Cyberthreats Are a Leading Cause of Loss at Hotels and Motels

cyber threats

The nature of the day-to-day business at hotels and motels puts them at high risk of cyberattacks. These organizations handle enormous amounts of personally identifiable information (PII) and personal financial information (PFI), making them lucrative targets for cybercriminals. In fact, Advisen data shows cyber losses account for 18% of all losses at hotels and motels. The following article reviews various cyber risk factors at hotels and motels and provides best practices to protect against cyber threats.

 Hotel and Motel Losses by Category

Hotels and motels are seen as easy and profitable targets for cyberattacks. Here’s why:

  • Technology dependence—Customers rely on online services to make bookings and payments. Digital key access and biometric check-in technology are also commonly used to improve hotel efficiencies.
  • Third-party risk—Most bookings are made through third-party websites. This leaves hotels and motels vulnerable to cyber losses if one of their third-party vendors is compromised.
  • Valuable information—Hotels and motels collect valuable PII, including passport information, addresses, and emails. They also store debit and credit card information from payments, which may be kept for months or even years in advance of a reservation.
  • Connected devices—Digitalization has created a greater surface area for cyberattacks. Smart TVs, elevators, security systems, and ventilation systems have created new vulnerabilities. Each can be used as an entry point for attack.
  • Inadequate security—Most web hosts use low-quality servers that lack adequate security measures. This creates an opportunity for hackers. Heavy reliance on third-party websites also means hotels and motels are exposed to security gaps on external servers.

Hotel and Motel Cyber Losses by Breach Source

Attacks on hotel and motel servers account for half of all industry-related cyber losses, according to Advisen data. Point-of-sale (POS) systems were the second most frequently compromised at 23%, followed by telephone or fax communications at 11%.

Email breaches account for just 5% of cyber losses at hotels and motels. However, Advisen data shows these types of losses have become more frequent in recent years. Common cyberattacks stemming from emails include phishing, spoofing, and social engineering.

 Hotel and Motel Cyber Losses by Targeted Information

According to Advisen data, PFI was targeted in 74% of cyberattacks on hotels and motels. This information is typically seen as a highly promising target for cybercriminals. PII was accessed in 23% of cyberattacks, and personal health information was targeted in less than 3% of all cyberattacks on hotels and motels.

Examples of significant cyberattacks at hotels and motels include the following.

  • A data breach of Marriott’s reservation database from 2014 to 2018 resulted in the information of 500 million guests being accessed. Response costs following the breach were $177 million, Advisen loss data reported.
  • A data breach at 41 Hyatt Hotels in 2015 resulted in the unauthorized access of credit card information for at least 650 guests, according to Advisen.


Here are some of the most significant cybersecurity threats for hotels and motels:

  • Phishing—These attacks are designed to trick employees into clicking links in official-looking emails. Hackers use these attacks to steal sensitive data, such as credit card information or login credentials, or install malware. Sometimes, the malware installed during phishing attacks is ransomware.
  • Ransomware—These attacks, often initiated via a phishing email, are frequently targeted at hotels and motels. A ransomware attack involves a malicious actor gaining control of a company server in exchange for ransom. Sometimes hackers will threaten to leak sensitive information online if the ransom isn’t paid.
  • Distributed denial of service (DDoS)—The heavy reliance hotels and motels place on their networks for daily operation puts them at high risk for these types of attacks. DDoS attacks take advantage of an organization’s limited website capacity. Hackers will send multiple requests to the targeted website to exceed its capacity and prevent it from functioning properly.

Cybersecurity Practices

Here are some best practices to protect against cyberattacks at hotels and motels:

  • Multifactor authentication—This method of protection requires at least two forms of identification to be presented before permitting access to company systems.
  • Employee training—All employees should be trained to recognize and respond to phishing emails and other scams.
  • Data back-ups—In case of a ransomware attack, having data backed up in a separate location may allow your company to return to business quickly without paying a ransom.
  • Install antivirus programs—Antivirus programs should be installed on all connected devices. These include smart TVs, elevators, security systems, and ventilation systems.
  • Encryption—This technique scrambles data to make it unreadable without a key. This will help prevent unauthorized users from understanding important data if they gain access to it.

Proper mitigation can reduce the likelihood of a major cyber loss will occur. Hotels and motels that employ cybersecurity best practices will also likely receive better pricing, terms, and conditions on their cyber insurance policies.

Contact Midwest Insurance Group About Insurance Protection For Cyber Threats

Cyberattacks pose a serious threat to all businesses. For hotels and motels, which rely heavily on online servers for reservations and payments, the risk is often greater. To learn more about what your organization can do to reduce the risk of major cyber losses, contact MIG today at 262-646-5777.