Data Security a Major Concern for Hotels in 2012

With an increasing number of guests toting multiple mobile devices such as laptops, iPads and smartphones, and with the use of social media platforms intensifying, data security is getting harder and harder to maintain, say hoteliers. In a report released yesterday by, many hotel companies say guarding against potential information-technology breaches will be a top priority this year.

According to trade association Hotel Technology Next Generation, hotel credit card transactions are much more difficult to secure than in other industries, because the data often flows across systems controlled by several different companies, each one using a different security process. Compounding the problem is the fact that the data often has to be stored for weeks and months. So, while individual hotel companies may have invested heavily in securing their own systems, they have no control over the countless third-party networks they interact with, which leaves all of that guest credit card data extremely vulnerable to hacking and theft.

Now, throw into the mix mobile devices, and what you have is a potential breach bonanza, according to Anthony Roman, founder and CEO of Lynbrook, N.Y.-based hotel security company Roman & Associates. "Most mobile devices that are used for business remain unprotected," Roman told, adding that there is a dearth of "written policies and procedures relative to the securing and protection of the information contained within them." And with guests increasingly circumventing the front desk to enjoy the convenience of using their mobile device to check in (an October 2011 USA Today poll found 48 percent of travelers said they do so), hotels are staring down a security nightmare.

When hotel IT leaders met two months ago in Chicago for LodgeNet's Customer Technology Symposium, they shared this concern. As hospitality companies continue to concentrate on building guest loyalty, tons of information about a guest's experience -- from what pillow they prefer to their food preferences -- is constantly being exchanged through e-mail and social media platforms. Protecting that personal information, says Mark McBeth, vice president of information technology at Starwood Hotels & Resorts Worldwide, is even more critical than protecting credit card numbers, because the magnitude of the risk is greater. It could, he said, potentially lead even to child abduction or murder. "If there were a breach, you are exposing the guest's identity," says McBeth. "It paints some pretty scary pictures. There is no gray area with security issues -- you're either secure or you're not."

In the December 2011 issue of CIO Insight, chief information officers from several industries weighed in on their security concerns for 2012. One of those was Mike Blake, CIO for Chicago-based Hyatt Hotels Corp., who said that because the hotel industry has long been a target for data theft, Hyatt has made securing its internal systems a top priority. Still, he said, the growing threat from external sources keeps him up at night. He cited one case scenario: a property hosting 3,000 attendees, with a meeting planner booking rooms on their behalf, via e-mailed credit card data. "I can't prevent your secretary from e-mailing me a credit card number. As good a job as Microsoft does with protecting e-mail, I'm still not comfortable with credit card numbers floating through my e-mail system." Blake said that Hyatt will spend several million dollars this year in search of solutions that will protect sensitive credit card information that arrives by e-mail. Having a system in place before year's end, he said, is his goal.