Data thieves are increasingly targeting hotels, thanks to the sheer volume of personal information collected from guests. When a reservation is made, a hotel will take information including names, phone numbers, addresses, card details and even IP address information when a guest books online. Once a guest checks in, additional data may be collected, such as CCTV footage and personal information including medical conditions.
And yet, despite having so much sensitive information at their fingertips, the majority of hoteliers aren’t dealing with it correctly. Hospitality Technology’s 2017 Lodging Technology Study revealed that 74% of hotels don’t have proper data protection measures in place. The recent GDPR changes mean that hotels in the EU have to be even more careful with information they handle. Data breaches can cost hotels not only financially, with huge fines levied, but also reputation-wise, which can take years to redress.
Data privacy in practice
Thankfully, there are a number of practical steps that hotels can take to protect themselves and their guests. Alex Hollis, GRC Practice Director at SureCloud, is a security expert who has worked with a number of top global hotel chains on data privacy and risk. He advises hoteliers to first list the information they are collecting about their guests, in order to better understand that information and where it is stored.
Photo: credit to Glenn Carstens-Peters
“Hotels need to think about the information they’ve got, and decide whether it’s really necessary to have that many pools of data, or whether they can reduce the amount,” Hollis says. “Reduce the number of systems where data is duplicated, such as paper copies printed at guest registration. If paper is necessary, consider shredding it afterwards. Treat personal data with more respect for its value, more like money, reduce the places that you’re storing it and then protect those places.”
The key, Hollis suggests, is ensuring that the places where information is stored are secure, with encryption and good IT security-based practices. Since there is no audit trail of paper, he suggests moving away from manual storage to electronic format, particularly in larger hotels. Systems should have the right software development lifecycle to make sure they’ve been built securely. Hollis says: “Get a reputable guest registration system, and ask the third party who built the software questions like: how are we protecting our customers’ data? Is it encrypted? How do we prevent unauthorised access to that data?”
Paul Leybourne, data security expert and Head of Sales at Vodat International, agrees that data should be stored in a secure cloud environment, and recommends two-step authentication for sign-in. “Instead of using single passwords, use multiple passwords or different devices to sign in. Choose a password that is complex, with a mix of alphanumerics and symbols, and change it every month.”
Briefing the team
Hoteliers have a responsibility to keep their staff updated with training, Leybourne suggests. “Training manuals should be standard, but it has to be an ongoing process – cyber criminals are becoming extremely clever and the tactics that they use are changing on a regular basis as we become familiar with them. Hotels need to respond to these changes and keep their security systems updated to keep their guests safe,” he says.
For Hollis, limiting access among staff and not sharing passwords is an easy way hoteliers can retain control of guest data. He says: “Each employee with a legitimate reason to access should have separate credentials, and when they leave the organisation those credentials should be shut down to ensure there’s no malice done on exit.” And although there is no specific direction on retention periods for information under GDPR, he recommends removing any guest data not relating to current or future bookings after 12 months. “Guest information for marketing purposes can be retained beyond this, provided there is clearly established consent which should be confirmed every 12 months,” he adds.
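The retention rule Hollis describes has three outcomes (keep booking data, keep only consented marketing data, or purge), which is easy to get wrong in a manual clean-up. The following is an added example, not code from the article or from SureCloud: a small retention sweep that applies the rule to constructed guest records, assuming the "12 months" window is approximated as 365 days and that a booking whose departure date is today or later counts as current or future.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Hollis's 12-month window, approximated as 365 days (assumption).
RETENTION_WINDOW = timedelta(days=365)


@dataclass
class GuestRecord:
    guest_id: str                      # constructed sample identifier
    last_departure: date               # departure date of the most recent completed stay
    next_departure: Optional[date]     # departure date of a current or future booking, if any
    consent_confirmed: Optional[date]  # date marketing consent was last (re)confirmed, if any


def retention_decision(rec: GuestRecord, today: date) -> Tuple[str, str]:
    """Apply the article's rule. Returns (action, reason) where action is
    'keep' (booking data stays), 'marketing_only' (purge booking data but keep
    consented marketing contact data) or 'purge' (delete the record)."""
    if rec.next_departure is not None and rec.next_departure >= today:
        return "keep", "current or future booking"
    if today - rec.last_departure <= RETENTION_WINDOW:
        return "keep", "stayed within the last 12 months"
    if rec.consent_confirmed is not None and today - rec.consent_confirmed <= RETENTION_WINDOW:
        return "marketing_only", "marketing consent confirmed within the last 12 months"
    return "purge", "no booking or confirmed consent within 12 months"


def sweep(records: List[GuestRecord], today: date) -> dict:
    """Group guest ids by action so the purge list can be reviewed before deletion."""
    plan = {"keep": [], "marketing_only": [], "purge": []}
    for rec in records:
        action, _reason = retention_decision(rec, today)
        plan[action].append(rec.guest_id)
    return plan


# Constructed sample records and sweep date; not real guests.
AS_OF = date(2019, 6, 1)
SAMPLE_RECORDS = [
    GuestRecord("G1", date(2018, 12, 1), None, None),               # recent stay
    GuestRecord("G2", date(2017, 1, 10), None, date(2019, 3, 1)),   # old stay, fresh consent
    GuestRecord("G3", date(2017, 1, 10), None, date(2018, 1, 1)),   # old stay, stale consent
    GuestRecord("G4", date(2016, 5, 5), date(2019, 7, 1), None),    # old stay, future booking
]


def sweep_sample() -> dict:
    return sweep(SAMPLE_RECORDS, AS_OF)


if __name__ == "__main__":
    for action, ids in sweep_sample().items():
        print(f"{action:15s} {ids}")
```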
So what should you do if you discover you’ve been hacked and have lost guest data? The first step is to declare it to your local supervisory authority within 72 hours of discovery. Then, isolate the problem to ensure you’re not still under attack, by preventing people from accessing your system. If you’re going to collect evidence, create CD or USB copies and lock them away, so you know the chain of custody. Once secure, you can start to restore service.
For Hollis, gone are the days when it was just banks falling foul of data breaches. “Unlike banking where the internet has had a massive effect, guest registration in hotels is pretty much the same as it’s always been. This sameness has created some apathy,” he says. But times are changing and hoteliers need to wake up to this.
Hero image: credit to rawpixel
- Switch from paper to electronic storage. Ensure your system is encrypted and ask the company that built the software questions about how you can prevent unauthorised access to that data
- Make a list of the data you are collecting about your guests. This will help you to understand what information you’re collecting, where you’re storing it, and will give you the chance to reduce duplicates
- Use multiple passwords and devices to sign in, and change your password regularly
- Staff training in data security should be an ongoing process
- Aim to keep guests’ data no longer than 12 months