Hotel cybersecurity after a year of AI attacks and vendor failures
Hotel cybersecurity is no longer a niche IT topic but a core security and risk agenda item for every serious hospitality group. When a large majority of hotels in North America report cyberattacks in a single summer, as highlighted in the 2023 VikingCloud State of Hospitality Cyber Report, the hospitality industry has to treat cyber threats as routinely as fire safety drills and evacuation plans. Cybercriminals now target every hotel system that touches guest data, payment processing or operational control, from cloud based property management platforms to mobile key applications and access network infrastructure.
Attackers use AI scaled phishing to gain initial access, then pivot through weak network segmentation to reach high value systems such as PMS, CRS, and payment card environments. Ransomware campaigns no longer focus only on encrypting data but on operational disruption: locking guest room doors, sabotaging HVAC controls, or corrupting booking interfaces to force rapid ransom decisions. These threats create direct legal exposure for executive management and risk management teams, because a single incident can combine data protection violations, business interruption, and physical safety issues if guests cannot exit secure areas during a lockout.
Recent breaches at global brands showed how third party vendors and cloud based integrations became the dominant entry points for unauthorized access to hotel data. Phishing emails sent to revenue managers or finance teams often imitate partner extranets, leading to credential theft and silent access to booking systems over long periods of time. In parallel, deepfake audio targeting finance directors has been used to manipulate payment approvals, turning classic fraud into a cybersecurity and incident response problem that insurers now scrutinize closely.
From IT hygiene to insurability: what cyber insurers now expect from hotels
Cyber insurance underwriters have quietly rewritten the rules for hotel cybersecurity, and many hospitality groups only realise it at renewal time. Insurers now treat basic security controls such as multi factor authentication, endpoint detection and response, and tested backup restoration as non negotiable conditions for coverage. For risk managers and legal counsel, the question is no longer whether these controls are good practice but whether the group remains insurable at acceptable cost.
Underwriting questionnaires drill into how hotels manage access to critical systems, how quickly they can identify potential security threats, and whether incident response plans are tested with realistic tabletop exercises. Carriers ask whether payment processing environments are segmented from guest Wi Fi and back office networks, and whether penetration testing is performed at least annually on both property and corporate infrastructure. They also examine how the group handles vendor management, including contractual security requirements, right to audit clauses, and obligations to report malicious activity or data breaches in real time.
For executive management, this shift means cyber budgets must be aligned with the minimum security posture required by insurers, not just internal IT preferences. A reasonable property level budget now includes secure Wi Fi with proper access network controls, managed firewalls with network segmentation, and centralised log management feeding a cloud based detection platform. At group level, investment priorities include a 24/7 security operations capability, structured incident response playbooks, and strategic hotel IT support as a shield for risk and legal teams, as explored in this analysis on strategic hotel IT support for hospitality risk leaders.
One page insurer readiness checklist for hotel groups
Risk and legal teams can quickly benchmark insurability by confirming that the group has:
- multi factor authentication on email, remote access, and administrator accounts;
- documented backup and restoration tests for PMS, POS, and payment systems;
- an incident response plan naming insurer contacts and breach counsel;
- annual penetration testing and vulnerability management;
- vendor contracts with minimum security controls and notification duties;
- centralised logging with alerting for suspicious activity across key hotel systems.
NIS2, data protection and cross border liability for hotel groups
For hospitality brands operating in or near the European Union, the NIS2 directive and the Cyber Resilience Act have turned cybersecurity into a regulatory compliance obligation, not just a best practice. Even US based hospitality industry groups with a handful of EU properties must now show structured management of cyber risks, including clear accountability, documented policies, and technical controls aligned with recognised standards. Regulators expect boards and executive management to understand how hotel cybersecurity failures can cascade into systemic risks for guests, partners and critical tourism infrastructure.
NIS2 emphasises the need to identify and manage security threats across the entire network, including third party providers that process guest data or operate cloud based systems. This means legal teams must map data flows from booking engines to PMS, from mobile apps to loyalty platforms, and from payment processing gateways to acquirers, then ensure contracts allocate responsibilities for detection, incident response and notification. When a vendor suffers a breach that exposes hotel guest data, regulators will still look first at the hotel group’s governance, its due diligence, and its ability to help protect affected individuals in a timely and transparent way.
For IT and innovation leaders, compliance with NIS2 and data protection rules is an opportunity to rationalise fragmented systems and reduce unnecessary entry points for cyber threats. Consolidating access management, enforcing strong authentication for all staff, and standardising logging across PMS, POS and mobile applications makes it easier to identify potential anomalies in real time. It also supports a more resilient architecture where network segmentation, encryption, and modern APIs limit the blast radius when threat actors inevitably compromise one component of the ecosystem, as detailed in our work on how hospitality mobile applications reshape risk and legal assurance.
Illustrative vendor security clause for cross border hotel operations
A practical example for contracts is a clause stating that the provider must maintain security controls aligned with recognised industry standards, notify the hotel group of any suspected data breach without undue delay, cooperate with forensic investigations, and support regulatory notifications. The clause can also require annual security attestations, penetration testing on systems processing guest data, and a clear allocation of responsibilities for incident response, including who communicates with affected guests and authorities.
Inside the attack chain: how threat actors actually breach hotels
Understanding how cybercriminals move through hotel environments is essential if you want to design controls that work under pressure. Most campaigns start with social engineering against staff who handle reservations, finance, or vendor portals, because these roles have broad access to systems and payment data. Phishing emails, malicious attachments and fake login pages are still the primary tools, but AI generated content and cloned partner branding make detection by untrained staff extremely difficult.
Once attackers gain initial access, they typically explore the network to identify potential paths towards PMS, POS, and payment card environments, exploiting weak segmentation and shared credentials. They look for unpatched servers, exposed remote access tools, or misconfigured cloud based storage that can be used as entry points into more sensitive systems. In many documented cases, threat actors spent weeks inside hotel networks, quietly exfiltrating guest data and mapping payment processing flows before launching ransomware to maximise leverage and operational disruptions.
A well known illustration is the MGM Resorts incident in 2023, where attackers reportedly used social engineering against a third party support provider to obtain access, moved laterally through internal systems, and disrupted hotel operations, loyalty programmes and digital room keys before containment and recovery. This kind of attack chain shows why hotel cybersecurity must integrate continuous monitoring for malicious activity, not just annual audits. A mature security operations function correlates logs from door lock controllers, Wi Fi controllers, PMS, and mobile key platforms to identify real time anomalies, such as unusual access patterns, suspicious data transfers, or repeated failed logins from foreign locations.
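The correlation described above, shown as an added example that is not code from the original article: constructed log lines from a PMS and a door lock controller are parsed and run through simple rules for repeated failed logins from a foreign location, a successful login shortly after that burst, a large data export, and off hours door activity. The log format, thresholds and home country are assumptions for the illustration.

```python
# Added example, not code from the original article: correlating constructed
# log lines from hotel systems to flag the anomalies described in the text.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "timestamp|source|event|user|key=value".
SAMPLE_LOGS = """\
2024-03-01T02:10:00|pms|login_failed|r.manager|geo=RO
2024-03-01T02:10:20|pms|login_failed|r.manager|geo=RO
2024-03-01T02:10:40|pms|login_failed|r.manager|geo=RO
2024-03-01T02:11:00|pms|login_failed|r.manager|geo=RO
2024-03-01T02:11:30|pms|login_failed|r.manager|geo=RO
2024-03-01T02:12:00|pms|login_ok|r.manager|geo=RO
2024-03-01T02:40:00|pms|export|r.manager|bytes=950000000
2024-03-01T03:05:00|doorlock|open|staff-key-17|room=1204
2024-03-01T09:00:00|pms|login_ok|a.clerk|geo=FR
"""
HOME_COUNTRIES = {"FR"}  # assumption: the group's properties are in France

def parse(text):
    events = []
    for line in text.strip().splitlines():
        ts, source, event, user, detail = line.split("|")
        key, value = detail.split("=", 1)
        events.append({"ts": datetime.fromisoformat(ts), "source": source,
                       "event": event, "user": user, key: value})
    return events

def detect(events, fail_threshold=5, window=timedelta(minutes=10),
           export_threshold=500_000_000):
    """Return (rule, user, source) tuples in time order."""
    alerts, fails, attacked = [], defaultdict(list), {}
    for e in sorted(events, key=lambda e: e["ts"]):
        foreign = e.get("geo") not in HOME_COUNTRIES
        if e["event"] == "login_failed":
            q = fails[(e["source"], e["user"])]
            q.append(e["ts"])
            q[:] = [t for t in q if e["ts"] - t <= window]  # sliding window
            if len(q) >= fail_threshold and foreign:
                alerts.append(("brute_force_foreign", e["user"], e["source"]))
                attacked[e["user"]] = e["ts"]  # remembered for correlation
                q.clear()
        elif e["event"] == "login_ok":
            # a success shortly after a burst of failures is the key correlation
            if e["ts"] - attacked.get(e["user"], datetime.min) <= window:
                alerts.append(("takeover_suspected", e["user"], e["source"]))
            elif foreign:
                alerts.append(("foreign_login", e["user"], e["source"]))
        elif e["event"] == "export" and int(e.get("bytes", 0)) > export_threshold:
            alerts.append(("large_export", e["user"], e["source"]))
        elif e["source"] == "doorlock" and not 6 <= e["ts"].hour < 23:
            alerts.append(("offhours_door_open", e["user"], e["source"]))
    return alerts

def run_sample():
    return detect(parse(SAMPLE_LOGS))
```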
Condensed incident timeline for a typical hotel ransomware case
- Day 0: a finance employee clicks a phishing link imitating a partner extranet and enters credentials.
- Day 2: attackers log in remotely, deploy tools, and scan the network.
- Day 5: they obtain domain administrator rights and access PMS and payment systems.
- Day 10: guest and card data are exfiltrated quietly to external servers.
- Day 14: ransomware is triggered on PMS and file servers, door lock integrations fail, and check in operations are disrupted.
- Day 15: the hotel activates its incident response plan, notifies insurers and regulators, and begins recovery from clean backups.
Controls that actually move the needle: MFA, segmentation and payment governance
With finite budgets and rising expectations from insurers and regulators, hotel leaders need to prioritise the controls that materially reduce risk. Multi factor authentication across all remote access, email, and administrative systems remains the single most effective way to block account takeover, especially when combined with phishing resistant methods. Extending MFA to vendor accounts, finance workflows, and cloud based management consoles closes many of the gaps exploited in recent hospitality incidents.
Network segmentation is the second high impact control, separating guest Wi Fi, back office, operational technology, and payment processing into distinct zones with tightly controlled access. In practice, this means door locks, CCTV, HVAC and building management systems should never share the same access network as PMS or corporate email, and payment card environments must be isolated with strict firewall rules and monitoring. Proper segmentation also supports faster incident response, because security teams can contain malicious activity within a limited segment while keeping other hotel operations running safely.
The third control with exceptional return is a robust payment governance framework that treats any change to bank details, payment instructions or refund processes as a high risk event. Implementing out of band verification for payment changes, enforcing dual approval, and logging every exception gives risk managers and auditors a clear trail when investigating fraud or cyber enabled theft. Combined with regular penetration testing focused on payment systems and APIs, these measures help protect both revenue and reputation while aligning with card scheme expectations and insurer requirements.
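The payment governance controls just described, modelled as an added example that is not the article's own code: a bank detail change is released only when the callback went to the number already on file (never the one supplied in the request), verification and approval came from people other than the requester, and two distinct approvers signed off, with every failing control written to an audit trail. The vendor record, names and numbers are constructed.

```python
# Added example, not from the original article: out of band verification,
# dual approval and exception logging for a vendor bank detail change.
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed vendor master record: the callback number must come from here,
# never from the e-mail or form that asks for the change.
VENDOR_MASTER = {"V-1001": {"name": "Linen Supplier", "phone_on_file": "+33 1 00 00 00 01"}}
AUDIT_LOG = []  # (control, vendor_id, actor) tuples for auditors

@dataclass
class BankDetailChange:
    vendor_id: str
    new_iban: str
    requested_by: str
    callback_number_used: Optional[str] = None  # number actually dialled
    verified_by: Optional[str] = None           # who performed the callback
    approvals: List[str] = field(default_factory=list)

def approve_change(change, approver):
    """Record an approval; the requester can never approve their own change."""
    if approver == change.requested_by:
        AUDIT_LOG.append(("rejected_self_approval", change.vendor_id, approver))
        return False
    if approver not in change.approvals:
        change.approvals.append(approver)
    return True

def release_change(change):
    """Return True only when every control holds; log each failing control."""
    vendor = VENDOR_MASTER.get(change.vendor_id)
    problems = []
    if vendor is None:
        problems.append("unknown_vendor")
    elif change.callback_number_used != vendor["phone_on_file"]:
        problems.append("callback_not_to_number_on_file")  # the classic BEC trap
    if change.verified_by in (None, change.requested_by):
        problems.append("no_independent_verification")
    if len(set(change.approvals) - {change.requested_by}) < 2:
        problems.append("dual_approval_missing")
    for p in problems:
        AUDIT_LOG.append((p, change.vendor_id, change.requested_by))
    if not problems:
        AUDIT_LOG.append(("released", change.vendor_id, change.requested_by))
    return not problems

def demo_fraudulent_request():
    """Constructed case: the 'new' number in the request was dialled instead."""
    change = BankDetailChange("V-1001", "FR76-CONSTRUCTED-0001", "j.finance",
                              callback_number_used="+33 6 99 99 99 99",
                              verified_by="a.controller")
    approve_change(change, "a.controller")
    approve_change(change, "b.director")
    return release_change(change)
```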
Building a cyber resilient hospitality organisation: people, playbooks and partners
Technology alone will not save a hotel group when a major cyber incident hits during peak season. The organisations that recover fastest are those where security and risk management are embedded into daily operations, from front desk to finance and from housekeeping to legal. Training programmes that simulate real phishing attempts, payment fraud scenarios and system outages create muscle memory so that staff recognise and escalate issues before they become crises.
Effective hotel cybersecurity also depends on clear, rehearsed incident response playbooks that define roles for IT, operations, communications, legal, and insurance contacts. These playbooks should cover scenarios such as ransomware on PMS, loss of access to cloud based booking systems, compromise of mobile key platforms, and suspected data exfiltration from loyalty databases. Regular tabletop exercises with executive management, risk managers and external partners such as security consultants and law enforcement agencies ensure that decisions about shutdowns, guest communication and regulatory notification can be made in real time under pressure.
Partnerships matter as much as tools, which is why many groups now invest in managed detection and response services that monitor networks and systems around the clock. These services combine automated detection with human analysts who can identify potential security threats, correlate weak signals, and advise on containment steps when malicious activity is detected. For legal and risk teams, this capability underpins duty of care to guests and owners, supports negotiations with insurers, and reinforces guest trust alongside physical safety measures highlighted in our analysis of advanced hotel room safety features for risk and legal professionals.
Key figures shaping hotel cybersecurity strategies
- Industry research such as the VikingCloud State of Hospitality Cyber Report indicates that a very high proportion of hotels have faced attempted cyberattacks in recent peak seasons, with some segments reporting exposure rates above 80%, illustrating that cyber threats are now a near universal experience for the hospitality industry rather than isolated events.
- Recent editions of the Verizon Data Breach Investigations Report show that ransomware is involved in a substantial share of hospitality breaches, with the 2023 report attributing roughly one quarter of analysed incidents to ransomware, confirming that operational disruptions and extortion have become central tactics for threat actors targeting hotel systems.
- The IBM and Ponemon Institute Cost of a Data Breach studies consistently report multi million dollar average breach costs for U.S. companies, with the 2023 edition citing an average total cost of around USD 9.5 million, a figure that underscores why even a single incident involving guest data and payment card information can be financially devastating for hotel groups.
- Major historical hotel breaches, including the Marriott incident exposing hundreds of millions of records between 2014 and 2018 and the MGM Resorts leak affecting more than ten million guests, demonstrate how long term unauthorized access can remain undetected without strong detection and monitoring capabilities.
- Industry surveys show a sharp rise in AI enabled phishing, IoT exploits and vendor side compromises, which together explain why insurers now require multi factor authentication, endpoint detection and response, and documented incident response plans as baseline conditions for cyber coverage.
FAQ about hotel cybersecurity for risk and legal teams
How can hotels protect against cyberattacks?
Hotels can protect against cyberattacks by implementing strong security protocols, such as multi factor authentication, network segmentation, and regular patching, combined with targeted staff training. Technical controls must be supported by clear incident response plans, tested backups, and vendor management processes that extend security expectations to third parties. Continuous monitoring for malicious activity across PMS, POS, Wi Fi and cloud based systems is essential to detect and contain attacks before they cause major operational disruptions.
What data is at risk in hotel cyberattacks?
The primary data at risk in hotel cyberattacks includes personal guest information such as names, contact details, identification documents, and stay history. Financial data, including payment card numbers, billing addresses and loyalty points balances, is also highly targeted because it can be monetised quickly. In many incidents, attackers also seek internal hotel data such as contracts, rate plans and corporate credentials, which can be used for further fraud or extortion.
Are small hotels also targeted by cybercriminals?
Small hotels are just as vulnerable as large brands, because cybercriminals often automate attacks and scan the internet for exposed systems without distinguishing by size. Independent properties may have weaker security controls, limited IT staff and less formal risk management, which can make them attractive targets. For insurers and regulators, the expectation of reasonable cybersecurity measures applies to all hotels that process guest data and payment information, regardless of their scale.
Which hotel systems are most attractive to threat actors?
Threat actors focus on systems that combine valuable data with high operational impact, such as property management systems, point of sale platforms, and payment processing gateways. They also target remote access tools, email systems and vendor portals, because compromising these entry points can provide broad access across multiple hotels. Increasingly, attackers look at operational technology such as door locks and building management systems, using them to create pressure during ransomware incidents.
What role do guests play in hotel cybersecurity?
Guests are both beneficiaries of strong hotel cybersecurity and active participants in reducing risk when they follow basic digital hygiene. They can help protect their own data by using strong, unique passwords for loyalty accounts, avoiding public Wi Fi for sensitive transactions, and monitoring bank statements regularly for suspicious charges. Clear communication from hotels about secure Wi Fi access, privacy practices and incident handling builds trust and encourages guests to behave in ways that support overall security.