Never Trust a Hotel to Protect Your Personal Data
by Robert McGarvey
The Hotel Management headline caught my eye: What hoteliers need to know about protecting guest data. To be candid my instant reaction was one word: Everything. Given how many documented hotel data breaches there have been in this century, to call hotels data sieves is to flatter them.
Now matters may be worsening, mainly due to the labor crisis that is engulfing US hotels.
But hotels already are documented as bad at data protection. Here’s a hotel breach timeline dating back to 2010 in Hotel News Now. What is stunning is how many breaches go undetected for many months. For instance, in 2019 Choice Hotels reported a data leak that “inadvertently” disclosed customer info to business partners. How often? Per Hotel News Now: “Overall, this issue occurred approximately 88,000 times from June 2015 through 12 November 2019.”
Read the HNN timeline and the victims are a roll call of hotel management companies, from Marriott to Trump, Hilton to White Lodging.
You want to laugh at their ineptitude but hold that chuckle because it is your data that is in play, your info that is getting sucked out and put in the hands of criminals.
Surely, matters are improving, data will be more scrupulously guarded. You might think so.
Lots of companies – including the several profiled in the Hotel Management article – offer contemporary data protection technology and practices. The availability of protection is not in doubt. The readiness of hotels to spend the money and the readiness of their staff to implement the procedures very much are in doubt.
How many stories have you read about hotel labor shortages? This impacts everything from front desk clerks to gardeners and housekeepers. It definitely means there is a shortage of IT security staff who probably have migrated into industries with better pay and superior technology. See this April 2022 Law.com article, Hackers’ Path Eased as US Cybersecurity Jobs Sit Empty. Per the article: “About 1 million people work in cybersecurity in the U.S., but there are nearly 600,000 unfilled positions, data from CyberSeek shows.” You can bet that a lot of those unfilled positions are in hospitality where, as a rule, pay lags. If you have an in-demand skill, the smart move of course is to go where the money is and that will rarely be hospitality.
Assume any hotel you stay in has cybersecurity openings and that it has struggled, and generally lost out, in efforts to keep its best cybersecurity staffers.
More bad news is that the professional cyber criminal organizations are in full gear to attack travelers and hotels because the criminals – who have been staffing up – believe the odds increasingly favor them.
Current events play into this. Attacks out of Russia are skilled and they are growing in number.
Your cyber safety depends upon an understaffed and possibly under-talented workforce.
Check into a hotel and the property hoovers up lots of data from you – a credit card number, probably a driver’s license number, business address, possibly also home address. That is ample info to enable a crook to make purchases on your credit card, possibly to attempt opening new accounts in your name.
Know this: although it is tempting to use a fake ID at a hotel, most (possibly all) states have laws making it illegal. I am no lawyer but my guess is that without evidence of criminal intent, no one would prosecute a worried traveler who used a fake ID and a credit card in the same name to check into a hotel in order to minimize risks of data theft. And I seriously doubt many hotels would have any interest in a prosecution going forward when the guest did not defraud them and the guest intends to mount a defense built around hotels and their data leaks. But caveat emptor.
I am not presently using a fake ID but I put hotel related charges on a credit card where I check the activity frequently (several times a week). It’s also a credit card issued by a company with generally good security practices.
I suggest you do likewise. Put all hotel related expenses on one card that you check frequently. If you travel a lot this year – between hotel staff shortages and what seems to be chronic underinvestment in cyber by hoteliers – your data is at risk.
Keep that in mind with every transaction at a hotel. Incidentally, hotel bars and restaurants seem especially leaky – think hard about paying cash. Ditto hotel gift shops.
I wish I had better news for you but the best I can say is: assume your data may be breached every time you stay in a hotel. With that attitude you will stay on the defense and that’s now a traveler’s must.
You know how savvy travelers brace themselves against pickpockets when in crowded train stations especially in Europe? Me, I will literally keep a hand on my pocket touching my wallet. Paranoid? Nah. Just careful.
Do likewise with your data in a hotel.
Maybe you can’t cuddle it but you can be mindful about it and that’s the next best thing.