

Claims Specialist, Cyber & Technology

Between May 2014 and December 2015, six high-profile companies within the hospitality industry suffered customer data breaches. Malware, compromised card processing systems, gift shop point-of-sale registers, and hotel payment systems were all to blame for the spate of breaches.

From reservations and payment processing to rewards programs and guest services, customers are interacting with hotels and hospitality entities in a wide array of methods. The industry has built a business model of many points of contact with their customers.

These methods of reaching customers on many levels have become more than touch points in a customer service process – they have become vulnerabilities that could result in serious cyber breaches.

The Vulnerabilities

Such vulnerabilities are making the hotel and hospitality industry easy targets for hackers. As a result, every hospitality business – hotels, restaurants, reservation system vendors, and more – is facing the very real threat of a security incident. A restaurant chain with over 3,600 stores in 45 states had their customers’ payment card information stolen. A breach at a global hotel group impacted more than 1,200 of its properties. Another hotel chain had two breaches in two years, with customer data once again being compromised.


Businesses most targeted by hackers are ones that collect significant amounts of personal data on their customers. The hospitality industry is a frequent target because they collect payment card data, addresses, phone numbers, and other identifiable information that are sought by cyber thieves.

The problem is compounded by the lack of segregation of data that exists within the industry. For example, a hotel may operate separately from the restaurants housed on the property, but in far too many cases the third party vendor systems are linked, allowing for a smoother transaction for guests, such as charging the restaurant tab to the guest’s hotel stay.

Therefore, a breach of a hospitality company can have far-reaching effects. Third party systems are particularly vulnerable, potentially threatening not only the vendor’s data, but the data of its customers, many of whom are large hotel and hospitality chains. Given all the individuals and companies involved, this kind of situation can produce a domino effect that can be felt well beyond the initial entity that was breached. In one notable breach in 2017, thieves gained access to a third party reservation system vendor, exposing payment and customer information. The system is used by over 32,000 hotels and lodging entities.


By far one of the most vulnerable segments of the hospitality industry – and the one most targeted for point-of-sale intrusions – is accommodations. According to a 2017 Verizon Data Breach Investigations Report, hotels account for 92 percent of all point-of-sale intrusions.

Hotels tend to be more vulnerable than other segments of the hospitality industry because of the number of touch points that hotel marketing processes attempt to establish with their customers. Customers make online reservations, sign up for loyalty programs that link to their cards, present payment cards for the front desk to make an imprint of, and purchase meals onsite.

For hotels offering a wide array of guest services, the threat is multiplied exponentially. Due to the interconnectedness of other business entities within a hotel – shops, restaurants, dry cleaning services, business centers, and more – breaches can spread quickly across the enterprise and be complex and costly to remediate.

The costs of these breaches are mounting. Six- or even seven-figure settlement costs are not uncommon. A fast-food restaurant had millions of customer payment card records stolen and offered for sale on the internet. The four-year average cost per breach in the hospitality industry is .


Securing the Data

For those in the hospitality industry, prevention is critical. Hotels and hospitality companies should apply the following measures:

Know what to protect. A review of data collection can help companies identify the information that is most vulnerable in the hands of hackers.

Upgrade and update. Old systems and those that aren’t receiving the latest security updates are particularly vulnerable to compromise. Regularly update relevant systems and retire systems that are no longer supported. Also, prohibit the downloading of apps or unauthorized programs onto company systems.

Segregate data and limit access. Avoid connecting all networks under one system. Also, limit access permissions to only those employees who are working with the data. Create an access hierarchy that limits full permission to management-level employees and adds restrictions to lower-level employee access.

Limit data. The less data stored, the lower the impact should a breach occur. Collect and store only that data that is necessary to conduct business. Review what data is being collected to ensure that the company is not storing sensitive data that has no business purpose.

Strengthen vendor contracts. Know what data security measures vendors have in place and how they are handling data. Review all contracts and agreements to ensure that risks are transferred to vendors and that data security requirements are spelled out.

Reinforce existing security processes. Continue to follow existing rules, and review them regularly to ensure that the protocol keeps up with the evolution of data security risks. Train employees on how to detect malware or phishing emails, and how to report them. Revoke permissions of employees who have left the company. Require password updates regularly.

Get an insurance check-up. Review policy limits to ensure coverage is not outpaced by the severity of the risks. Policies should be sure to include coverage for ransomware, business interruption, and cyberextortion as well as crisis response costs and third party liability coverage. Additionally, it is important to consider dependent business interruption and System Failure coverages as well as broadened definitions of Privacy Regulatory Coverage and Personal Identifiable Information (PII) to comply with new regulations such as the European Union’s impending GDPR. (See The Impact of GDPR: EU data protection meets US-based business for more info.)

Data breaches within the hospitality industry have become a serious threat that is growing in scope and severity. As companies conduct global business, the risks are compounded through shared data and systems. Hackers are becoming more sophisticated in carrying out breaches, and hotels and hospitality groups can expect the frequency and severity of such attacks to continue to increase.

By increasing diligence around the handling, storing, and sharing of customer data, hotels and hospitality companies can help reduce the likelihood of a breach or at the very least limit the scope of its impact. Placing requirements in contracts and working with vendors that take cyber security seriously, restricting the amount of personal data collected, and segregating systems can help keep customer data safe and keep the bad guys at bay.


About the Author

Brooke Gartner is a claims specialist in XL Catlin’s Cyber & Technology business. She can be reached via email at


Global Asset Protection Services, LLC, and its affiliates (“AXA XL Risk Consulting”) provides risk assessment reports and other loss prevention services, as requested. This document shall not be construed as indicating the existence or availability under any policy of coverage for any particular type of loss or damage. AXA XL Risk. We specifically disclaim any warranty or representation that compliance with any advice or recommendation in any publication will make a facility or operation safe or healthful, or put it in compliance with any standard, code, law, rule or regulation. Save where expressly agreed in writing, AXA XL Risk Consulting and its related and affiliated companies disclaim all liability for loss or damage suffered by any party arising out of or in connection with this publication, including indirect or consequential loss or damage, howsoever arising. Any party who chooses to rely in any way on the contents of this document does so at their own risk.
