by Michael Shapiro | May 9, 2017

Recently, the InterContinental Hotels Group notified customers that a massive data breach had affected approximately 1,200 of its franchised hotels in the Americas region. Over the course of three months last fall — from Sept. 29, 2016 through Dec. 29, 2016 — credit cards used at the front desks of those properties might have been compromised. The card numbers, expiration dates and verification codes of those cards were made available to hackers via malware that had been installed on the hotels' systems. 

The fact that it affected so many properties is certainly noteworthy, but the breach in itself was but one in what seems like a never-ending string of cyber attacks on hotel point-of-sale systems. Over the past several years, most major hotel companies have been hit. Just last week, global distribution technology provider Sabre announced that it was investigating a breach to its Hospitality Solutions SynXis Central Reservations system. While Sabre could not divulge how many reservations might have been affected, we're not talking about point-of-sale property terminals in this case. Rather, this is a central reservation system used by more than 36,000 clients. In a statement, Sabre noted that a third-party cyber-security expert was investigating the breach, and that the security vulnerability had been found and fixed. "Until the forensic investigation by our independent experts is complete and we have made any necessary notification to our customers," Sabre director of corporate communications planning Tim Enstice told me, "it is premature to speculate on other details."  

Will the hotel data breaches never end? I spoke last week to Dario Forte, CEO of cyber-security tech provider DF Labs in Milan, Italy. His firm specializes in incident response and investigation when it comes to cyber attacks. To summarize: He doesn't see the breaches ending anytime soon.

"There's a recurring pattern of attacks," Forte confirmed, "that are exploiting a similar lack of defense in the hotel chains. Hotels, unfortunately, are a growing target because the hotel sector is far below the average when it comes to security awareness."

For one thing, Forte said, many hotels are running outdated software. And it isn't an easy problem to solve, he added, in part because of the franchise model and the resultant challenges to pushing out updates and ensuring that every independently owned property invests in and installs what they need. 

"The lack of investment from third parties — in this case, the franchisees — is one of the weakest links in breach-related issues," Forte noted. "Developing a brandwide security baseline is required, but in the hotel sector that can be challenging. The franchisee is really the most important of the chain, the face of the business. In that environment, the financial decisions are really business-driven rather than security-driven." A balance hasn't been reached just yet, Forte said, where cyber security is an important enough factor in those business decisions.

One solution? According to Forte, "Best results have been obtained when the franchisees are involved in any possible damage that has been associated with the data breach, based on their lack of due diligence. Chains that have been able to push the liability associated with attacks to the franchisees have gotten better results than simply trying to push a security baseline to each location. Because security isn't defined as a priority at this point, liability would be a better driver."

The underlying problem, however, is that neither hotel companies nor the property owners have implemented the security infrastructure that was recommended by experts eight or nine years ago. "I don't want to say that now it's too late," said Forte, "but at this point the effort and investment required to get to that recommended security baseline is more complex, and much more expensive."   

Nevertheless, the increasingly high profile of data breaches, and the potential liability they place on hotel companies, means hoteliers are going to have to make the investment. And, crucially, regulatory measures will soon force their hands more quickly. In May 2018, the European Union's General Data Protection Regulation will go into effect. The sweeping data-protection measures therein place even more responsibility and liability onto the companies holding customer data — and they will apply to any company doing business in the EU, regardless of where they are based. In fact, companies could be liable for as much as 4 to 10 percent of annual revenue in cases of severe data breaches, according to Forte.

"Before, cyber security was a problem of the nerds," said Forte. "Now it's a problem of the boards."

Despite all, there is some good news, too, Forte said. "There are a lot of good professionals out there who are ready to solve these issues, and a lot of technologies available to reduce reaction and response time in the case of breaches. These things are out there, ready to be deployed." All that is required, he pointed out, is the commitment of boards of directors and hotel executives to take advantage of these tools and change the way in which we prepare for and deal with cyber attacks.