The tourism and hotel industry is becoming increasingly dependent on modern information technology to manage reservations, process payments, and store customer data. Unfortunately, technology dependence has made the industry an attractive target for cybercriminals.
According to data published by IBM in the „Annual Cost of Data Breach” report, the average cost of a data breach in 2022 for the travel industry was USD 2.94 million.
In this article, you will find the most serious cases of cyberattacks that affect hotel chains around the globe.
The most recognizable cases of security breaches of IT systems in the hotel industry
1. 3 hacker attacks on a global hotel group
The history of attacks on this hotel group is one of the most frequently cited examples of the consequences of inadequate security of systems and data in the hotel industry.
It is one of the largest hotel groups, managing 31 brands and over 8,500 properties worldwide, and the history of attacks on its systems dates back to at least 2014. During this time, sensitive data of hundreds of millions of customers were stolen, and the company suffered huge losses, both image and financial.
First incident – 2014-2018
Date of incident announcement: November 30, 2018
What happened
In 2014, hackers gained remote access to the reservation systems of one of the hotel groups after installing RAT malware (remote access trojan). This company was taken over by a global hotel chain two years later. Unfortunately, a proper initial security audit was not performed during the company takeover, and data theft was still possible until 2018.
Consequences
This is one of the largest data breaches in history. As a result, criminals gained access to information about 383 million customers of the hotel group, including approximately 25 million passport numbers, as well as data on 8 million credit cards.
Other consequences of the attack:
- a fine of USD 23.8 million imposed by the UK Information Commissioner’s Office (ICO) for neglecting obligations under the General Data Protection Regulation (GDPR),
- legal costs related to lawsuits filed against the company, both from clients and investors,
- potential compensation resulting from lawsuits estimated at up to USD 1.8 billion,
- a temporary drop in the value of the hotel group shares by 8.7% after the hack was announced in 2018.
Second incident – February 1, 2020
Date of incident announcement: March 31, 2020
What happened
According to the company, hackers carried out an ATO (account takeover) attack using the login details of employees of the chain’s franchise facility.
Thanks to them, in mid-January 2020, criminals gained access to one of the company’s systems, and their activities continued until the company discovered the breach at the end of February.
Consequences
The data breach may have exposed the personal information of more than 5.2 million visitors, including the following information:
- address for correspondence,
- the e-mail address and telephone number;
- loyalty program account information;
- gender and date of birth.
Third incident – 06/2022
Date of incident announcement: 28/06/2022
What happened
In June 2020, an unknown group of hackers used social engineering to deceive an employee of a chain hotel located in Maryland, gain access to his computer, and copy sensitive data regarding both the company and customers.
Consequences
Hackers contacted Databreaches.net in June 2022 to describe the effects of their hack. According to their declarations, they stole over 20 gigabytes of sensitive data, including guests’ credit card details.
In a statement later, the hotel chain said an internal investigation showed that the data accessed „contained primarily non-sensitive internal business files relating to the operation of the property.”
Regardless of which version is closer to the truth, the company notified law enforcement authorities and contacted approximately 300-400 guests whose data may have been stolen.
Other consequences of hacker attacks on hotel network systems
In the case of ongoing attacks on such a large scale as those we are dealing with in the case of this network, it is impossible to determine the exact amount lost by both customers and the company itself.
There have been attempts in various sources to assess the scale of losses incurred – according to data from May 2023, the expenses incurred in connection with the data security breaches described above amounted to at least 71 million USD.
The amount includes, among others:
- costs associated with investigating and remediating security vulnerabilities that allowed systems to be breached,
- expenses incurred in connection with the need to notify injured guests about the risk of their data being stolen,
- creation and operation of a call center for customers, which received over 57,000 calls in the period after the announcement of the largest system hack, from November 2018 to May 2019,
- a fine imposed on a hotel group in the UK, for failing to comply with its obligations under the General Data Protection Regulation (GDPR).
In addition, the company must take into account the additional costs of long-term court proceedings, including legal services as well as possible compensation awarded or amounts paid as part of a settlement with the affected parties.
2. Theft of data from nearly 130 million customers of a Chinese hotel chain
At the time the hack was discovered, the group managed over 3,800 hotels in China under 13 brands. At the end of August 2018, a database of network customers containing nearly 500 million records was put up for sale on the darknet.
Date of incident announcement: 28/08/2018
What happened
According to the company’s statement, the breach was caused by a vulnerability in the hotel chain’s online reservation system, which was exploited by an unknown attacker. The attacker was able to gain access to the system and steal sensitive information including customer names, phone numbers, email addresses, and encrypted passwords, as well as hotel reservation information such as stay dates and specific hotels booked.
Consequences
The data of nearly 130 million hotel chain customers was stolen and then put up for sale by hackers on the dark web.
As a result of the data breach, the company suffered significant financial and image losses, including:
- costs of notifying guests about data theft, as well as purchasing identity theft protection services for interested customers,
- in China, the company was fined 1 million yuan (approximately $145,000) by the National Development and Reform Commission for violating the country’s cybersecurity laws,
- the company’s share price dropped by 4.36% immediately after the hack was announced and continued to decline in the following days.
This data breach undoubtedly damaged the brand’s reputation and image. The company was also criticized for its slow and, according to many experts, inadequate response to the scale of the problem. Additionally, the breach could have slowed down the company’s global expansion plans.
3. $700,000 fine for hotel chain for data protection negligence
In the case of the hotel industry, guests’ credit card data is a desirable target for hackers. Due to the threat posed by leakage of this type of information, it should be particularly well secured by the companies storing it.
In the case of one hotel chain, hackers targeted credit card data in 2015.
Date of incident announcement: November 1, 2015
What happened
Security experts have noticed suspicious activity in payment processing systems. An investigation was immediately initiated and the company soon determined that malware had been used to steal confidential information from POS terminals at some hotels.
The hackers aimed to capture data including the cardholder’s name, card number, expiration date and security code.
The first breach was discovered in February 2015 and the second in July 2015, but information about the breaches was only made public in November 2015, for which the company was heavily criticized.
Consequences
According to investigators, attacks on network terminals threatened over 363,000 customer accounts. However, these are estimates because the specific nature of the software used by hackers made it impossible to precisely assess what data was stolen in the case of individual cards.
Due to its delay in informing customers, the company was fined $700,000 in the United States.
Discussing the case of attacks on this hotel chain, cybersecurity specialists agree that this is a perfect example of the importance of quick notification of potential victims and cooperation with law enforcement authorities to mitigate the effects of theft.
4. Theft of data of 10, 142, or 200 million guests of a hotel chain?
In the case of hacker attacks on hotel facilities, especially if they are undetected for a long period, it is often difficult to precisely determine the amount of data stolen and the number of people affected.
One of the more famous was an example of a situation in which it was difficult to determine the exact scale of the theft which was a hack into the systems of one of the networks in 2019.
Date of incident announcement: February 19, 2020
What happened
In February 2020, the chain’s representatives admitted that there had been a data breach in 2019 that affected 10.6 million guests.
According to the release, the stolen data included names, phone numbers, home addresses, email addresses, and dates of birth. In the case of approximately 1,300 people, the hackers gained access to more sensitive data – such as drivings licenses, passports, and military ID cards.
Half a year after the incident was announced, in July 2020, an article was published on Zdnet.com suggesting that the scale of the incident could have been much larger. On one of the hacker portals on the dark web, there was an announcement about the sale of data from this hack, allegedly containing information about over 142 million network customers. A year earlier, in July 2019, a post promoting a data package for nearly 200 million guests appeared on a Russian-language hacker forum.
Consequences
Due to conflicting information, it is still difficult to assess the true scale of the hacker attack on this hotel chain. However, regardless of any doubts about the size of the hack, the company suffered significant financial and image losses.
Some of the consequences of the hacker attack included:
- an expense of approximately $2.5 million, including the costs of notifying and protecting affected customers,
- 14% drop in revenues in the fourth quarter of 2020, compared to the same period of the previous year, which, according to experts, was largely due to the decline in customer confidence as a result of the incident.
As was the case with the previously described attacks on hotel chains, after the breach was announced, the company’s share price dropped and it took several months to return to normal.
