Although all industries have felt the strain from COVID-19, the hotel sector has been particularly hard hit. As hotels move to bring occupancy rates up, they should use this time to examine another pressing problem: protecting customer data, which has been an issue in the industry for years.
Two years ago, in its “Hotels Outlook Report 2018-2022,” PWC found that hotels are a favorite target for hackers, with the hospitality industry having the second-highest breach numbers after the retail sector. The same report found that 74% of hotels lacked breach protection. Hotels are attractive to hackers because they capture personal and financial information and have a large number of data touchpoints, each of which can leave information vulnerable. The list of those affected reads like a “who’s who” of global brands. In 2018, hackers attempted to access Marriott International’s Starwood Hotels & Resorts Worldwide guest reservation database. In the same year, the Radisson Hotel Group identified a breach affecting Radisson Rewards members. These breaches can also be costly, with the UK’s Information Commissioner’s Office (ICO) fining Marriott $23.8 million for the Starwood breach.
In the years since the report was published, the hotel industry has become even more digitized. Today, close to 50% of all bookings happen through online travel agencies or online channels, with the share of offline bookings dropping every year. The online bookings get delivered through different third-party partners, with each reservation containing sensitive data. This differs from other consumer booking/app interactions, in which data is exchanged between the payment gateway and the retailer only. For hotels, the information is exchanged between the payment gateway, the OTA, the intermediary and its central reservations system (CRS). These multiple data exchanges among partners leave the data that much more susceptible to breaches. In addition, in partnering with any third party, any security gaps with tech partners eventually become the hotel’s problem. Hotels have financial liability for security breaches even if the breach occurs via a third-party vendor.
Add to this the current challenge that hotels face in attracting customers in the age of COVID-19. More than ever, they need a mix of channels and partners to maintain high levels of occupancy and average daily rates (ADRs). These channels have also increased the number of partners that hotels now use to reach source markets. In addition, as integration and mapping to new channels are now becoming more complex, it is more difficult for chains to change suppliers completely. This, in turn, creates another critical issue of data protection, as not all providers have the same security standards.
There are some immediate steps that hotels can take to protect their data. First, they should reduce the temptation to focus on standalone point solutions. Instead, they should look at technology providers that help in securing the entire data value chain by focusing on having a security framework that stops data from moving outside of the country (which is where it is typically misused). Second, hotels should know the storage practices and policies of all providers, insisting on a zero percent storage rate to reduce the chance of personal data getting exposed. This means that sensitive data such as emails/or personally identifiable information (PII) is only passed through distribution systems and not stored. Similarly, hotels should make sure that partners do not store any credit card information locally, which will reduce the risk of exposure. The hotels should look to PCI or similar standard verifications, checking for common best practices, such as firewalls and encryption of data transmission and storage. Also, with most companies using some form of cloud infrastructure, hotels should know the structure used by any partner (private, hybrid, public) as well as what protections are in place. Finally, hotels should look for partners with continuous security monitoring as well as a trail for third-party audits.
Those hotels that undertake these security reviews and measures will be ensuring that customer data remains protected. They will also be taking an important step in protecting their brand identity, as brand will be essential as the recovery from the COVID-19 fallout continues.