Hackers Target Hotels, Exploit Weak COVID-19 Contact Tracing Safeguards


Many travelers left something behind at the last hotel they visited — and it wasn’t a shirt or shoes.

Large amounts of personally identifiable information (PII) collected by hotels throughout the pandemic for contact tracing purposes are becoming tantalizing targets for data thieves. Contact tracing took off in 2020 as government health systems and private-sector players fielded COVID-19 contact tracing apps and ordered hotels to collect this additional — and highly sensitive — health data on all guests.

But hospitality organizations generally weren’t well equipped to manage collecting and storing such data in the first place, and many still have no strategy for sunsetting it in their systems, which could lead to compliance headaches ahead.

Noting that hotels and hospitality businesses are now in the top three sectors haunted by hackers — the other two being financial services and retail — the Financial Times (FT) reported Monday (March 28) that hackers see international hotel chains as “easy pickings.”


Survival Over Data Security

In a separate report saying that smaller operators may be more vulnerable, FT quoted Bharat Mistry, technical director at cyber security software maker Trend Micro, as saying hoteliers inexperienced with data security “likely flouted responsibility” for pandemic data they gathered, focusing on “survivability rather than good digital hygiene” as they scrambled for stopgap measures.

In the U.S., lawmakers proposed protections for COVID-19 contact tracing and related health data, introducing the COVID-19 Consumer Data Protection Act of 2020, then the Public Health Emergency Privacy Act (PHEPA).

As news site JD Supra reported, PHEPA would expand on enforcement by the Federal Trade Commission (FTC) and states’ attorneys general, allowing consumers whose data is compromised to sue for statutory damages of up to $5,000 per violation. Neither bill has been signed into law as of this writing Monday.


Hardening Property Management Systems

In March 2021, the U.S. Department of Commerce and National Institute of Standards and Technology (NIST) published the report “Securing Property Management Systems.”

“Hospitality organizations can reduce the likelihood of a hotel data breach by strengthening the cybersecurity of their property management system (PMS),” the report noted. “The PMS is an attractive target for attackers because it serves as the information technology (IT) operations and data management hub of a hotel.”

The report added that poorly secured property management systems could expose hotels and hospitality organizations to potentially costly data breaches and huge regulatory fines. While the Marriott-Starwood data breach of 2018 still dominates news of hotel cybersecurity, that was a pre-pandemic event. The addition of countless gigabytes of contact tracing PII pulled into PMSs is something the hospitality sector isn’t prepared for.

In FT’s coverage of the issue, Chris Weston, principal of chief information officer advisory at IDC, said what to do then or now with contact tracing data is difficult for boutique hotels and smaller operators with little or no experience in complex aspects of shielding health data collected by hotels.

“We saw several instances of employees using contact tracing data to contact people in inappropriate ways,” he told FT, and “people who felt uneasy filling in data on a form would use fake ‘Mickey Mouse’ or ‘Donald Duck’ style names,” defeating the idea of tracing.
