By Miha Senčar, January 16, 2025 • 5 min read
Imagine the following scenario: The hotel reception cannot log into the reservation system, the cashier cannot issue receipts, and guests do not receive payment confirmations because the email system is down. Does it sound like a technical error? Unfortunately, this is an increasingly common consequence of cyberattacks on hotels that paralyze operations worldwide.
Such attacks are occurring and are indeed becoming more frequent. With the crisis caused by the COVID-19 pandemic and the war in Ukraine, these incidents have practically exploded. Research on cybersecurity in the Slovenian market conducted by the SI-CERT institute noted an increase of almost 15% in incidents in 2021 compared to the previous year. The growth over the years is clearly depicted in the figure below, summarizing so-called phishing scams that occurred in Slovenia from 2008 to 2021:
Global research indicates that the number of hacking attacks, incidents, and associated frauds has increased by 50% to 80%. This is why it is crucial for hotels, which handle sensitive financial and personal data of guests, especially those using digital reservation systems and online payments, to understand how vital cyber security has become in the tourism industry.
It is practically impossible to fully protect yourself against hacking attempts, but it is extremely important to have a protection plan developed with an IT security expert for hotels.
The first step is understanding cyber risks in business.
The consequences of an attack or breach can lead to significant financial damage, associated with operational disruptions and loss of data in hotels. Targeted breaches may result in the theft of business secrets, which may also be disclosed publicly. An incident can quickly become widely known, and a company can lose customer trust, often leading to legal troubles.
The second step involves prevention, which every user can undertake independently.
This can also be referred to as computer user ethics. It consists of knowing hacking techniques and understanding that thinking before clicking is crucial for data protection.
Practical steps everyone can take:
• Do not click on suspicious links, especially in emails that appear "urgent."
• Regularly change passwords (strong ones, with a mix of uppercase letters, symbols, and numbers).
• Use two-factor authentication wherever possible.
• Do not automatically trust messages that appear to be from superiors (e.g., CEO Fraud).
If a user does not understand something, they should not open the link. Most frauds stem from clicking on a link that is not safe and leads to a hacking breach.
Phishing is a direct attempt to steal data. The attacker uses false representation (e.g., fake email addresses or fake websites) to obtain personal data, passwords, login credentials, credit card numbers, and similar information.
Types of phishing include:
1. CEO Fraud or executive scam. In this scam, hackers usually search for contact details on company websites, to which they send an email with a fake sender address. They pose as the CEO and request the transfer of a large amount of money to a foreign bank account. Using money mules, the money is immediately transferred elsewhere and quickly becomes untraceable.
Example: executive scam (CFO Fraud)
Prevention: establish procedures for requesting and executing transactions and transfers that define who may order a transfer, when, and how.
When receiving an email, always check the sender's email address, which in the case of misuse is often very similar to the CEO's.
In the event of an unwanted transaction, it is necessary to immediately notify the bank and report the damage to the police.
2. Business Email Compromise, or intrusion into business correspondence, is even more sophisticated than executive fraud. In this case, hackers obtain the email password and monitor the communication. They familiarize themselves with contracting methods, types of invoices, dispatch notes, and offers, and wait for the right moment. When it comes, the recipient is sent a manipulated document with an almost identical bank account number, from an email address to which the attackers have access thanks to the stolen password.
Example of a modified transaction account in the picture below:
Prevention: it is recommended to regularly change passwords for email access. Passwords should be strong, at least 12 characters long, and contain an uppercase letter, a number, and a punctuation mark such as a period, comma, or semicolon. Additional protection comes from two-factor authentication that confirms identity via a smart device.
3. Bank fraud or banking fraud. In this scam, hackers use emails or SMS messages that lead to fake bank websites, where the recipient discloses financial and personal details.
Prevention: Users should not click on links in emails leading to bank websites. Instead, the bank's address should be typed manually or opened from a saved browser bookmark. Banks NEVER use the word URGENT on their websites.
Example of bank fraud:
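As an added example (not code from the article or its author), here is a small Python screening routine for the two checks recommended in the CEO-fraud and Business Email Compromise sections above: flag a sender whose domain is a near-match of the hotel's own domain or whose display name is an executive's but whose address is on an outside domain, and flag an incoming invoice whose bank account differs from the account already on file for that supplier. The company domain, executive name, vendor name, and account number are constructed placeholders.

```python
import re
from email.utils import parseaddr

# Constructed reference data (assumed for this example, not from the article):
# the hotel's own domain, its executives' display names, and the bank account
# already on file for a known supplier.
COMPANY_DOMAIN = "examplehotel.com"
EXECUTIVE_NAMES = {"jane doe"}
VENDOR_ACCOUNTS = {"laundry-service.example": "SI56192001234567892"}


def levenshtein(a, b):
    """Edit distance; used to spot lookalike domains and near-identical accounts."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_risk(from_header):
    """Return a reason string if a From: header imitates the company or an executive."""
    name, addr = parseaddr(re.sub(r"^From:\s*", "", from_header))
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain == COMPANY_DOMAIN:
        return None                      # genuine internal sender
    if levenshtein(domain, COMPANY_DOMAIN) <= 2:
        return "lookalike-domain"        # e.g. one letter swapped for a digit
    if name.strip().lower() in EXECUTIVE_NAMES:
        return "executive-name-external-domain"
    return None


def account_risk(vendor, iban_on_invoice):
    """Return a reason string if the invoice account differs from the one on file."""
    known = VENDOR_ACCOUNTS.get(vendor)
    if known is None:
        return "unknown-vendor"          # no account on file to compare against
    given = iban_on_invoice.replace(" ", "").upper()
    if given == known:
        return None
    # A few changed digits is the classic manipulated-invoice pattern.
    return "near-identical-account" if levenshtein(given, known) <= 3 else "changed-account"
```

Any non-None result should route the message or invoice to a manual check with the supplier by phone, not to the payment queue.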
Our team combines IT expertise and accounting knowledge, and we know where hotels are most vulnerable.
We assist in:
• assessing system vulnerabilities
• setting up security protocols
• educating employees about cyber security in hotels
• backup solutions and quick response in case of an incident
Why is this important? Because protecting reservation systems, financial data, and digital communication is no longer an optional item, but a necessary part of every modern hotel.
Contact us to develop a protection plan together. You don’t need to know everything about IT security, it's enough to have the right partner.
With our solutions you will achieve greater guest satisfaction with fewer employees and lower costs.