The hospitality industry has long been a favorite target of cybercriminals.

Attacks in the industry are near-universally financially motivated, with the majority aiming to steal information that can either be sold or used to make a profit. Credit card information is a primary target, but cybercriminals also aim to steal sensitive guest information to commit fraud and use it as leverage for ransom demands.

The 2023 Data Breach Investigations Report identified malware (e.g., ransomware and RAM scrapers), web application attacks, and social engineering as the most significant threats to hospitality organizations.

This article discusses why cyberattacks in the hospitality industry have become so common and looks at three recent examples of serious breaches of hotels and online reservation systems.

Why are Cyberattacks a Concern in Hospitality?

Hospitality organizations including hotels and casinos rely on a broad range of connected technologies to provide a seamless guest experience. From check-in kiosks and digital keycards to automated lights, temperature sensors, and minibars, Internet of Things (IoT) technology is essential to operations.

However, historically, the hospitality industry was slow to adapt to the realities of modern cybercrime. Many hospitality organizations took a long time to recognize the importance of a robust cybersecurity program—and, as a consequence, became enticing targets for cybercriminals.

The average cost of a hospitality data breach in 2023 was $3.36 million, up from $2.94 million in 2022. That’s a 14% increase in the space of a year. At the same time, where hospitality accounted for just 2% of data breaches in 2019, it now accounts for 4%.

That may not sound like much… but it represents a massive increase in attacks worldwide.

A recent report found that almost a third (31%) of hospitality organizations have reported a data breach in their lifetime. Of those, 89% had been affected more than once in a year.

3 Recent Hospitality Cyberattacks

1. MGM Resorts Hack Costs Over $100 Million

In mid-2023, MGM Resorts International reported a massive cyberattack that resulted in over $100 million in costs and the theft of an unspecified amount of personal guest information.

Security researchers have attributed the hack to a social engineering attack carried out by Scattered Spider, a threat group working with AlphV/BlackCat. It began with a Vishing call to the company’s helpdesk, where an attacker impersonated an employee. The attacker was able to convince a helpdesk employee to help them gain access to “their” account—the account of a super administrator with advanced privileges across MGM’s systems.

MGM attempted to cut the attack short when they noticed the attackers were “lurking around their Okta Agent servers, sniffing passwords” but it was too late. The attackers were able to encrypt some of the company’s data—“more than 100 ESXi hypervisors,” according to the attacker, though this may be exaggerated. MGM was served with a ransom demand in exchange for the decryption key.

In a statement, the company’s CEO stated:

“…criminal actors obtained certain personal information belonging to some customers who transacted with us prior to March 2019. This includes name, contact information, gender, date of birth, and driver’s license number. […] We also believe a more limited number of Social Security numbers and passport numbers were obtained.“

In addition to the stolen data, guests were unable to use digital room keys, payment systems were non-functional, and hotel restaurants could only accept cash. MGM Resorts stated hotel occupancy fell to 88% during September (compared to 93% the previous year) largely as a result of the attack disrupting the company’s website and mobile applications used for reservations.

In response to the attack, MGM notified law enforcement and brought in a specialist IT security firm to support its investigation and recovery. It’s believed the company received a ransom demand but refused to engage with its attackers.

The company claimed the attack would impact its third-quarter financial results by around $100 million, including $10 million in costs for technology consultants, legal fees, and other third-party advisors. Note that these figures don’t include the cost of any legal proceedings by affected individuals, which could be considerable.

2. Motel One Hacked, Credit Card Data Stolen

Motel One, a budget hotel chain operating in Europe and the U.S., was hacked in late 2023 by cybercrime group AlphV/BlackCat.

The group infiltrated Motel One’s network, intending to launch a ransomware attack. The company claims the attack had “limited success” thanks to its effective security posture. However, the attack resulted in downtime for the company and the theft of an unspecified amount of customer data such as postal addresses, e-mail addresses, and telephone numbers. The attackers also accessed data linked to 169 customer credit cards and their corresponding addresses.

In a statement on its website, the AlphV/BlackCat cybercrime group stated the breach was significantly worse than Motel One let on, claiming to have stolen over 24 million files. The alleged six terabytes of data supposedly included:

“PDF & RTF booking confirmations for the past 3 years containing names, addresses, dates of reservation, payment method, and contact information. Additionally, there is a significant amount of your customers’ credit card data and internal company documents, which undoubtedly hold sensitive information.”

The group issued a ransom demand to Motel One, threatening to publish the stolen data online if the company didn’t pay. It’s unclear whether Motel One engaged with the group or paid the ransom, however, in a statement, the company claimed:

“The hacker group had published the stolen data on the Dark Net. However, as far as we are currently aware, the corresponding page on the Dark Net has since been removed.”

The company’s primary strategy appears to have been to downplay the incident—however, the fact remains that a considerable amount of personal data was stolen, and there is no doubt the incident will have been costly and embarrassing for Motel One.

3. Caesars Entertainment Pays $15 Million Ransom

In September 2023, Caesars Entertainment confirmed a major breach in which attackers stole the company’s loyalty program database—the largest of its kind in the industry. The database contains highly personal information, including driver’s license details and social security numbers for “a significant number” of customers.

According to some reports, the attack was conducted by the threat group Scattered Spider. The attackers initially compromised a third-party IT vendor using social engineering techniques, before using the vendor’s privileged access to acquire Caesars’ loyalty program database.

Once it had stolen the database, the group initially demanded a $30 million ransom, threatening to publish the stolen database online if it wasn’t paid. Ultimately, Caesars agreed to pay a $15 million ransom to avoid the publication of the stolen data.

In accordance with new SEC rules, Caesars Entertainment filed an 8-K report within days of the attack. The report states: “We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result. We are monitoring the web and have not seen any evidence that the data has been further shared, published, or otherwise misused.”

In an attempt to mitigate potential harm to affected customers, Caesars also offered credit monitoring and identity theft protection services to all members of its customer loyalty program.

Beyond the $15 million ransom payment, this incident has had a significant financial impact for Caesars Entertainment. At the time of its 8-K filing, the company stated:

“We have incurred, and may continue to incur, certain expenses related to this attack, including expenses to respond to, remediate and investigate this matter. The full scope of the costs and related impacts of this incident […] has not been determined.”

Protect Your Hospitality Organization from IoT Threats

Securing a hospitality organization is far from straightforward. So, while the attacks described here are concerning, they’re hardly surprising.

Many cyberattacks against hotels, restaurants, and other hospitality organizations go unreported. Most likely, the frequency and severity of attacks in the industry are higher than the figures suggest.

So, what can you do?

One of the major causes of cybersecurity risk in hospitality is the high prevalence of connected devices—everything from online booking systems and digital keycards to automated lights, temperature sensors, minibars, and more.

Securing network access and managing vulnerabilities across such a diverse network environment is tough. But that’s where we come in. Asimily’s platform streamlines IoT security, making it easy to lock down traffic, monitor traffic sources, and identify unusual connections. 

Hospitality organizations can use Asimily’s Risk Simulation to assess mitigation options for individual vulnerabilities and devices before implementing fixes. This can help you prioritize your efforts, identify high-risk devices, and avoid wasted effort.

Asimily understands your unique environment and provides real-time, actionable remediation steps to reduce risk and save time—making our customers 10X more efficient at resolving IoT security risk.

To find out how Asimily can help minimize the risk of connected devices at your organization, download our white paper: IoT Device Security in 2024: The High Cost of Doing Nothing whitepaper. To get started immediately, contact us today.