Hotel Data Security: Challenges to Address in 2022

By Jim Butler - Partner, Chairman, Global Hospitality Group® and Robert E. Braun - Partner, Jeffer Mangels Butler & Mitchell, LLP

3 January 2022
Jim  Butler
Jim Butler
Robert E. Braun
Robert E. Braun

As hotels find new ways to use technology to attract guests and enhance their properties, they need to remain aware of the security challenges these technologies present.

Bob Braun, senior member of JMBM’s Global Hospitality Group® and Co-Chair of the Firm’s Cybersecurity & Privacy Group, explains three basic issues for 2022 that all hotel owners need to be aware of to ensure their business and guest information remains secure.

Like virtually all industries, the hotel industry continues to be challenged by cybersecurity concerns. As we approach 2022, hotel owners and operators need to address some basic issues that impact the security of their systems and their guests.

  • Wi-Fi. Providing wireless internet to guests has become a “must-do” for hotels – it’s not too much of an overstatement to say that a potential guest won’t stay at a hotel that doesn’t provide free Wi-Fi. But hotel Wi-Fi systems, particularly those in public areas, have long been a soft underbelly of cybersecurity. In the past 10 days, TechCrunch+ reported that “an internet gateway used by hundreds of hotels to offer and manage their guest Wi-Fi networks has vulnerabilities that could put the personal information of their guests at risk.” The system uses hardcoded passwords that are easy to guess and allow an attacker to gain remote access to the gateway’s settings and databases; they can then use that knowledge to access and exfiltrate guest records, or reconfigure the gateway’s networking settings to unwittingly redirect guests to malicious webpages.
  • Social Media. Hotel brands and operators increasingly use social media to promote their properties and attract guests. But social media depends on the collection and use of personal information, and that information makes hotel companies one of the prime targets of bad actors. Their goal isn’t limited to credit card numbers; these threat actors are looking for personal information that allows them to obtain credentials and infiltrate networks. When a threat actor gains access to a network – which could be yours – they can pose an existential threat to a business through ransomware, extortion, denial of service, and other attacks.
  • Vendors. Hotels depend on a multitude of vendors and third parties to operate. These range from point-of-sale systems to HVAC operators to property management systems. Every vendor that has access to hotel systems – and it’s surprising how many do – presents a threat. When they have access to a hotel system, it creates an opening for a bad actor. Even more, each vendor relies on a variety of vendors themselves, which means that every vendor’s vendor that has access to the vendor’s system may also have access to the hotel’s network. And as we’ve discovered from the breaches caused by the highly publicized Solar Winds software and the more recently discovered log4j API vulnerabilities, even the most reliable of vendors cannot be blindly trusted.

These are not the only security risks that hotel companies face, but they demonstrate the conundrum that hotel owners and their operators face – the very things that create security challenges are also essential for operations. Hotels cannot stop offering Wi-Fi at the risk of alienating guests. Social media is a key part of marketing for hotels, giving hotels the ability to target potential guests at a relatively low cost, which is especially important during the current economic challenges. And vendors cannot be eliminated; there are too many functions that require special skills and experience that hotel companies cannot effectively bring in-house, at least at a reasonable cost.

But this does not mean that hotel companies can simply throw up their hands. If hotel companies create reasonable security efforts, they can control their risks and reduce the likelihood of a breach and the damage that brings. Resources, like the National Institute of Standards and Technology, have created frameworks to help hotel companies evaluate and address their risks.

The Jeffer Mangels Butler & Mitchell Global Hospitality Group, in conjunction with the Jeffer Mangels Butler & Mitchell Cybersecurity and Privacy Group, works with hotel companies to understand and address their security and privacy needs, and we are ready to help you. For more information, contact Bob Braun (rbraun@jmbm.com) or Jim Butler (jbutler@jmbm.com)

Further information about cybersecurity issues

If this article was of interest, you may also wish to read other articles by Bob Braun on Data Technology, Privacy & Security,” which include the following:

New Challenges for Hotels: The New California Privacy Rights and Enforcement Act of 2020

Hotel Managers and Owners Be Warned – You are Responsible for Your Hotel’s Data Security

The California Consumer Privacy Act – What Hoteliers Need to Know Now

Avoiding Hotel Data Breaches With a Risk Assessment Audit™ – Lessons From the Marriott International “Glitch”

California Adopts the California Consumer Privacy Act of 2018

GDPR: What you need to know about the EEU’s new data privacy rules

Cyberattacks on Hotels — What Should Hotel Owners and Operators Do?

Hotel Cybersecurity: Protecting your guests and your property from vendor data breaches

Click here to view the original version of this release.

For more information about JMBM, visit www.jmbm.com

Return to overview

JMBM Global Hospitality Group

1900 Avenue of the Stars, Seventh Floor
Los Angeles, CA 90067
United States
Phone: (310) 203-8080
www.jmbm.com

Jim Butler

Jim Butler is a founding partner of JMBM and one of the top hotel lawyers in the world. Devoting 100% of his practice to hospitality, Jim is author of www.HotelLawBlog.com and chairman of the Global Hospitality Group® which focuses on representing hotel owners, developers, and lenders. Jim and his team have helped clients as business and legal advisors on more than $87 billion of hotel purchase, sale, financing, and other transactions, involving more than 3,900 properties all over the world. In the last 18 months, they have closed more than $1.5 billion of EB-5 financing and sourced more than half of that for our clients. In addition to acquisitions, dispositions and financing, the Group handles ADA compliance and defense, hotel mixed-use development, labor and employment, management, branding and franchise agreements and litigation. With experience gained from more than 1,000 bankruptcies, receiverships and workouts, they use innovative solutions to unlock and create value for lenders and opportunistic investors for distressed assets. Jim also serves as an expert witness in hospitality matters.

Robert E. Braun

Robert Braun co-chairs JMBM's Privacy and Data Security Group and is a senior member of the Firm's Global Hospitality Group. Mr. Braun specializes in transactions with an emphasis on data security, privacy and information technology. Mr. Braun's practice includes establishment and development of strategies to implement computer software, cloud computing, computer hardware, communications and e-commerce solutions, designing and implementing privacy and security programs and protocols, as well as remediating security breaches. Mr.Braun has spent more than 20 years representing hotel owners and developers in their contracts, relationships and disputes with hotel managers, licensors, franchisors and brands, and has negotiated hundreds of hotel management and franchise agreements. His practice includes experience with virtually every significant hotel brand and manager.

Jim Butler

Phone: +1 310 201 3526
jbutler@jmbm.com