InterContinental Hotels Group (IHG), the parent company for more than 5,000 hotels worldwide including Holiday Inn, recently acknowledged that a credit card data breach impacted at least 1,200 of its properties, compromising the financial and personal data of an untold number of guests. Unfortunately, IHG is not alone. The hospitality industry is quickly growing as a favored target of hackers and cybercriminals. In fact, according to the 2016 Trustwave Global Security Report, hospitality is the vertical industry with the second-highest number of data breaches, behind only the retail industry. Many of the hospitality industry’s most prominent names have become victims of data breaches that exposed customers’ payment card information, including Kimpton Hotels & Restaurants, Starwood Hotels & Resorts Worldwide (now part of Marriott International), Hyatt Hotels Corporation, Hilton, Trump Hotels (twice), Mandarin Oriental Hotel Group and White Lodging Services (twice).
Hotels are high-value targets for cybercriminals because they hold not only guests’ payment card information but also a wealth of other sensitive personal data that can be used to steal their identities. In the past, attacks targeting the hospitality industry typically involved compromising point-of-sale systems to steal the payment card data encoded in the card’s magnetic stripe. Cybercriminals would then write the stolen data onto counterfeit cards and use them at physical locations to buy goods that could easily be sold for cash. However, with more countries migrating to chip cards and EMV-compliant POS systems, attackers have shifted their focus to card-not-present fraud and are targeting industries where consumers make their payments and reservations over the phone—such as hotel contact centers.
The fallout from a widespread data breach that compromises guests’ payment card data or personally identifiable information can be disastrous for a hotel chain. The average cost of a data breach in 2016 was $4 million. This figure encompasses everything from breach mitigation to crisis team management costs, business losses and even the more intangible consequences: damage to brand reputation. Given that several states, including California, Massachusetts, Washington and Oregon, require businesses to publicly disclose when they’ve had a data breach that affects a certain number of residents, there is often no way for a breached business to hide from the public eye—which can be disastrous for a hotel chain’s image.
Upcoming data security legislation is sure to further complicate the matter. The European Union’s General Data Protection Regulation (GDPR) affects not just companies in Europe, but any business that holds or processes sensitive data belonging to EU citizens. Even hotels based in the U.S. or other regions must comply with the GDPR or risk fines of up to 4 percent of their annual global revenue, or €20m (whichever is greater). They may also be subject to class action lawsuits brought against them by EU citizens. The new regulation goes into effect in May 2018, creating an added impetus for hoteliers to strengthen their data security processes before that date.
Creating a “Five Star” Security Culture
Hotels are obligated to maintain the physical security of guests and their belongings during their stay—if guests don’t feel safe staying in their room or leaving their belongings there, they won’t continue to patronize that hotel brand. The same thinking applies to data security: if guests aren’t convinced that the hotel is keeping their personal and financial data secure, they will take their business elsewhere. To protect their brand reputation and their business, hotels need to create a culture of security throughout the entire organization, one that focuses on protecting guests’ digital property in addition to their physical property. One of the best places to start is the contact center.
In an era of increasing cyberattacks, hotels can make themselves less of a target by adopting technology that keeps payment card data and other personally identifiable information secure and segregated from the contact center. With such an approach, customers calling to make a reservation or order additional services discreetly type their card numbers into the telephone keypad rather than reading them out loud to the agent on the line. The keypad tones are intercepted and the digits are routed directly to the payment gateway or another secure server, so the card number is never heard or seen by the agent and is never held in the contact center infrastructure, including call recordings. This ensures that there is no possible spillover of the data into unsecured or unmonitored areas of the business. It also reduces the number of individuals with access to the sensitive data and makes the hotel contact center a less attractive target for cybercriminals. As an added benefit, this approach makes it easier for the hotel to comply with the Payment Card Industry Data Security Standard (PCI DSS) by reducing the scope of compliance. By keeping payment card data out of the contact center, hotels can significantly reduce the high costs and extensive time associated with maintaining PCI DSS compliance.
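The keypad-entry flow described above, as an added simulation that is not code from the article or from Semafone: speech events reach the agent’s view, DTMF digits are diverted to a stand-in payment gateway (an assumed stub, not a real API), and the agent only ever receives a masked card number and a token. The call events and the Visa test number are constructed sample input.

```python
import secrets
from dataclasses import dataclass, field

def luhn_ok(pan: str) -> bool:
    """Luhn check so a mistyped keypad entry is rejected before reaching the gateway."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def gateway_tokenize(pan: str) -> str:
    """Stand-in for the payment gateway (an assumption, not a real API):
    the PAN stays in the gateway's vault; only an opaque token comes back."""
    return "tok_" + secrets.token_hex(8)

@dataclass
class AgentView:
    """Everything the agent desktop is allowed to see for this call."""
    transcript: list = field(default_factory=list)
    masked_pan: str = ""
    token: str = ""

def handle_call(events) -> AgentView:
    """Route call events: speech goes to the agent, DTMF digits are diverted."""
    view, digits = AgentView(), []
    for kind, payload in events:
        if kind == "speech":
            view.transcript.append(payload)
        elif kind == "dtmf" and payload == "#":   # '#' ends card entry
            pan, digits = "".join(digits), []
            if not luhn_ok(pan):
                raise ValueError("keypad entry failed Luhn check; ask caller to retry")
            view.token = gateway_tokenize(pan)
            view.masked_pan = "*" * (len(pan) - 4) + pan[-4:]   # last four only
        elif kind == "dtmf":
            digits.append(payload)   # suppressed: never written to the agent view

    return view

# Constructed sample call; 4111 1111 1111 1111 is the common Visa test number.
SAMPLE_CALL = [("speech", "I'd like to book two nights in June."),
               ("speech", "Please enter your card number, then press #.")]
SAMPLE_CALL += [("dtmf", d) for d in "4111111111111111#"]
SAMPLE_CALL += [("speech", "Thanks, the booking is confirmed.")]

def demo() -> AgentView:
    return handle_call(SAMPLE_CALL)
```

In a production deployment the same interception happens on the telephony path, so the digits are also absent from call recordings, which is what takes the recording platform out of PCI DSS scope.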
Drawing from my own real-life experience, I was personally affected by a data breach at the Kimpton Hotels chain, which resulted in my credit card data being fraudulently used to purchase more than $1,000 worth of goods at Macy’s. From a customer’s point of view, I felt Kimpton handled the matter properly and professionally and made the best of a difficult situation. They wrote a suitable letter of explanation with an apology and an assurance that they had taken the appropriate measures to improve data security. That straightforward and honest approach, though, may have had less to do with guest relations and more to do with the fact that in Massachusetts, where this breach occurred, companies can be fined up to $5,000 per record if they do not report and handle the breach correctly. Even so, this data breach was likely costly for the hotel chain. I suspect that all chargebacks, fines and fees related to fraudulent purchases that were a result of this breach ultimately made their way back to Kimpton’s bottom line.
With stronger security practices for handling guests’ sensitive data, the hotel industry as a whole can transform itself from one of the most likely targets for data breaches into a model for data security, ensuring that fewer customers ever have to go through the experience I did of being the victim of a data breach. Guests can sleep peacefully knowing that their data is secure, and the hotel can rest assured that its name won’t be making headlines as the victim of a costly data breach.
Tim Critchley has been the CEO of Semafone for more than six years and has led the company from a UK start-up to an international business that spans five continents. He has helped secure Series A and Series B rounds of funding from various investor groups including the BGF and Octopus. Under his leadership, the company has secured global partnerships and won clients that span a range of industry sectors, including major brands such as Aviva Canada, BT, Rogers Communications and Sky. Prior to joining Semafone, he was COO at KnowledgePool Group, the UK’s leading provider of managed learning services, where he helped complete a successful turnaround in three years. Critchley graduated from the London School of Economics and has an MBA from Manchester Business School.