What hoteliers need to know about protecting guest data

As the line between hotel operations and hotel technology grows ever blurrier, tech suppliers are looking to assuage any fears their hospitality clients may have about the security of guest data. These concerns are well-founded: A number of hotel companies have had to pay millions in breach-related expenses in recent years.

With everything from property-management systems to reservation systems to in-room entertainment requiring guests to share personal information, hoteliers have to ask their tech partners what kind of security is available—and be sure they’re using the systems correctly. 

Cloud-Based Security

SJ Sawhney, co-founder of Canary Technologies, said his company’s digital authorization service helps hotels transition from what used to be a paper-based mechanism for collecting credit card information to one that is both cloud-based and secure. The platform, he said, “helps with making sure that data is regulated and there is a log history of who has access to what.” 

Traditionally, guest data remained on-location at a hotel, Sawhney said, whether that was papers with credit card numbers written down or data that was stored on an internal server. “While there's an attraction of keeping data at the location, physical security is quite expensive and prohibitive,” he said. “Physical security literally means if the data is on-premises, there's a server room with a key and a lock. Literally, you’ve got to guard that room.” Moving data to the cloud, meanwhile, lets software and encryption systems manage the security concerns.

Canary’s digital authorization system requires multifactor authentication to minimize improper access to data. Keeping the information on the cloud, Sawhney said, also keeps it safe from anyone trying to access it from an unapproved network and can let management know about suspicious login attempts. 


Virdee cofounder Nadav Cornberg said the main way his company, which provides digital front desks for branded and independent hotels, keeps guest information secure is through tokenization. Tokenizing, he explained, makes sure that a sensitive piece of data like a credit card number can only be recognized by a specific vendor, and in anyone else’s hands is unreadable and meaningless. “So if you lose that token, you can't really do anything with it,” he said. “It doesn't really have any true value besides representing that sensitive data that lives in a secure place.” Virdee partners with third parties that are certified for that level of data, Cornberg added. “The data doesn't really live in multiple places. There's not a concern about multiple vectors of attack.” 

Tokenization also makes sensitive data available to a hotel’s system (and employees) for a limited number of seconds. The data can be transferred into the next phase of the system, and when the page is refreshed, the crucial information is gone. “Nothing can be used again,” Cornberg said, noting that even the URL for the webpage is only relevant for 15 seconds. “So if somebody accidentally gets a hold of that URL a minute from now, they can't do anything with it,” he said. And if a hotel’s system is breached, the tokens can be invalidated.

Guest Services

Another chief security concern is from guest-facing services like in-room entertainment systems, Wi-Fi platforms and the growing market for voice-activated in-room assistants. Tammy Estes, chief product officer at Nomadix, said guest interactions with these systems should be anonymized whenever possible, and any information should be wiped as soon as a guest has checked out of the hotel. The voice-activated Angie platform, for example, does not save any recordings of guest requests. 

When selecting technology to aid in operations, hoteliers should ask who will own the data, Estes said. “Does the property own the data? Does the brand own the data? Is it owned by a larger, higher-level provider?” (When Nomadix works with partners, she said, either the property or the brand owns whatever data is exchanged. The tech company itself does not.)  

To keep guest data secure when guests are connecting to a hotel’s Wi-Fi network, Estes recommends Passpoint, which installs security certificates on individual devices. “And then when you connect to the Wi-Fi networks, the entire connection from your device all the way out into the internet is fully encrypted,” she said. Hotel companies can incorporate Passpoint into their apps so that mobile Wi-Fi connections are secure, and front-desk agents can encourage guests to download the platform onto their computers as soon as they connect to the property’s Wi-Fi. 

Estes added that her company considers security as it develops each product. “It's so much easier to design for security than to add security back in,” she said.