Cybersecurity in hospitality: what every hotelier needs to know

Mews CEO Matt Welle and two cybersecurity experts warn that hospitality is an underinvested, high-value target for cybercrime, urging hoteliers to adopt passkeys, SSO, and business continuity plans.

Hotels have always been in the business of trust. Guests hand over their passports, their credit cards and years of personal data. They expect everything to be safe.  

But in the latest episode of Matt Talks Hospitality, Mews CEO and former hotelier, Matt Welle, sat down with two cybersecurity experts to discuss a reality that's becoming harder to ignore: hospitality is a prime target for cybercrime, and much of the industry isn't ready. 

Fleur van Leusden is a Chief Information Security Officer with a background in some of the earliest internet investigations at the Dutch National Police. Terry Brown is a Senior Director of Engineering at Mews, who leads the technology thousands of hotels rely on every day. Here’s what they said. 

Why hospitality is in the crosshairs 

The value of hotel data isn't a secret – at least not to criminals. As Fleur puts it plainly: "Hotels have a lot of gold to be mined. They have payments data. They have personal information, email addresses, physical addresses, and they have lots of it. And that makes them a really interesting target for criminals to try and attack." 

Terry adds a layer of context that should prompt a hard look inward. "The hospitality industry has typically been relatively slow on adoption of technology in general," he says. "A lot of hotels didn't prioritize IT security as part of their day-to-day operations. I think hospitality has been quite lucky that it's flown under the radar for quite some time. What attackers are starting to realize is that there is a market here that has underinvested for a while, and that is making it ripe pickings for the low-hanging fruit." 

Fleur frames it in stark terms: "If you, as an industry, underinvest or have had other priorities than security, you will automatically be more vulnerable to attack. It's a combination of the two. There's gold to be mined, and there's a very high chance of success." 

Attacks have changed and defences haven't kept pace 

You may remember the large-scale hospitality breaches of a decade ago – massive, unencrypted credit card databases stolen in single events. Today's attacks are more sophisticated and, in some ways, more insidious. Attackers don't need to break down the door when they can trick someone into opening it. 

Terry outlines one of the most common strategies for hotel phishing attacks. 

"They will spin up a fake landing page – a login page. They advertise it on Google, and they can one hundred percent mimic what it looks like. Users just look for a PMS login page, and then they get to the ad. They get to the page, they log in, then they go to the two-factor authentication. They copy that token from the Google app into the page, which the hacker simultaneously copies live as well." 

The problem isn't just technical. Terry gives a telling example that highlights the importance of security awareness and education: "Even recently, we've had a customer in Europe who got an email to say, 'Oh, you're logging in from the US. You haven't logged in here from here before. Is that okay?' And they clicked yes." 

Security by design, not by checkbox 

One of the most important points in the conversation is one that challenges how software is often built and sold. Fleur argues that security shouldn't be something users opt into – it should be the path of least resistance. "Make the most secure way the default way," she says. 

However, despite the importance of phishing awareness training, Fleur believes it is only one piece of the security puzzle. "If one click on one link can destroy your entire network, then maybe the click on the link is not really the problem."  

Systems need to be built so that one compromised account can't bring down everything. That's the philosophy behind how Mews has evolved its own approach to authentication. The platform offers passkeys and single sign-on (SSO) – now provided free to customers – as the recommended default.  

Passkeys specifically represent a step-change. Because they combine several factors, they are highly phishing-resistant. Unlike a six-digit time-based one-time password (TOTP) code that a user can unknowingly hand to an attacker, passkeys bind authentication to the device, the person and often a biometric factor. Providing a passkey to a fake login page simply doesn't work.
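The difference between the two factors, seen from the server that checks them, as an added example (not from the article or from Mews). It assumes a placeholder login origin, https://pms.example; sample_assertion builds constructed data, and the signature verification a real relying party must also perform is left out.

```python
import base64, hashlib, hmac, json, struct

EXPECTED_ORIGIN = "https://pms.example"  # assumed login origin (placeholder)
RP_ID = "pms.example"                    # assumed relying-party ID (placeholder)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    """The server sees only six digits; nothing in them records which
    page the user typed them into, so a relayed code still verifies."""
    return hmac.compare_digest(totp(secret, unix_time), code)

def check_passkey_binding(client_data_json: bytes, authenticator_data: bytes,
                          expected_challenge: bytes) -> bool:
    """Type, challenge, origin and RP ID hash checks from WebAuthn assertion
    verification. The browser writes the origin; the user cannot retype it."""
    client = json.loads(client_data_json)
    rp_id_hash = hashlib.sha256(RP_ID.encode()).digest()
    return (client.get("type") == "webauthn.get"
            and client.get("challenge") == b64url(expected_challenge)
            and client.get("origin") == EXPECTED_ORIGIN
            and authenticator_data[:32] == rp_id_hash)

def sample_assertion(origin: str, rp_id: str, challenge: bytes):
    """Constructed sample of the fields a browser and authenticator fill in."""
    client = json.dumps({"type": "webauthn.get",
                         "challenge": b64url(challenge),
                         "origin": origin}).encode()
    # rpIdHash (32 bytes) + flags (user present, user verified) + sign count
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + bytes(4)
    return client, auth_data
```

An assertion produced on any origin other than the expected one fails the check, while the TOTP check has no equivalent field to test.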

Security is a shared responsibility 

Both experts agree that technology providers like Mews can only do so much. Hotels have a role to play too. 

"There's only so much you can do as a provider," says Fleur. "At some point, you have to also take responsibility yourself as a company to work with the software you've bought as securely as possible." 

That extends to knowing your own IT landscape. Fleur recommends every property build a map of vendors and dependencies – understanding which systems are essential, which cloud providers they rely on, and what happens to operations if any of them go down.  

Her advice: "Have a business continuity plan in place. What are you going to do if the internet doesn't work for two days? You have a hotel to run, you have everything in the cloud, all your data, all your guest information – now what?" 

It's a scenario that doesn't require an attack to occur. Outages happen. Migrations go wrong. The hotels that handle these moments well are the ones that planned for them. 

Where to start 

For any GM, owner-operator or IT lead wondering where to focus first, both experts offer clear direction. 

Fleur's recommendation: "Look at that dashboard with the security posture and see if you can get it to a higher level, because that's going to really, really make a difference. Because that's where your crown jewels are." She also urges teams to map their vendor dependencies and put business continuity plans in place before they're needed. 

Terry keeps it simple: "Invest a little time and effort. Security is always a compromise with usability. But without taking some of these simple steps like enabling passkeys or the alternatives, you're ultimately leaving yourself far more at risk from a GDPR and a breach perspective." 

The guests who trust you with their passport, their credit card and their personal data are banking on hotels to take this seriously. The tools are there. The steps are clear. It's a question of whether security makes it onto the agenda before something forces it there. 

For more insights and detail on hotel data security, watch or listen to the full episode of Matt Talks Hospitality.  
