Amid cyber threats faced by hotels, preparedness matters

In the wake of an incident in which hackers intruded into the IT system of a famous Austrian resort, rendering it unable to program keycards for guests, experts are calling on hotel operators to carry out risk assessments and develop crisis response plans so they can protect themselves from, and respond to, cyberattacks.

In January, the resort, the Seehotel Jaegerwirt, was subject to a cyberattack that affected the hotel’s IT system. The incident received a lot of press coverage, with some reports even going so far as to say the hackers took control of the hotel’s lock system and locked guests in their rooms. The owner later came forward to clarify the situation, saying the doors were not remotely locked at all.

What did happen, however, was that hackers broke into the hotel’s IT system, including its keycard-making component, by planting ransomware, which encrypts a system to deny the user access until a ransom is paid, according to a report by The Verge. The hotel ended up paying a ransom of 1,500 euros, the report said.

According to the report, the hotel switched back to traditional mechanical locks and keys after the incident, which was actually the fourth time such an incident had happened at this resort. The owner decided to come forward to talk about it this time to raise industry awareness, the report said.

In fact, it is well known that hotel computer systems are prime targets for hackers. “It is probably rare to see extortion using ransomware causing the hotel guests to be locked out like what happened in the Austrian hotel. However, it is rather common to see hotel network intrusion aiming for personal data, credit card data theft or infecting computers of business executives who stay at the hotels,” said Tam Thien Huynh, Senior Director of Cyber Security and Investigations for APAC at Kroll, adding that a hotel’s open Wi-Fi network, the inexperience of staff and other factors can all put hotels at high risk.

Ilya A. Umanskiy, Associate Managing Director for Critical Asset Protection at Kroll, added: “In cases when hotel networks/computer systems are administered by limited in-house IT staff or third-party IT service providers, vulnerability level is quite high. This is because in-house and outsourced IT personnel may be lacking sufficient computer and network security skills. Another issue for large hotel chains is the use of global standards for property construction and set-up. Such standards may not be updated frequently enough considering fast changes in attacker capabilities.”

It is recommended that hotel operators conduct a proper risk assessment with the goal of identifying and addressing the relevant cyber threats in their environment, and that they develop a cyber incident response plan and test it regularly.

“Hotel properties should understand their available resources and develop response measures in accordance with asset criticalities and likely loss scenarios. Preparedness for incidents should be addressed on a frequent basis – at least quarterly,” Umanskiy said. “Frequent simulation exercises can help designated responders with their incident management capabilities. It would be too late to ponder on how to deal with an incident when an incident happens. Likely scenarios affecting critical assets should be addressed, and response protocols understood, well in advance. Once an incident is identified, isolation of the affected asset and prevention of negative effects on other assets should be a top priority. Speed, effectiveness, and efficiency of remediation are of utmost importance. For this, the value of preparedness cannot be overstated.”
