Maintaining Data Security

Guests’ security in the hospitality industry, today, does not merely refer to physical safety but also involves protecting guest identity and mental peace of mind. With data breaches making headlines over the last few years the threat of misuse of stolen data has been a factor that is priority in the minds of the industry professionals. This is primarily due to two major factors: one, the hotels collect large amounts of data f r o m their guests directly and through third parties; and two that the industry has a checkered track record in protecting guests’ personal information. There is, thus, a demand f r o m the guests to focus strongly on data security. Though it is difficult for the hotels to escape data security threats in today’s fast moving, digitally charged environment, it is not an impossible task. With technologies that are continuously evolving to help hoteliers address their data security risks and concerns, the industry is now feeling a little relieved. Ashok Malkani takes a look at the current scenario and how the industry is tackling this issue.  

Some years ago, in the hospitality industry, guest safety was a very simple process. The innovative happening, till about a decade ago, was only providing an in-room safe for valuables. This was mainly because, at that time, guest security involved only securing people and their physical possessions. 

Now, however, hospitality industry’s business is no longer a simple one that merely involves putting heads in the bed or, organizing sleeping accommodation for the guests. Today, it is a complex process which requires hotels to find out a great deal of information about the guests. Collating that information and processing it may provide opportunities for the hotel to serve the guest more efficiently. In the new digital universe in which we live, guest data is important in a very obvious sense. Knowing who your customers are and how to communicate with them is very much part of the goodwill of a hotel.

Today, the most valuable possession of a hotel guest is not his wallet or gold jewellery or laptops and iPads but his identity. If this is not guarded, all his valuables are at risk. Hotels are often targets for identity and financial theft for several reasons. They transact business through credit cards, whose information can be target for hackers.  
According to Identity Theft Resource Centre,   a United States non-profit organization founded to support victims of identity theft, “The ability to connect to the Internet is an integral part of many individuals’ daily life. This has led to the increased demand for public WiFi. An unsecured wireless network, available in most hotels, is just as dangerous as leaving files of your most important personal documents on a street curb for all to see. Hackers can easily get into an unsecured wireless network and get financial information, business records or sensitive e-mails.”   

It may also be mentioned that several employees of the hotels have access to credit card and other personal information of the guests. The fact that low-level employees typically have access to key guest information, and that there is, historically, a high turnover in hotel employees, exacerbates the problem. 

The sophisticated data collection and analysis process enables the hotel to know about the guest’s habits and preferences which can translate into significant competitive advantage for the property. Thus having access to guest data is important for hotels as it can have a direct impact on their revenue generation both now and in future. But it also creates obligations for the hotels ensuring guests’ data safety and security of personal information. 

Technological innovation, combined with a very strong “know your guest” orientation, has resulted in more and more data on hotel guests being captured and analysed by the hotel industry through digital reservations, hotel property management systems and guest loyalty programs. 

With data breaches making headlines over the past few years the threat of stolen data is a reality that hotels have to safeguard and they have to be doubly sure about the credentials of individuals with whom they share their consumer information. 

Hotels acknowledge that credit card data breach can impact their properties, compromising the financial and personal data of their guests. 

A couple of years back InterContinental Hotels Group (IHG), the parent company of more than 5,000 hotels worldwide, acknowledged that a credit card data breach had impacted about 1,200 of its properties, compromising the financial and personal data of an untold number of guests. Unfortunately IHG is not alone. There is also the case of Wyndham Hotel. The Federal Trade Commission of US filed a lawsuit against Wyndham Hotels claiming that it had misrepresented its security measures to prevent intrusions by computer hackers. FTC stated that Wyndham failed to take common and well-known security measures. The FTC noted that Wyndham failed to require complex passwords, implemented a network setup that did not separate corporate and hotel systems, and used “improper software configurations” that led to sensitive payment card information being stored without encryption. The FTC complaint compared those failures to Wyndham’s privacy policy, which said that Wyndham strove to “recognize the importance of protecting the privacy of individual-specific (personally identifiable) information collected about guests, callers to our central reservation centers, visitors to our Web sites, and members participating in our Loyalty Programs,” and promised the use of strong encryption and firewalls. Wyndham fought the FTC suit but lost its appeal in 2015. Wyndham has settled these charges with FTC.  

One has to realise that for several hackers and cybercriminals, hospitality industry is their favoured target. Hotels are high-value targets for cybercriminals because they not only hold payment card information on guests, but also a wealth of other sensitive personal data that can be used to steal their identity.

Thus data security is as essential as physical security – of the guests as well as the property! 

Importance of Maintaining Data Security 

So, what are the implications of not maintaining data security and what are the methods of protecting your data? 

Shivanand Rajput, Security, safety & Liaison Manager at Alila Diwa Goa disclosed, “Negligence in maintaining Data Security may have following implications: 

Legal Liabilities: Every nation has its own rules and regulations in handling personal data information of guests and their employees. If found guilty of the negligent treatment of personal information, either of their employees or guests, there can be huge fines incurred, closure, and in some countries, jail time. Guests can also sue the organization if their data is compromised and not secured as it should be. Bad name in the media also falls back on the hotel’s name/brand image and makes guests vary of booking in hotels where their data was compromised. This information is normally highlighted in the media. 

Negative Brand Perception: Brands and businesses that are vulnerable to threats because they do not meet data security requirements are putting their reputation at risk. This not only destroys user trust in a brand but can lead to hefty court cases and irreparable damage to the way in which a company performs.

Increased Vulnerability: Data security measures are in place to reduce the unwanted distribution of sensitive or harmful information. Failure to do so means that you might be exposed to the rapidly-changing range of data crimes that are developed every day. If you do not meet data security requirements, your entire operation is at risk.

Repeat Attacks: Unlike physical crimes, data security needs to be updated constantly to make sure that your data remains secure. As the cyber criminals will target you for repeat attacks using more advanced malware.

Achieving Data Security

Data security starts f r o m having a robust firewall configured to protect all your external data traffic. An Antivirus plays a pivotal role in insuring end point data protection on client systems. One should also have a second layer of protection after firewall. You must also make sure your computer Operating System is “properly patched and updated” which is a necessary step towards being fully protected. 

Scheduling regular data backups (Weekly and Monthly) to an external hard drive, or in the cloud, are a painless way to ensure that all your data is stored safely.

Educating your employees about safe online habits and proactive defense is crucial.

Sunil Bhatia, Director, Sales & Marketing, The Mirador Hotel, Mumbai, states, “Since we are living in the Digital Era, Data security has come to the forefront in recent times. At The Mirador, Mumbai, we do not retain guest details in the systems beyond a certain time frame and make it a point that this information does not go out of the hotel’s communication systems. 

Guest information is specific to a hotel and it is their utmost responsibility to keep it safe. This can be achieved by keeping a tab on the information touch points wherever guest communication flows in the Hotel like the Reservations, Front Desk, Banquets, Food and Beverage Outlets/Points of Sale (POS) and Sales and Marketing. The employees accessing these terminals are expected to show the highest levels of integrity as it speaks of the Hotel’s/Brand’s Standards.” 

He further adds, “As hotels ensure the physical security of guests and their belongings, the same is applicable to data security. If guests feel that their personal and financial date is not being kept securely by the hotel, they will take their business elsewhere. To protect the hotel’s reputation they have to create a culture of security, which focuses on protecting guests’ digital property besides their physical property, throughout the entire organization.    

To make themselves more immune to the increasing cyber attacks hotels should adopt innovative technology which ensures that their personally identifiable information is kept secure and segregated and not shared by agents. This reduces the number of individuals with access to sensitive data, making it less attractive to cybercriminals.”  
Kishore Vishwakarma, Loss Prevention Manager at Hotel W Goa claims, “As technology has advanced, so has criminals’ ability to exploit these new technologies. The hotel industry has seen several such examples lately. Russian hackers breached Wyndham Worldwide’s data center in Phoenix three times between 2008 and 2010, accessing more than 600,000 payment card accounts and leading to more than $10.6 million in fraud loss. 

But not all cyber threats occur online, social engineering and physical hacking of hotel computers pose a significant risk. Hotel employees are being trained every year on the physical security of computers, access control, and passwords. Many of the big hacking schemes start with someone conning a password out of an employee. One way in which this can be overcome is by changing passwords every three months. 

Hotels attain security data by maintaining control on physical access points to a property’s computers and servers. At W Goa, we maintain adequate security and surveillance of all the data collected by us in form of hard copy or soft copy. Server HDD is stored in a bank locker or fire proof safe, to other sister concern hotel or vice versa on weekly basis. One way to add more cyber security is to install what is called a VLAN, or virtual network. Installing this software can add another layer of security between your servers and potential hackers”

Gurbaxish Singh Kohli, President, Hotel and Restaurant Association of Western India (HRAWI) & Vice President, FHRAI  and Director, Pritam Hotels, reveals, “Hackers are rampant on the World Wide Web. Free Wi-Fi and internet hotspots make the need of installing effective firewalls a must. Government compliances and the use of internet including strong authentication process should be strictly followed and logs must be maintained for proper surveillance. 

Hotels can achieve security of data by installing strong firewalls, using PSI-DSS (Payment Card Industry Data Secured Standard) certified software and following Govt. compliances strictly. The PCI DSS is an information security standard for organizations that handle branded credit cards f r o m the major card schemes. The standard was created to increase controls around cardholder data to reduce credit card fraud.

Besides this, it is also necessary to restrict access only to authorized personnel and setting up a proper authentication process while accessing the internet will help in securing data. Essentially employing the right agency with trained personnel, if the job is outsourced, is the best way to secure data.”

Avadhoot Mahimkar, Director of Sales and Marketing, The Resort Hotel, Mumbai, affirms, “Hotel industry has a great risk if data security is not maintained. Each day, a large volume of customer data is handled on a daily basis, including card details, names and addresses. Also, each person needs to be able to trust their hotel or the place that they have visited to keep their details private at all times. If data security is not maintained and there is a breach, the hotel would find it hard to regain customer trust and its brand reputation. The result of failure to comply can also include significant financial penalties and legal complications where affected parties are able to seek compensation for insufficient security measures being taken to protect them.

Hotels have to ensure that they are delivering a consistent level of security to guests and their possessions, whether they are physical or digital. Most businesses now store the majority of their secure information on computers, which means their IT infrastructure needs to be able to restrict unauthorised access and prevent breaches. All billing systems need to be secure to protect guests’ personal and financial information.”

Anthony Dias, Loss & Prevention Manager, Four Points by Sheraton Navi Mumbai, Vashi, avers that to maintain data security “all systems have to be restricted for USB storage. Firewall and Antivirus has to be updated at regular intervals. Data backup has to be stored on regular basis in order to avoid any virus. The system has also to be reviewed on periodic basis.

Hotels can achieve data security by ensuring that the software used is PCI compliant and all the security standards are followed so that the card details are masked and there would be no possibility of data breach. Nowadays GDPR is also followed in which guest personal information is completely masked in the registration card.”

Wrap up

Hospitality companies are faced with the unique problems that make them more vulnerable to threats of compromise and theft of personal information. However some of the ways of protecting their data are: 

  • Encrypt payment card information
  • Impart continuous training on cyber security to the workforce
  • Always use cyber security measures like usage of strong passwords, firewalls, anti-malware, network monitoring, etc.
  • Update programmes and systems regularly
  • Monitor for intrusion with cyber security breach detection devices  
  • Always adhere to relevant regulations like  PCI DSS (The Payment Card Industry Data Security Standard) 

An important issue that also needs to be realised is that no matter how best-bred cloud based technology your hotel may have adopted, the key to security and data protection lies in great training. An alarming number of data breaches occur in the hospitality industry mainly because of employee negligence. Adequate training of staff on data security policies and procedures will not only keep hotels out of unfavourable headlines but also pay immediate dividends. It is important that employees handling this data – at all levels – receive this training.

The Growth of Boutique Hotels
Boutique hotels’ popularity has been growing over the years. Some of these properties are themed, whilst others support an underlying philosophy suc  ... Read More
Scent of a Hotel
Tell me frankly, what is the first thing that strikes you when you enter the precincts of a luscious hotel? Is it the imposing Baccarat Chandelier wit  ... Read More
Greenery in Hotels
Landscaping is an important component of hotel design and plays a crucial role in enhancing the property’s value. Landscaping is no longer limited t  ... Read More
Perfect Veda For Inner Wellbeing !
Spanning around 7000 sq. ft., the exclusive neoVeda is truly a haven of peace and tranquility. As you enter the elegant space, a whiff of exotic aroma  ... Read More