When identity thieves walk into a hotel lobby, they see opportunity: distracted business travelers and relaxed vacationers who are paying little attention to their wallets, private documents or their personal security; a workforce with high turnover and minimal background checks, if any; and easy access to hotel guest areas, guest rooms, and hotel computers. They also know that the wireless systems are likely outdated and vulnerable to even a novice hacker.
Few industries provide identity thieves such rich targets as the hospitality industry. As the economy worsens, the risk of identity theft grows, and so does the likelihood that hospitality companies will face major unplanned financial penalties for failing to safeguard consumers' information in the midst of the growing threat.
Perfect environment for attack
Identity theft is a growing concern for hospitality providers because every hotel, resort, casino or restaurant offers the elements necessary for a successful attack.
- Motive. Many hospitality workers hold high-turnover jobs and work in close proximity to guests of higher economic means.
- Access. Travelers often carry important financial documents. They often fail to protect their property, leaving credit cards and sensitive business information on the desk or in the room safe. They access hotel business centers that may be compromised by keystroke loggers that steal passwords and credit card numbers, and they use Ethernets that may have inadequate security controls. Guests regularly give their credit card information over the Internet, by phone and in person. This data often is stored in databases easily accessed by employees whose criminal backgrounds may not have been checked prior to hiring. In addition to these internal threats, hospitality companies are vulnerable to external attacks, in which a hacker breaks into billing and reservation systems to steal customer information.
- Low risk. Since many hospitality chains rarely track computer system users, they usually cannot discover, investigate and prosecute identity thieves.
The rising threat
The risk of identity theft attacks in this industry is growing, for many reasons. Many hotels, resorts and casinos provide guests with convenient amenities, including Ethernet and business centers, without securing them against malicious users. More than ninety percent of hotels offer wireless network connections to guests, according to a recent study by Cornell University's Center for Hospitality Research. But many of those networks are simply unsafe.
"Hotels in the U.S. are generally ill-prepared to protect their guests from the security problems inherent in the Ethernet," the report found.
The current economic climate only serves to compound the problem. The risk of identity theft grows as the recession makes people desperate. In a time when it might be more difficult to obtain credit, identity thieves must find new sources of private information. Credit card companies that once, in flush times, accepted identity theft-related charges as a cost of doing business are now less tolerant of the added expense and may look to sue hospitality companies that fail to secure private data. Consumers hurt by identity theft will likely find class-action attorneys willing to take their case.
Hospitality providers, too, are reacting to the economy in ways that may not be entirely beneficial. Some hotel chains hope to cut costs by using automated check-in systems. This is a dangerous trend. The most important part of any security system is face-to-face interaction between guests and responsible employees.
As travel budgets drop and vacancy rates climb, more hotels and resorts lay off security personnel to cut costs. But operating without security is like entering a battle unarmed. Already-busy managers simply cannot keep up with the ever-changing technology of identity security. Trained security personnel, supported by identity theft and computer safety experts, can best prevent the financial and publicity disaster caused by a massive identity theft attack.
In this economy, the hospitality industry is more competitive than ever. Hotels and resorts already compete aggressively on price. But what happens if a hospitality company is targeted by a major identity theft attack, especially if it's later proven that the company failed to take basic precautions to protect consumer data? Customers will vote with their feet, choosing to stay in other hotels and avoiding companies that don't seem to take their privacy seriously. And in a downturn, no company can afford the crippling blow to brand identity that comes with a major security breach.
Protect your guests, protect your business
Protecting private guest information starts with restricting access to sensitive files. Access should be granted only on a need-to-know basis and tracked with user-specific passwords. The hiring office should screen out job applicants with criminal records, or at least ensure that such people cannot access private records. Employee handbooks should remind all staff that compromising guest data or information will result in termination and prosecution. Business center computers must be monitored closely by the hotel's IT and security departments. Older Ethernets may require complete overhauls to guarantee security.
Recessions always push companies to cut costs, especially in low-margin industries like hospitality. But scrimping on security now could result in an identity theft attack and cost your company millions of dollars down the road in lawsuit damages, sullied reputation and lower sales. Making your business resistant to identity thieves ensures it will remain an inviting place for paying guests, and is simply a smarter business decision in the long term. The added expense now can save you a fortune later.
The most important steps your company can take to protect private guest information, and to preserve your company's reputation and bottom line:
- Screen every job application for criminal history. Use the employee handbook and regular reminders to tell employees that identity theft and privacy compromises will not be tolerated.
- Data on internal computer systems should only be accessed by employees who need it to perform their jobs. That access should be password controlled, and the data should be encrypted.
- External computer systems for guest use should be inspected daily and closely monitored. Business center computers must be protected against and routinely screened for malicious software and hardware. Older Ethernets may need to be replaced.
- Regularly train staff to watch for warning signs of identity theft. These could include unauthorized employees accessing computers, waiters keeping small credit card readers in their pockets, or inaccurate charges showing up on guests' bills.
- Prevent panic by balancing short-term and long-term costs. Quick check-ins and no security staff may keep costs low and attract guests, but not enough to cover damages from plaintiff lawsuits when those systems fail.
Richard G. Hudak has been employed in chief security officer positions with MBank (Texas), Bank Administration Institute (Chicago), ITT Sheraton Corporation (Boston), and Loews Corporation (New York City). Hudak is a member of the International Security Management Association, American Society for Industrial Security, Society of Former Agents of the FBI, and the Loss Prevention Committee for the American Hotel & Lodging Association.
Adam K. Levin is the chairman and co-founder of Identity Theft 911. A consumer advocate, educator, regulator, business owner and identity theft expert for over 30 years, Levin has dedicated his life to promoting financial literacy, protecting consumers, and encouraging greater competition in the marketplace. He served as Director of the New Jersey Division of Consumer Affairs.