Hotel IT security: quo vadis?

The newly disclosed Darkhotel APT campaign will surely draw increased scrutiny to hospitality systems’ security worldwide. Hoteliers acknowledge the existence of security problems in their software systems, and many are opting to move these systems into the cloud. Is this a viable solution?

The newly disclosed Darkhotel APT campaign will surely draw increased scrutiny to hospitality systems’ security worldwide. Even at a glance it looks like there are a lot of well-recognized problems. For instance, back in 2009, Visa released a security alert called “Targeted Hospitality Sector Vulnerabilities”, regarding malicious attacks taking place in the hospitality industry – specifically on payment systems and hotel networks. In a nutshell, malware attacks lead to the clients’ data getting stolen, including payment credentials.

It was a problem in 2009, and it was an even bigger problem in 2013-2014 when the largest retailers fell prey to massive breaches due to the malware seeded over PoS terminals. For hotels, it may be an even bigger issue. Retailers usually have access to the payment card information, and that is what gets leaked. However, guests at a hotel share information that’s a lot more personally identifiable, and the breach of that data has higher consequences.

The earliest examples of PoS malware, Trackr a.k.a. Alina, was the RAM scraper that compromised PoS systems in a university and in a number of hotels back in 2011.

In 2012, the FBI issued a warning about malware being installed on travelers’ laptops through software updates on hotel Internet connections (something very similar to the Darkhotel issue).

Recently, vendors of property/reservation/hospitality management software put great emphasis on security concerns.


There is a new trend being formed over the last two years: software hospitality solutions are migrating into the cloud. Why? Security and economy. It’s much more lucrative to lease a ready-to-use infrastructure, more or less protected from technical mishaps and unexpected downtimes (cloud providers promise over 95% of uptime), than to strengthen the servers in-house.

Migration to the cloud, while offering certain big advantages, also brings up new challenges. We reviewed them in this blog post a year ago. Now, we’ll just list the most important and most common issues across all industries with sensitive data bound for clouds:

– The degree of control over the data reserved by the client company of the cloud service provider. In other words, it’s a question of who actually owns and controls the data in the cloud.

– Third-party access to the outsourced data. With hoteliers working with personally identifiable and payment data, protecting their client privacy is paramount.

– Safe transition of data between the local and cloud resources. Unfortunately, we have seen examples of malware oozing from the leased facilities into the client networks, while there should be absolutely no malware in the clouds.

Clouds themselves may improve business, reducing costs and the IT maintenance burden, but are they a panacea? Barely. Just like any other technology, they are only as trustworthy as they are auditable, and the clients should have the right solutions to protect their data – in and out of the cloud.

Yet another problematic aspect of IT security in the hospitality industry is the use of WiFi networks. In this highly competitive environment where the user experience is everything, free WiFi today is a must, but it also generates some issues. We’ll talk about them in one of our future posts.