From bookings and POS systems to staff rosters and guest records, hospitality venues across Australia are digitising their operations. Recent cyber attacks on hotels, clubs and pubs show that incidents are becoming increasingly sophisticated. This shift has highlighted the need for better data protection controls and processes to ensure that both your business and your customers' information remain secure.
In particular, phishing attacks targeting the hospitality sector have increased in recent years, exposing weaknesses in cyber controls across many venues. Hospitality businesses rely on multiple digital systems (e.g. POS and booking systems) while operating with high staff turnover and limited cyber security training, and this combination has made venues attractive targets.
Recent incidents show hospitality is in the firing line
Late last year, a ransomware group claimed to have attacked a major national hospitality operator. The attackers asserted that they had stolen over 130,000 documents, including invoices, employee rosters, financial records, and guest and staff identity documents. [1]
Ransomware is an increasingly common form of cyber attack. It is malicious software (malware) that blocks access to a victim's device or encrypts their files; the attacker then demands payment of a ransom in exchange for restoring access to the data or systems. Payment does not guarantee recovery, and where data has also been stolen the attacker may threaten to publish it regardless.
Initial access is commonly gained through phishing emails (e.g. messages impersonating a trusted entity such as a bank, postal service or colleague), compromised login credentials (e.g. leaked or stolen usernames and passwords) and weak IT security (e.g. no multi-factor authentication on key systems or accounts). Each of these relies on a person being tricked or on a control being missing, which is why human error remains one of the biggest contributors to ransomware incidents.
In another incident, a third-party IT provider that supplied facial recognition technology to venues suffered a breach affecting multiple clubs and pubs across NSW and the ACT, exposing personal data including driver licences, signatures, phone numbers and addresses of over one million patrons. The data was allegedly leaked by a disgruntled employee based in the Philippines. [2]
While outsourcing to third-party providers is commonplace, it does not transfer your responsibility for good IT security and controls. Companies remain accountable for ensuring that appropriate safeguards, monitoring and assurance processes are in place when services are outsourced. This means asking third-party providers what security and controls they have in place, what data of yours they hold, and how you would be notified of an incident on their side.
This problem affects the full gamut of hospitality venues: large hotels and hospitality chains have been targeted along with smaller single-venue operators.
Why hospitality businesses are especially vulnerable
Hospitality venues are attractive targets for cyber criminals due to:
- High volumes of sensitive data: guest IDs, staff records and payment information.
- Multiple digital touchpoints: cloud-based booking and management systems, POS, third-party vendors, contractors and outsourced service providers (including membership management, gaming and customer relationship management systems). Each is a separate way in, and a compromise of any one of them can expose the others.
- Lack of security and controls: a recent survey conducted by the Council of Small Business Organisations of Australia found that only 47 per cent of hospitality respondents reported using unique passwords or passphrases, 37 per cent had cloud-based backups in place, and 33 per cent had multi-factor authentication enabled. [3]
As the Australian Cyber Security Centre's (ACSC) annual cyber threat report notes, lapses in cyber security controls have financial, regulatory and reputational implications for businesses. A breach can lead to a significant loss of trust among the customers whose data is leaked.
Further to this, if your POS or booking system is attacked, your business operations may be interrupted, resulting in a loss of income or even closure until systems are back up and running.
Risk-reduction measures hospitality operators should adopt
To protect themselves and remain insurable, we recommend that hospitality venue operators consider the following, at a minimum, with a view to strengthening their cyber security controls and processes:
- Limit access to sensitive or personal information to the staff who need it for their role, and remove that access promptly when staff leave or change roles.
- Enable multi-factor authentication on all platforms and accounts, particularly email, remote access and administrative accounts.
- Provide IT training and awareness to staff on phishing, social engineering and safe data practices.
- Review legacy systems that are no longer supported by the vendor and replace them where possible.
For any business, especially one storing personal data of guests or employees, cyber risk management should now sit alongside fire safety, liquor licensing and public liability as a core component of risk management.
Through Bellrock's use of third-party experts, we can assist in reviewing your current cyber risk management procedures, identify exposures or gaps in your network security and infrastructure, and provide recommendations to bolster your cyber security and obtain appropriate coverage for your business.
By taking the above steps, venues can reduce their exposure to a cyber incident, minimise the severity of an incident that does occur, and return to normal operations faster.
[1] https://www.insurancebusinessmag.com/au/news/cyber/australian-hospitality-company-faces-ransom-threat-after-data-breach-556130.aspx
[2] https://www.wired.com/story/outabox-facial-recognition-breach/
[3] https://www.insurancebusinessmag.com/au/news/cyber/research-finds-cyber-gaps-in-small-hospitality-businesses-566542.aspx