Cybersecurity in the hospitality industry

Hospitality, one of the most vulnerable industries

People strongly believe that travel is an essential ingredient of long-lasting happiness. They want to open their lives to new paths of excitement and adventure, visit new places, experience new cultures, and grow into better and happier individuals. Travel builds self-confidence, brings people closer, provides new experiences and memories, breaks routine, and allows us to meet people from all over the world. Travellers expect friendship, love, adventure, surprises. A nice hotel room, and everything else that the hospitality industry can offer, is the most important part of this experience.

Unfortunately, managers and employees of public and private sector firms and organizations who stay in hotel rooms are main targets of foreign intelligence services (including but not limited to the intelligence service of the destination country), state-sponsored groups, organized crime, and even foreign businesses that exploit all opportunities to acquire sensitive or classified information.

People travelling are vulnerable due to the limited control they exercise over their immediate surroundings. The hospitality industry must protect its clients, and the majority of safety and security related challenges can be managed through good security planning, sound security practices, and security awareness and training of managers and employees in every venue and hotel chain.

A new cybersecurity culture for the hospitality industry is necessary. It refers to the knowledge, beliefs, perceptions, attitudes, assumptions, norms, values, and expectations of managers and employees in every venue and hotel chain, regarding security and cybersecurity. Managers and employees must be involved in the prevention, detection, and response to deliberate malicious acts that target systems, persons, and data.

During the past decades, hotels and hotel chains have made substantial investments in security systems and IT infrastructure. Unfortunately, they have not paid as much attention to training their staff to protect these systems from cyber attacks. Cybersecurity awareness and training for all managers and employees who have access to sensitive or confidential information is necessary, in order to make information security considerations an integral part of every business.

Hospitality is one of the industries most vulnerable to cyber attacks. Adversaries usually have the following objectives:

1. To make money.

2. To have access to confidential information (business intelligence, espionage).

3. To attack the country and the critical infrastructure.

Our training programs

Cyber Risk GmbH offers training programs for managers and employees in the hospitality industry. We also offer tailor-made training that assists the Board of Directors and the CEO in understanding cybersecurity challenges.

The Board of Directors and the CEO of entities in the hospitality industry must understand that they are high value targets. For them, standard security awareness programs are not going to suffice. The way they are being targeted is anything but standard or usual. They are the recipients of the most sophisticated, tailored attacks, including state-sponsored attacks. These are attacks that are often well planned, well crafted, and employ advanced psychological techniques able to sway a target towards a desired (compromising) behavior without raising any alarms.

Countries expand their global intelligence footprint to better support their growing political, economic, and security interests around the world, increasingly challenging existing alliances and partnerships. They employ an array of tools, especially influence campaigns, to advance their interests or undermine the interests of other countries. They turn a power vacuum into an opportunity.

Countries use proxies (state-sponsored groups, organizations, organized crime, etc.) as a way to accomplish national objectives while limiting cost, reducing the risk of direct conflict, and maintaining plausible deniability.

With plausible deniability, even if the target country is able to attribute an attack to an actor, it is unable to provide evidence that a link exists between the actor and the country that sponsors the attack.

For our training programs, you may visit:

Hotel Cybersecurity Training.

Hotel Cybersecurity Board Training.

Case Study: September 12, 2023, MGM Resorts International

MGM Resorts International (NYSE: MGM) is an S&P 500® global entertainment company with national and international locations, featuring best-in-class hotels and casinos, state-of-the-art meetings and conference spaces, live and theatrical entertainment experiences, and an extensive array of restaurant, nightlife and retail offerings.

September 12, 2023 - MGM Resorts International issued the following statement:

"MGM Resorts recently identified a cybersecurity issue affecting certain of the Company's systems. Promptly after detecting the issue, we began an investigation with assistance from leading external cybersecurity experts. We also notified law enforcement and are taking steps to protect our systems and data, including shutting down certain systems. Our investigation is ongoing, and we are working diligently to resolve the matter. The Company will continue to implement measures to secure its business operations and take additional steps as appropriate."

October 5, 2023 - FORM 8-K, report to the Securities and Exchange Commission (SEC):

On September 12, 2023, MGM Resorts International (the “Company”) issued a statement that it had recently identified a cybersecurity issue affecting certain of the Company’s U.S. systems.

Promptly after detecting the issue, the Company responded swiftly and shut down its systems to mitigate risk to customer information, which resulted in disruptions at some of the Company’s properties but allowed the Company to prevent the criminal actors from accessing any customer bank account numbers or payment card information. Since that time, operations at the Company’s domestic properties have returned to normal and virtually all of the Company’s guest-facing systems have been restored. The Company continues to focus on restoring the remaining impacted guest-facing systems and the Company anticipates that these systems will be restored in the coming days.

The Company believes that the operational disruption experienced at its affected properties during the month of September will have a negative impact on its third quarter 2023 results, predominantly in its Las Vegas operations, and a minimal impact during the fourth quarter.

The Company does not expect that it will have a material effect on its financial condition and results of operations for the year. Specifically, the Company estimates a negative impact from the cyber security issue in September of approximately $100 million to Adjusted Property EBITDAR for the Las Vegas Strip Resorts and Regional Operations, collectively.

While the Company experienced impacts to occupancy due to the availability of bookings through the Company’s website and mobile applications, it was mostly contained to the month of September which was 88% (compared to 93% in the prior year period). The Company believes it is well-positioned to have a strong fourth quarter, with record results expected in November primarily driven by Formula 1. The Company is further forecasting occupancy to be 93% in October (compared to 94% in the prior year period) and to fully rebound in November for the Las Vegas Strip Resorts.

The Company has also incurred less than $10 million in one-time expenses in the third quarter related to the cybersecurity issue, which consisted of technology consulting services, legal fees and expenses of other third party advisors. Although the Company currently believes that its cybersecurity insurance will be sufficient to cover the financial impact to its business as a result of the operational disruptions, the one-time expenses described above and future expenses, the full scope of the costs and related impacts of this issue has not been determined.

Based on the ongoing investigation, the Company believes that the unauthorized third-party activity is contained at this time. The Company has determined, however, that the criminal actors obtained, for some of the Company’s customers that transacted with the Company prior to March 2019, personal information (including name, contact information (such as phone number, email address and postal address), gender, date of birth and driver’s license numbers). For a limited number of customers, Social Security numbers and passport numbers were also obtained by the criminal actors.

The types of impacted information varied by individual. At this time, the Company does not believe that customer passwords, bank account numbers or payment card information were obtained by the criminal actors. In addition, the Company does not believe that the criminal actors accessed The Cosmopolitan of Las Vegas systems or data. The Company also has no evidence that the data obtained by the criminal actors has been used for identity theft or account fraud.

The Company has established a dedicated help line to address questions about this incident, which can be reached at 800-621-9437 toll-free Monday through Friday from 8 am – 10 pm Central, or Saturday and Sunday from 10 am – 7 pm Central (excluding major U.S. holidays). Please reference engagement number B105892 when calling. The Company also has set up a webpage with additional information. In the coming weeks, the Company will provide notification by email to individuals impacted by this issue as required by law and will offer those individuals free identity protection and credit monitoring services.

While no company can ever eliminate the risk of a cyber attack, the Company has taken significant measures, working with industry-leading third-party experts, to further enhance its system safeguards. These efforts are ongoing.
