Cyberattacks are draining millions from the hospitality industry

Every day, millions of travelers share sensitive information like passports, credit card numbers, and personal details with hotels, restaurants, and travel services. This puts pressure on the hospitality sector to keep that information safe and private.

Cybersecurity challenges in the hospitality industry

The industry itself is booming. The hotel segment alone is expected to reach a new peak of $511.91 billion in 2029. It’s no surprise that cybercriminals are taking notice.

The growing financial impact

The average cost of a data breach in hospitality rose from $3.62 million in 2023 to $3.86 million in 2024.

Expanding attack surface

Recent analysis uncovered 95,040 vulnerabilities across hospitality companies, including 3,884 unique CVEs. Of these, 14,318 were classified as critical, with 1,521 listed in the CISA Known Exploited Vulnerabilities catalog.

Complexity of hospitality networks

Part of the challenge lies in the complexity of hospitality networks, which connect guests, employees, vendors, and a wide range of devices such as smart locks and payment terminals. Each connection can serve as a potential entry point for attackers.

Regulatory pressure and compliance

Adding to the pressure, privacy laws such as GDPR and other region-specific regulations are forcing hotels to raise their standards for data protection and be more transparent about how they handle guest information.

Real-world incidents

In 2024, Omni Hotels & Resorts experienced a cyberattack that led to a prolonged IT outage, disrupting core systems including reservations, payment processing, and electronic room access.

In another incident from the same year, a threat actor breached the Otelier hotel management platform, compromising customer data from hotel brands such as Marriott, Hilton, and Hyatt. The attack exposed 437,000 customer email addresses, along with names, physical addresses, phone numbers, travel booking details, purchase records, and, in some cases, partial credit card information.

Much of this data finds its way onto underground forums, Telegram groups, and private marketplaces. In these places, underground “travel agencies” pop up, offering discounts on hotels, flights, and car rentals. These services are used by many people, from criminals to those simply looking for cheaper options, some of whom may be unaware that this is illegal.

Human factors and social engineering

The hospitality industry hires a lot of temporary workers, so staff turnover is high. With new people coming in all the time, it’s hard to keep everyone up to speed on security. Gaps in training and enforcement create openings for attackers, who may exploit human error by impersonating IT staff or sending phishing emails.

For example, the 2023 MGM Resorts breach occurred when attackers impersonated an MGM employee and deceived help desk staff into granting them access. The breach cost about $100 million, not counting legal settlements.

According to Keepnet, new hires are more likely to fall for phishing attacks and social engineering than longer-term employees.

Using AI

“AI can help organizations improve their threat protection, response times, and overall resilience in the face of growing cyber risks – but only if it’s adopted thoughtfully and strategically,” noted Aditya K Sood, VP of Security Engineering and AI Strategy, Aryaka.

That said, AI isn’t perfect. Sometimes it gives false alarms or misses subtle attacks. Using AI also means spending money, having the right skills, and managing it regularly, which can be a challenge for some hotels.

If a hotel depends too much on AI without proper checks, security gaps or privacy problems can happen. For hospitality providers, AI should be viewed as a supportive tool, not a standalone solution. When paired with well-trained staff and defined policies, it can be a powerful component of a broader cybersecurity strategy.

At the same time, AI also empowers criminal groups. They are already using it to improve phishing emails, create convincing deepfakes, and clone voices. With the advancement of AI tools, we can expect an increasing number of attacks for which the hospitality industry will need to prepare.

How ready is your hospitality business?

To see how well your cybersecurity holds up, ask yourself these questions:

  • Do we have a written cybersecurity policy that everyone on staff knows and follows?
  • How often do we train new and current employees on security best practices?
  • Are all our third-party vendors and partners checked to make sure they meet our security standards?
  • Do we regularly review and update our security measures to keep up with new threats?
  • Does leadership support investing in cybersecurity and employee training?

If you hesitated on any of these, it might be time to take a closer look at your security plan.

