In the wake of the incident where hackers intruded into the IT system of a famous Austrian resort, thus rendering it unable to program keycards for guests, experts are calling on hotel operators to make relevant risk assessment measures and develop crisis response plans to protect themselves from and respond to cyberattacks.
In January, the resort, the Seehotel Jaegerwirt, was subject to a cyberattack, which affected the hotel’s IT system. The incident somehow received a lot of press coverage, with some even going so far as to say the hackers took control of the hotel’s lock system and locked guests in their rooms. The owner later came forward to clarify the situation, saying the doors were not remotely locked at all.
What did happen, however, was hackers did break into the hotel’s IT system, including the keycard-making component of it, by planting a ransomware – encrypting the system to deny access to the user until a ransom is paid, according to a report by The Verge. The hotel ended up paying a ransom of 1,500 euros, the report said.
According to the report, the hotel switched back to the traditional mechanical locks and keys after the incident – actually the fourth time such incident has happened at this resort. The owner decided to come forward to talk about it this time to raise industry awareness, the report said.
In fact, It is well-known that hotel computer systems are high targets for hackers. “It is probably rare to see extortion using ransomware causing the hotel guests being locked out like what happened in the Austrian hotel. However, it is rather common to see hotel network intrusion aiming for personal data, credit card data theft or infecting computers of business executives who stay at the hotels,” said Tam Thien Huynh, Senior Director of Cyber Security and Investigations for APAC at Kroll, adding a hotel’s open Wi-Fi network, the inexperience of staff and other factors can all put hotels at high risk.
Ilya A. Umanskiy, Associate Managing Director for Critical Asset Protection at Kroll, added: “In cases when hotel networks/computer systems are administered by limited in-house IT staff or third-party IT service providers, vulnerability level is quite high. This is because in-house and outsourced IT personnel may be lacking sufficient computer and network security skills. Another issue for large hotel chains is the use of global standards for property construction and set-up. Such standards may not be updated frequently enough considering fast changes in attacker capabilities."
It is recommended that hotel operators go through proper risk assessment with the goal of identifying and addressing the relevant cyber threats in their environment, and that they develop their cyber incident response plan and test it regularly.
“Hotel properties should understand their available resources and develop response measures in accordance with asset criticalities and likely loss scenarios. Preparedness for incidents should be addressed on a frequent basis – at least quarterly,” Umanskiy said. “Frequent simulation exercises can help designated responders with their incident management capabilities. It would be too late to ponder on how to deal with an incident when an incident happens. Likely scenarios affecting critical assets should be addressed, and response protocols understood, well in advance. Once an incident is identified, isolation of the affected asset and prevention of negative effects on other assets should be a top priority. Speed, effectiveness, and efficiency of remediation is of utmost importance. For this, the value of preparedness cannot be overstated.”