Bed and Break-In: Hotel Industry Tries to Show Hackers the Door

Carlos Cantres works at the front desk at The Jane Hotel, Wednesday, March 18, 2009 in New York. Mary Altaffer / AP file

The hotel industry, which has seen numerous reports of data-stealing malware on computer systems in recent months, is trying to shore up its cybercrime defenses to keep travelers’ personal information out of the hands of hackers.

While the hospitality industry has not been hit as hard by cybercrime as many others -- notably the financial, defense and health-care sectors -- the malware attacks show that it is emerging as a favored target of hackers because of the high volume of credit card transactions that hotel chains perform and the store of personal information they keep on travelers, experts say.

In the past year alone, data breaches, suspected hacks and incidents of malware discovered on payment systems were reported by hotel chains Hyatt, Hilton, Starwood, Mandarin Oriental and Trump, among others.

Cybercrime costs for the industry have averaged $5.18 million over the past six years, but topped $8.2 million in 2015, according to the Ponemon Institute.

Michael Blake, CEO of Hotel Technology Next Generation, a trade association of hotel and technology groups, said investigations into the malware attacks indicate that they apparently were the work of different hacker groups, many of them based in “Eastern bloc countries.”

“These aren’t kids in a basement anymore,” he said. “This is truly organized crime. They’re very well capitalized, they have motivation and some of their targets are pretty easy.”

Hyatt issued a report to customers Thursday, shortly after NBC News inquired about the status of the malware investigation, which said the attack to steal payment card data occurred between August 13 and Dec. 8. It also lists affected locations and dates where signs of unauthorized access to card information were detected and the steps being taken to inform customers who may have at-risk transactions.

“We worked quickly with leading third-party cyber security experts to resolve the issue and strengthen the security of our systems in order to help prevent this from happening in the future,” Chuck Floyd, Hyatt’s global president of operations, said in the statement. “We also notified law enforcement and the payment card networks. Please be assured that you can confidently use payment cards at Hyatt hotels worldwide.”

The hotel chain, which is controlled by the billionaire Pritzker family, disclosed in December that its payment processing system was infected with malware but did not mention how long its network was infected.

Hyatt said Thursday it still has not determined the number of customers whose data was compromised.

Starwood did not immediately respond to NBC News’ requests for updates on its malware investigation. Hilton, Mandarin Oriental and Trump have released reports on their intrusions similar to the Hyatt report.

Hotels are attractive targets because they process more than a billion credit card transactions a year and collect and keep not just credit card information, but personal data about guests’ preferences.

They also may be vulnerable to older hacks because many individual hotels are operated by franchisees, where the owners may not be paying enough attention to security, said Blake, the hotel and technology group executive.

Efforts are underway to try to fight back.

When breaches happen, a working group of hotel chain chief information security officers gathers to share information about the threat.

“Sometimes that call takes place in real time,” while the attack is underway, said Blake.

Credit card companies also help flag network break-ins.

“Reporting and notification from card issuers are one of the many tools used to help identify breaches,” Blake said. “However, most of the reporting you get from these agencies highlight a localized problem within a geography or potentially a bad actor within a specific hotel.”

Eduardo Perez, senior vice president, Payment System Risk, Visa Inc., said credit card companies also are working proactively to secure systems before hackers can strike.

“Over the past year, we issued security alerts specifically about malware targeting hotels and retailers as well as what businesses can do to identify, mitigate and prevent attacks,” he said via email.

Hotels are also getting better about giving timely information about security incidents to customers, and the industry is working more closely with both government and law enforcement to stay on top of threats, said Rosanna Maietta, a spokeswoman for the American Hotel & Lodging Association.

“We are also working with the payment card industry to aggressively roll out chip and PIN technology, which will reduce credit card fraud, and ensure payment card security stays ahead of bad actors,” she said.

Beyond the financial damage a data breach can have at a hotel or a hotel chain, there are issues of trust.

“Travelers often have a greater sense of a relationship with a hotel brand than they do with a retailer,” said Bjorn Hanson, a clinical professor at New York University's Preston Robert Tisch Center for Hospitality and Tourism. “There is a greater sense of obligation to protect information of a personal nature when sleeping, bathing, dressing, eating and other private matters are involved.”

Of course, travelers shouldn’t just rely on hotels or the credit card companies to protect their personal data.

“When at a hotel, monitor your folio every day,” said Blake. “Check your credit card charges and, when you register for hotel loyalty programs, use unique passwords at every site.”