel itinerary, passport details, credit card information, personal preferences, air miles, and more.
• Are spread out geographically, giving them large attack surfaces and information from all different types of individuals that may be valuable in different regions of the world.
• Offer loyalty programs, which store rewards balances and PII, that are not closely monitored by users. Many people reuse login credentials across different sites and platforms, potentially leaving themselves exposed to fraud if hackers can accurately identify their password habits.

Threat actors can leverage well-known brands to target customers with scams and fraud schemes, placing millions at risk of compromised personal data. These efforts can prove to be quite lucrative if the cybercriminals can successfully penetrate a hotel’s network and sell customers’ personal data on the dark web.
In recent years, there have been numerous high-profile data breaches in this sector as threat actors look to tap into this rich source of data.

Understanding a hotel’s attack surface and how hackers can penetrate

Every organization needs to understand its weaknesses that cybercriminals might target. These potential entry points are known as the “attack surface” and can include anything from technology systems, user credentials, social media pages, and even hotel staff.

Hotels, resorts, and casinos are prime targets for cybercriminal attacks because they have expansive attack surfaces, offering multiple entry points for threat actors looking to infiltrate their network. The sheer number and variety of different endpoints most hotels have – Wi-Fi networks, electronic door locks, HVAC control systems, alarms, IoT devices, and more – give threat actors numerous entry points to gain access.

Breaching a single regional hotel’s network gives hackers access to the whole centralized system, which can make it challenging for IT teams to ensure security with dispersed networks.

Hotel staff may lack cybersecurity awareness or are not trained adequately. Hotels also have high turnover rates, which can make training difficult.

Branded hotels tend to have franchisers, owners, and operators all directly involved in making computer system-related decisions. When they are not aligned on cybersecurity initiatives, they leave gaps in their systems that can be exploited.

Hotels rely on many third-party vendors for key services like maintenance, POS systems, and payroll. Hackers often use these third parties as entry points.

Big brand names are often subject to brand impersonations, through which hackers target customers with phishing scams and elaborate customer rewards hoaxes.

Over the past few years, threat actors have launched cyberattacks against organizations in the gaming, leisure, and hospitality industry at an alarming rate, and there have been several high-profile data breaches impacting big brands in the industry. To defend against these new attacks, hospitality organizations should take an offensive approach to ensure they are identifying new threats early and taking proactive mitigation action.

To learn more about how Rapid7 is tackling today’s expanding threat landscape and helping hospitality businesses secure both internal and external attack surfaces, visit Rapid7 + IntSights.

Additional reading:

• Cybercriminals’ Recruiting Effort Highlights Need for Proper User Access Controls
• For Health Insurance Companies, Web Apps Can Be an Open Wound
• The Big Target on Cyber Insurers' Backs
• 4 Simple Steps for an Effective Threat Intelligence Program