Don’t Let a Data Breach Disrupt Your Hospitality Business
By Natalia Santiago, Senior Vice President and Claims Manager, Executive Risk Advisors
Average Cost
The average cost of a hospitality data breach in 2023 was $3.36 million, up from $2.94 million in 2022. That’s a 14% increase in the space of a year. At the same time, where the hospitality industry accounted for just 2% of data breaches in 2019, it now accounts for 4%. [Source 1]
Frequency
A recent report found that almost a third (31%) of hospitality organizations have reported a data breach in their lifetime. Of those, 89% had been affected more than once in a year. [Source 2]
Three Recent Hospitality Cyberattacks
1. MGM Resorts Hack Costs Over $100 Million [Source 3]
2. Motel One Hacked, Credit Card Data Stolen [Source 4]
3. Caesars Entertainment Pays $15 Million Ransom [Source 5]
Case Study: Ransomware Attack Against a Large Hospitality Client
What would you do if you were suddenly locked out of your own systems? What if the elevators and the keycards to guest rooms in your organization stopped working?
What happened?
An employee at a large hospitality client receives what appears to be a routine email from a well-known partner. It has none of the spelling mistakes or other telltale signs that phishing emails often carry. The email instructs the recipient to download an attachment: a .zip file said to contain an Excel spreadsheet. In reality, the partner's system had been compromised and the email was sent by threat actors, not the partner. The attachment was not an Excel sheet at all, but ransomware.
Once the attachment was opened, the client's system was infected and the ransomware disabled the hotel chain's antivirus software, which let it spread further across the network. With that access, the threat actors collected sensitive information about employees, guests and other clients and encrypted a significant number of files on the hotel computers.
The encryption left the company unable to access any of those files. Essential physical systems for a hotel chain, such as elevators and keycards, also stopped working. With a $40 million demand, the threat actors sought to extort the company into paying to have its systems restored to normal working order.
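The mismatch at the heart of this case, an attachment named as a spreadsheet that is really an executable, is something a mail gateway or an analyst can check for before the file reaches a user. The following Python is added here as an illustration and is not part of the article: it opens a .zip attachment, compares each member's claimed type with its leading bytes, and flags anything that does not match; the byte signatures, file names and the sample archive are constructed for the example.

```python
import io
import zipfile

# Byte signatures (assumptions for this example, not from the article):
# a genuine .xlsx/.docx is itself a ZIP container; a Windows executable starts with "MZ".
PE_MAGIC = b"MZ"
ZIP_MAGIC = b"PK\x03\x04"
OOXML_EXTS = (".xlsx", ".xlsm", ".docx", ".pptx")
EXEC_EXTS = (".exe", ".scr", ".dll", ".js", ".vbs")

def inspect_member(name: str, head: bytes) -> str:
    """Classify one archive member from its name and its first bytes."""
    lower = name.lower()
    if head.startswith(PE_MAGIC) or lower.endswith(EXEC_EXTS):
        return "executable"          # PE payload, whatever the file is called
    if lower.endswith(OOXML_EXTS) and not head.startswith(ZIP_MAGIC):
        return "not-office"          # Office name, but not an Office container
    return "ok"

def triage_attachment(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (member name, verdict) for every file inside a .zip attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as f:
                head = f.read(4)     # only the signature bytes are needed
            findings.append((info.filename, inspect_member(info.filename, head)))
    return findings

def should_quarantine(zip_bytes: bytes) -> bool:
    """True if any member is something other than what its name claims."""
    return any(verdict != "ok" for _, verdict in triage_attachment(zip_bytes))

def build_sample() -> bytes:
    """Constructed test archive: one real OOXML-style member, one PE disguised as Excel."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("rates_2024.xlsx", inner.getvalue())            # genuine container
        z.writestr("invoice.xlsx", b"MZ\x90\x00" + b"\x00" * 60)    # PE bytes, Excel name
        z.writestr("readme.txt", b"plain text")
    return outer.getvalue()

if __name__ == "__main__":
    for name, verdict in triage_attachment(build_sample()):
        print(f"{name}: {verdict}")
```

A real gateway would also unpack nested archives and apply the same check recursively, since the disguised file in this case sat inside a .zip.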
The threat actors leave the following digital note, explaining what happened and demanding the ransom: “Your files are encrypted. If you do not submit payment to us of $40 million — within three days, your files will be lost forever.”
Shortly thereafter, employees begin reporting that their systems are not working. Bookings can’t be processed in their systems or online. Guests are unable to check in or out or even enter their room.
The aftermath of the attack
After the attack, hotel staff must resort to manual approaches for check-ins and providing access to rooms. The kitchen and other facilities have to be closed since the hotel doesn’t have a way to charge customers.
Hotel security sets up a crisis response team and assigns it the task of figuring out how to get the systems back online as soon as possible. Previously, the company had decided to migrate from its Windows system to Google Chrome for their internal operations. Now they decide to fast-track this migration as a way to restore their systems. In the first 72 hours following the attack, they managed to carry out the first migration on one of their computers. This allowed the first hotel to manage bookings and check-ins again. Nonetheless, there was still a lot of hard work to do.
With the help of the incident response team, in five days the client manages to migrate 500 computers in five hotels across five different countries. However, while they’re busy working on regaining access to their systems, the threat actors start posting sensitive information about their employees and customers on the dark web. They do this in an attempt to coerce the company to pay the ransom, posting 10% of the total stolen information at a time.
To pay or not to pay?
As critical data is held hostage and systems are rendered inoperable, the client finds itself in an untenable situation. The technology that powers their hotels is down, bringing all operations to a halt. Employees cannot perform critical tasks.
With several operational challenges and contractual obligations left unmet, the company is losing money — every hour, every minute, every second.
Should they pay? Several factors should be considered, including the criticality of affected data and systems, availability and integrity of data backups, cost of the ransom compared with the estimated cost of restoration, the likelihood of a successful restoration (whether the ransom is paid or not), and regulatory implications.
Paying the Ransom
The client makes the decision to pay the ransom after determining that a timely restoration of its systems, files, and data is not possible. McGriff helps the organization quickly engage privacy counsel and vendors to serve as an incident response team.
Computer forensic teams actively investigate the incident and try to determine its scope while working to limit the spread of the malware. Crisis management and public relations teams are engaged to manage reputational harm. Meanwhile, the client is busy preparing necessary internal authorizations and working with third parties to prepare for a cryptocurrency payment.
Legal and regulatory checks must be performed, such as a review of whether payment is possible under rules established by the Office of Foreign Assets Control, which prohibits payment to certain sanctioned foreign parties. A ransomware response vendor, meanwhile, begins negotiating with the attackers on the hotel chain’s behalf for a reduction in payment demands and a later deadline.
The vendor’s specialists have seen this strain of ransomware before and understand how the threat actor group operates. After initial communication with the threat actors, an extension is granted and the payment is negotiated down to $5 million. Before the payment is made, a decryption tool is tested; only then is the payment transferred.
The work, however, is far from over. It may take weeks to deploy the decryption keys across the network and restore all impacted systems to full functionality. Additional forensics may be necessary to confirm there are no remnants of the malware, that backdoors are identified and eliminated, and that systems have been scrubbed clean. Backups will need to be reconfigured and tested and data may need to be restored. To prevent another incident, new hardware or software may also be needed. The goal is to improve the overall security environment and support improved cybersecurity monitoring.
Cyber insurance coverage, secured with the help of McGriff, proved to be key. The policy reimbursed the ransomware payment and covered the costs of the vendors. Data restoration costs were also recovered, along with lost income during downtime and extra expenses incurred in order to continue operating. McGriff also assisted in preparing a business interruption claim to ensure that the client maximized its coverage and recovery.
Two weeks after the incident, the client returned to near normal operations, although a lot of recovery remediation efforts remain.
Case Study: The Importance of Network Security in Hospitality
What happened?
Hotels, a big hospitality organization with properties in all 50 states, reports a significant data breach. The breach impacts 75 hotels across the U.S. The threat actors exploited vulnerabilities in point-of-sale locations such as restaurants, spas, and hotel reception areas. The malware designed to collect payment card data is sophisticated enough to evade the existing security measures, highlighting a critical oversight in network security.
The organization discovers the breach based on signs of unauthorized payment card data access. They conduct a thorough investigation with cybersecurity experts approved by cyber insurance, collaborate with law enforcement, and enhance their security. They also offer free identity protection services to affected customers and transparently communicate their remedial actions and preventive measures.
The aftermath of the attack
After the hotel organization decided not to pay, its data was exposed on the dark web. It took more than two months to restore 40% of its operations, and the overall recovery and remediation efforts went on for over six months. Business Interruption and Extra Expense losses totaled over $10 million.
Applicability of Privacy and Data Security Laws in Hospitality
Comprehensive consumer privacy laws have now been enacted in 17 states, and more states are in the process of passing similar legislation. Even if the state in which a hotel is located has not yet adopted a consumer privacy law, a hotel may be subject to the privacy laws of other states because the guest making a booking is located in a state that has enacted a consumer privacy law.
While a hotel is a brick-and-mortar operation in a specific location, patrons of course are often from other states. As a result, hotels are often simultaneously subject to privacy and data security laws from multiple jurisdictions.
Hotel owners and operators in the United States could also be subject to non-U.S. privacy laws, such as the EU/UK General Data Protection Regulation (GDPR), as a result of advertising their services to hotel guests from the European Union or the United Kingdom. To properly assess and negotiate potential liability relating to data and security laws with respect to a hotel, hotel owners and operators should examine the applicability of such laws to their operations and consider whether additional compliance obligations are triggered.
Sources:
Additional Resources:
Read McGriff’s It Benefits You, a monthly newsletter containing information on HR best practices, employee benefits industry trends and regulatory requirements. McGriff provides employers with tools and resources to help your company identify and manage the risks inherent with employees and the valuable benefits needed to recruit and retain people.
About McGriff - Never settle for less.
When it comes to protecting your most valuable assets, at McGriff we believe no one should settle for less than the best. We’re a get-it-done broker, rooted in relationships and driven by a passion to serve. For more than a century, we’ve relied on our experience, resources, and relationships to deliver insurance and risk management solutions focused on our clients’ priorities and what they value most.
Read our story on McGriff.com.
Business Insurance • Risk Management • Employee Benefits • Personal Insurance
© 2024, Marsh & McLennan Agency LLC. All rights reserved. CA license #0H18131
DISCLAIMER: All McGriff risk services are advisory in nature and are designed to assist the client in the establishment and maintenance of a safe workplace. The responsibility to provide safe and healthful work conditions and operations free from known risk and harm to employees, third parties, and the environment is, and shall remain, that of the client. This proposal, and any subsequent reports, is not a warranty that reliance upon them will prevent accidents and losses or satisfy local, state or federal regulations.