The hotel industry is one of the top sectors to suffer data breaches – it’s a cyber criminal’s dream with the amount of information hotels potentially hold about their guests: name, address, passport details, car registration plates and credit card details to name but a few. And that’s before the guest has even checked in!
Once checked in, guests then connect to the WiFi network and are required to enter personal details. Where does this data get collected? Most guest WiFi access relies on software that sits behind the access points and stores all this information. The repercussions, if a cybercriminal gains access to the backend, can be potentially catastrophic to an individual – and to the hotel.
With GDPR in force now, the hospitality sector must be sure to have this at the forefront of their minds. A boutique hotel potentially would not survive a fine should a breach occur.
So, what can hotels, big and small, do to protect their guests and themselves from the unpleasant attentions of hackers and cybercriminals?
1. Ensure admin passwords are regularly changed on all IT appliances. This can be easily applied using network settings and tools such as Dashlane or LastPass. Regularly changing passwords dramatically reduces the opportunity for the network to be hacked, particularly when you add rules that make the passwords more complex than many people naturally want to make them.
2. Ensure a policy is in place so that, when clients connect to the hotel WiFi, they have to give consent to their personal data being collected – this is called the ‘Opt in’. GDPR is very clear on this. You have to give them the option to opt in, rather than the option to opt out.
3. Separate your public and corporate WiFi. You don’t want a member of the public able to access data on your corporate network.
4. Quarterly Firewall Penetration Tests, carried out by an independent cyber security specialist, will flag up any holes in your network and keep cyber criminals well and truly out.
5. Look out for Sniffers. Not cute little puppies, these are hacking tools used to gain access and capture information that you send from your laptop/tablet/mobile. Most recently, attackers are also setting up WiFi networks that reach into the hotel. Guests think the network is legitimate and connect to the ‘fake WiFi’.
6. Social Engineering is becoming rife across all industries, including the hotel sector. Emails containing malware can easily infect networks. Some senders will pretend to be a senior director and ask for money to be sent elsewhere. Tools such as Mimecast will protect your network from such phishing emails. And Social Engineering Training / Phishing Assessment and Training is well worth considering. Users are often thought of as the weakest link.
Onsite employee classroom training, online courses and phishing simulations raise awareness, vastly improving how your users protect themselves online. The responsibilities for hotels have increased significantly with the introduction of GDPR. Not only is there an ethical and social responsibility for you to protect data, there are also legal requirements. Of course, if done properly, the marketing benefits for the hotel are significant; guests who are confident that you are looking after their data, and providing a secure network experience with robust WiFi access, will return regularly.
By Mike Ianiri
ABOUT THE AUTHOR
Mike Ianiri is Director of independent telecoms brokerage and a strategic partner of Switched On Solutions.