Cybersecurity and privacy in hotels: safeguarding guests’ data

When the American Hotel & Lodging Association released its 2023 State of the Hotel Industry report in January, it included a list of five topics that it predicted would dominate hospitality-industry tech conversations this year.

Those topics were:

1. Artificial intelligence

2. Robotics

3. Sustainability

4. Cybersecurity

5. Privacy

The AHLA report acknowledged that those last two are often treated as one topic. The pair are indeed closely related, because when hackers launch cyber attacks against hospitality-industry operators, customer data is one of the main prizes they are after.

So, for the purposes of this blog post, we'll look at hotel cybersecurity and privacy as a single multifaceted subject.

Here are a few aspects of privacy and cybersecurity that hotel-industry insiders are buzzing about in 2023.

See also:

• Customization and personalization in hospitality improves guest experience

• Hotel operations can boost customer loyalty by tracking guest journey

• Privacy and personalization in hospitality starts with permission

Understanding the customer

In a report on how the guest experience is changing, Deloitte noted that “The principle of knowing guests is and has always been at the core of understanding and delivering an exceptional hotel guest experience.”

Dan Kornick, chief information officer for Loews Hotels, echoed that sentiment in a report from Skift and Oracle titled "Hospitality in 2025": “The future of hotel technology is about a service culture and a personalized approach at the end of the day, whether it’s through technology or through that high touch experience. And knowing the customer and that data is really the key, the holy grail to it all.”

Why hotels collect guest data

In order to gain that understanding of their customers and craft those exceptional experiences, many hotels collect various types of data about guests. Here are some of the ways they use this information:

1. Personalization: Hotels use the data they gather to personalize guests' experiences by making recommendations and providing tailored services based on guests' preferences and booking histories.

2. Marketing: Hotels can create targeted marketing campaigns based on guest demographics, booking history and other information.

3. Loyalty programs: Hotels use guest information to track loyalty-program memberships, reward points and status levels. They can use this data to create targeted promotions and incentives to encourage loyalty.

4. Operations: Guest data can also be used to improve hotel operations. For example, management can monitor check-in and check-out times to better manage staffing levels and housekeeping schedules.

5. Revenue management: Hotel operators can use guest data to optimize their pricing and revenue-management strategies. By analyzing booking patterns, they can adjust rates and availability to maximize revenue.

Consumers value personalization

How do guests themselves feel about sharing all this data? Surveys suggest that a growing number of consumers see the upside of allowing companies in the travel and hospitality industry to gather certain types of information from them.

As long as their loyalty is rewarded with personalized offers and elevated service, these consumers perceive it as a fair exchange.

As we have previously noted, Google and Phocuswright reported that 76% of US travelers say that they would be likely or extremely likely to sign up for the loyalty program of a travel brand that tailored its information and overall trip experience based on their personal preferences or past behavior.

What’s more, 36% (over 1 in 3) say they would pay extra for more tailored information and a more personalized guest experience.

A separate study by IHG Hotels & Resorts found that 78% of travelers surveyed said they were more likely to book with properties that offer personalized experiences, with almost 50% willing to share the personal data necessary to promote an individualized stay.

Members of the millennial generation have been particularly vocal about their desire to seek out experiences built around their individual interests, and to stay with hospitality providers that accommodate their personal preferences. 

Ensuring guests can trust hotels

A while back, we told you about a report from the law firm Reed Smith highlighting the numerous ways that guests provide high-tech smart hotels with data.

This data collection often starts when a guest scans in their passport and a QR code to check in, and continues when they use app-enabled guidance to connect with devices in the hotel room, such as temperature controls or alarm systems.

“Such processing allows hotels to personalize a service but also enables them to access and collect much more personal data,” the report reads, before cautioning that “Given recent massive data breaches in the hospitality sector, hotels that are stepping in this direction need to ensure guests can trust hotels with their personal data.”

Transparency is vital

The authors of the Reed Smith report go on to note that, because hotel rooms are private spaces, hospitality operators are compelled to implement privacy “by default and by design”.

This means disabling any personal data collection that is not initiated by the guest or required for their stay — such as the collection of information by smart TVs, of movements in the hotel room or of voice recordings — without requiring the guest to take any additional steps.

“Hotels need to be transparent about what personal data they collect and for what purposes before collecting such data,” the report states. “They also need to ensure that they observe basic principles like data minimization.”

What is data minimization?

According to the EU's European Data Protection Supervisor, data minimization means that:

[A] data controller should limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose. They should also retain the data only for as long as is necessary to fulfill that purpose. In other words, data controllers should collect only the personal data they really need, and should keep it only for as long as they need it.

Hotels third-most-targeted in cyber attacks

The aforementioned Skift/Oracle report cited the Financial Times, which reported that the hotel and hospitality business is the third-most-targeted industry when it comes to cyber attacks by hackers: "The riches of customer data collected that are opening the doors to personalization also increase the risk."

In one especially high-profile data breach that occurred last year, the IHG hotel network was targeted by a couple of criminals hoping to carry out a ransomware attack. When the hotel chain's IT team thwarted that attempt, the pair tricked an employee into downloading a piece of malicious software in order to gain access to IHG's internal network.

After discovering the network's easily guessed password ("Qwerty1234"), the hackers were able to access the company's internal Outlook emails, Microsoft Teams chats and server directories. Fortunately, they were not able to steal sensitive information about guests, but they were able to wipe out enough files to damage the entire hotel chain's booking systems.

To mitigate the risk of malware attacks, data breaches and other such incidents, which could have serious financial implications, more than 90% of hospitality-industry executives surveyed by Skift said they have already made, or are considering making, investments in cloud technology to improve data security. "More than 25% said they are already running the highest cloud security available, and another 33% are in the implementation phase now," according to the report.

Improving data security in the hotel industry

Whether we're talking about phishing attacks, malware affecting POS systems or a distributed denial of service attack taking down an entire hotel chain's website, cybersecurity threats are very real. Here are a few other ways that hoteliers can improve their data security, protect their operations from cyber threats and ensure that their guests' potentially sensitive information, such as their credit-card details, don't fall into the hands of criminals.

1. Securing data storage: As a data-protection measure, hotels should ensure that all guests' personal information, such as their name, contact details, and payment information, is stored securely. This can be achieved by implementing a robust security system that includes encryption, firewalls, and access-control mechanisms.

2. Limiting access to personal information: Hotels should limit access to guests' personal information to authorized personnel only. This can be achieved by implementing a role-based access-control system that grants access to sensitive information such as credit card data to only those employees who require it.

3. Regularly update software and systems: Hotels should regularly update their security software to ensure that their entire computer systems are protected from the latest security threats. This includes updating antivirus software, firewalls and other security applications.

4. Training staff: Hotel employees should receive training in cybersecurity best practices. Staff should be made aware of the importance of data privacy and how to handle guests' personal information. Such training should cover the proper handling and disposal of confidential information, as well as how to identify common threats and report suspicious activity.

5. Use secure payment-processing systems: Hotels should use secure payment-processing systems to protect guests' payment information. This includes using technology to encrypt payment data and protect credit card information during transmission and storage.

6. Have a data-breach response plan: Hotels should have a data-breach response plan in place in case of a security breach. This includes having a dedicated team responsible for managing the breach, notifying affected guests and working with law enforcement and other stakeholders.

PressReader: a secure platform

Hotels that offer PressReader as a guest amenity can use the built-in Analytics function to get valuable insights into how guests are using the platform. Because PressReader can provide stats on app usage, including which newspapers and magazines visitors are reading from what categories, hotels are able to gauge which topics interest guests the most.

That knowledge can help inform decisions on room décor, treatment offerings at the spa, and innumerable other factors that can add up to a memorable guest experience.

It's important to note, however, that PressReader does not collect personal information on individual users, which means that readers can rest assured that, even in the event of a phishing attack or other breach of data security, none of their sensitive data will be at risk.

It's just one more way that PressReader helps hotels elevate the guest experience while operating more efficiently — and securely.