The hospitality industry has been in the news frequently over the past year as a result of multiple and significant data security incidents. Nationally recognized hotel and resort brands continue to suffer by cyber-attacks, including theft of payment card data from their retail and food/beverage outlets, and at times theft of guest data from reservations and management computer systems, and nationally recognized restaurant have also been subject to similar cyber-attacks to their point of sale systems. In addition, less sophisticated data incidents regularly occur through theft or loss of mobile data and paper data. Recent notable breaches in the industry have affected the following companies in multiple locations:
Why is the hospitality industry such a frequent target? What makes this industry uniquely vulnerable to information threats? This article will examine those questions and suggest certain measures that hotel and restaurant companies can employ to try to mitigate the risks to information that they own or possess.
Multiple Parties Are Involved In The Equation
Hotel companies and many restaurant companies face unusual problems when it comes to cyber security and vulnerability to data theft/loss due to traditional ownership/management/franchise structures as well as the way hotels and restaurants tend to operate.
For branded hotels (and many branded restaurants) there are typically at least three parties are involved in a functioning hotel business: the franchisor or “brand,” the owner (or owners’ group) and the operator a/k/a the management company. Each of those entities plays a particular role in the function of the hotel as a business, and each may have its own computer systems or stored information:
Franchisor
- Owns the “flag” of the brand and in exchange for use of its marks and marketing services, can impose its own standards for hotel features, including the process for booking rooms;
- Typically mandates that the owner install a particular hardware/software suite to handle the reservations functions;
- Maintains ownership and control of that system through contractual means; and
- Typically claims ownership of guest data that is input into the reservations system by hotel employees or others.
Owner
- Typically not the brand; could be individuals, investor groups or major asset holding companies, including investment funds, insurance companies, banks;
- May have varying degrees of involvement in operational issues that include guest or employee data; and
- May own separate “point of sale” payment card systems for food/beverage/retail outlets situated within the hotel; and
Operator
- If independent from Owner, will usually have a management agreement with the Owner that establishes an agency relationship with Owner for purposes of all day-to-day hotel operations;
- Third party operators are usually the formal employers of hotel personnel and maintain all employee data (including Social Security Numbers);
- May collect guest data prior to inputting same into the reservations and management system owned by the franchisor, if the hotel is branded; and
- May obtain and maintain payment card information associated with group bookings.
Sometimes the complex relationship between franchisors, owners and operators requires that information be shared, or that separate computer systems be tied to each other. For example, as indicated above, major hotel brands require all of their franchised hotels to utilize the brand’s reservations and management computer system when booking or checking in all guests. Thus, hotel owners and operators are forced to have their own on-site personnel utilize the computer system of another company when transacting business with guests. In addition, hotels, like restaurants and other consumer businesses, often permit interfacing between their own computer systems and those of third party vendors or credit card processors.
All of this means that hotel and restaurant systems are to some extent dependent upon the security measures and practices of other entities which the hotels and restaurants do not control. A classic example of this is the Wyndham Worldwide breaches which occurred 2008 and 2010, where hackers were able to penetrate Wyndham’s central reservations database through a hack of a single franchised hotel, and then use the Wyndham system’s connections to dozens of other individual franchised hotels to steal hundreds of thousands of sets of credit card data.
The Hospitality Industry Does Business By Payment Card
Credit and debit card data has long been a preferred target of data thieves. Payment by card is the mainstay of most hotels and restaurants.. Therefore, hotels and restaurants represent a tantalizing treasure chest of data for cyber criminals to try to crack open.
The Wyndham Worldwide series of data breaches, where the brand’s reservations system was the subject of the attacks, were certainly notorious in the world of hotel data incidents, but statistically most credit card data theft in hotels occurs due to malware affecting point-of-sale (“POS”) systems, rather than the brand reservations systems for guest room bookings. Of the twenty-one most high-profile hotel company data breaches that have occurred since 2010, twenty of them were a result of malware affecting point-of-sale systems in hotel restaurant, bar and retail outlets. This is also true for the recent restaurant data breaches affecting Wendy’s, Arby’s, Landry’s and Noodles & Company, which were all the result of malware affecting point-of-sale systems in several locations.
Cyber criminals, through a variety of methods, are able to infect POS systems with credit card data-scraping malware that captures personal account data at some point during the payment process. This malware is often capable of moving between connected systems and may infect groups of hotels and restaurants that are either related by common brand or by a common third party operator and may often operate for several months or even years before being detected by the operator.
Some hotel credit card compromises are not high-tech in nature. Many hotels still tend to receive faxed credit card authorization forms for company bookings or group bookings, and often the faxed paper forms, which contain credit card numbers and expiration dates, are kept in a non-secure manner, such as in binders behind the hotel front desk. These paper forms are susceptible to being lost or stolen, and while many state breach notification laws do not expressly cover loss or theft of paper data, a growing number of state laws do. For example, the data breach laws of California, Hawaii and Alaska all protect data in any form, including paper, that contains personally identifying information.
In addition to these “paper” breaches, the hotel industry is also vulnerable to identity thieves targeting guests who may be unfamiliar with the area or the hotel. The thieves use various schemes including calling hotel guests, posing as the front desk, to ask for updated credit card information or leaving fliers for pizza delivery with phone numbers directed to thieves who take down the guest’s credit card information.
Employee Turnover and Fluidity Contribute to Security Problems
In the hospitality world there tends to be a high degree of movement of employees in and out of particular locations. Hotel operators will transfer their skilled employees to other locations where they may be needed. Employees in less skilled positions tend to come and go frequently as well. Hotel or restaurant owners may decide to change third-party operating companies, and the new operator will bring in its own management-level employees to manage the location. Maintaining a consistently trained workforce can be a challenge for both the hotel industry shares with the restaurant industry.
In recent years many information security industry experts have identified a company’s employees as its most vulnerable point from a data security perspective. A fluid workforce means that it is more difficult to train employees in the secure receipt and treatment of personal information, in complying with privacy and security policies, in protecting and changing user access credentials, and in being alert for social engineering attempts. Keeping up with which employees have access to different levels of information is also challenging when there are frequent changes of personnel at particular job levels. Only certain job functions within a hotel setting require access to guest or employee personally identifying information, and hotel companies (as well as companies in other industries) are not always as careful as they should be about controlling access by job grade/description and making sure access is eliminated when an employee moves out of a particular position or is terminated.
How Can Hospitality Companies Better Prepare for and Combat Cyber Threats?
While hospitality companies have unique problems that tend to make them more vulnerable to threats of compromise and theft of personal information, there are ways that these companies can prepare for and mitigate against such risks, and there are lessons to be learned from looking at prior data security incidents. In analyzing recent breaches, it is likely that utilization of the following practices could have mitigated or prevented such incidents.
- Contractual Risk-Shifting and Secure Handling Requirements: Franchisors, owners and operators, in their dealings with each other and third parties such as vendors and contractors, can help to control the risks inherent in sharing systems or information with others. Requiring specific cyber incident indemnification, where negotiating leverage permits, is useful to protect hotel companies from the economic consequences of a breach incident caused by or contributed to by another party. In addition, contract provisions requiring compliance with minimum information security standards (e.g., compliance with Payment Card Industry Data Security Standards a/k/a “PCI-DSS”) or mandating third party compliance with a hotel company’s own security policies can reduce the risk
of cyber incidents. - Employee Policy Enforcement and Training: Despite the fluidity of management and staff employees that is attendant to operating a hotel or restaurant, operators can and should consistently update their employee policies on data security and rigorously train employees who have access to data or systems. Where employees do not require access to personal information to perform their job functions, that access should be terminated. Policies concerning use of mobile devices, external information storage devices and internet usage should be enforced. In addition, to protect against identity thieves, employees should be trained on how to advise guests on potential risks and how to identify suspicious behavior and when to report suspected identity theft or data breaches.
- Guard Guest and Customer Card Data: Considering that POS malware attacks are a very common type of cyber incident affecting hotels and restaurants, operators and owners should take extra care in selecting their POS system vendors and credit card processors. Agreements with those entities should be vetted and, if possible, modified to add protection and minimum data handling standards for the outside vendor. Compliance with PCI-DSS not only helps to ensure that data security software, hardware and practices are safer, but also helps to protect against fines and penalties which may be levied against hotels by the credit card industry for noncompliance with PCI-DSS when a breach occurs.
Authors
Sandy Brian Garfinkel Mr. Garfinkel is a member with the law firm of Eckert Seamans Cherin & Mellott, LLC. He maintains a busy and diverse business litigation practice with a particular emphasis in the hospitality industry. As part of his work in the hospitality world he regularly assists hotel management and ownership companies in preparing for and responding to breaches of data security. He is also the founder and chair of the firm’s Data Security & Privacy Practice Group.Mr. Garfinkel can be reached at 412.566.6868 or at sgarfinkel@eckertseamans.com.
Malgorzata “Gosia” Kosturek Ms. Kosturek focuses her practice on hospitality law and general corporate law. She assists clients in numerous types of corporate transactions, including acquisitions, mergers, and financings, primarily in the hospitality industry. She is also a member of the firm’s Data Security & Privacy Practice Group. Ms. Kosturek can be reached at 412.566.6180 or at gkosturek@eckertseamans.com.