Hotels are attractive targets for cyber criminals because they hold data that can easily be abused: names, (e-mail) addresses, mobile phone numbers, credit card details and (copies of) passports and driving licences. Data about a planned stay are also valuable to criminals: someone who knows when and where a guest is staying can send a very convincing fraudulent message. With these data they can commit identity fraud or pose as the data subject’s bank or as the hotel itself. The risk of a large-scale incident is real: one of the largest data breaches of recent years occurred at the Marriott hotel group, where the data of over 327 million hotel guests were stolen.
In this article we discuss what exactly a cyber attack is, how you can reduce the chance that your organization is affected, and which steps you can take if you do fall victim.
What is a cyber attack?
In the media the term ‘data breach’ is often used. In short, there is a data breach if the confidentiality, integrity or availability of data has been compromised. This is the case not only if data fall into the hands of persons who should not have access to them, but also if data have been made inaccessible or deleted, or if unauthorized changes have been made to them. Besides data on natural persons, such as customers or employees, a data breach may of course also concern company-sensitive information, such as commercial deals.
There are different forms of data breaches. Some are physical: medical information is stolen from a doctor’s bag, or a postal item is misdelivered. Nowadays, however, most data breaches result from an attack on digital systems by means of hacking, phishing and/or ransomware. This is called a cyber attack. A typical sequence is as follows. Employees are lured into clicking on a hyperlink, downloading an attachment or logging in to a counterfeit portal. The criminals then infiltrate the computer systems, download as many data as possible and finally encrypt the data. They demand a ransom in exchange for the decryption key, and if the victim does not pay, the stolen data are often published on the internet (so-called double extortion). Note that in this scenario the data have already left the organization before the encryption is noticed, so paying the ransom does not undo the breach.
What can you do to prevent a cyber attack?
Prevention is better than cure, so here are some practical tips to reduce the risk of a cyber attack. The main thing is to invest in good ICT security; you can engage a cyber security expert for this. Measures such as mandatory strong passwords and two-factor authentication on all externally accessible accounts contribute to the security of your ICT. Keep software and systems patched, use security software on workstations and servers, and keep regular backups that are tested and that an attacker who has taken over your network cannot reach or encrypt. A specific measure against phishing is to verify the identity of the person you are corresponding with through a separate channel (for example by telephone) before acting on a request, and to scrutinize suspicious links, web addresses and the e-mail address of a sender.
Two other measures are deleting data you no longer need and limiting the number of places where data are stored. This limits the damage if things do go wrong: data that are not there cannot be stolen. It is also a good idea to make cyber security a topic of discussion in your organization: what is an incident, what should employees pay attention to, and what can they do to prevent one? Many cyber incidents start with a single employee being deceived, so greater human attentiveness prevents a large share of them.
To make quick action possible if things do go wrong, draft an incident response protocol in advance and keep it at hand as a manual for the moment an incident occurs. Experience shows that a clearly defined division of roles, a communication structure and a list of priorities save valuable time in the first response to an incident. Make sure the protocol is also available when your systems are down, for example in print or on a device outside your network.
Finally, you may consider taking out cyber insurance. This gives you access to technical and legal support during an incident and allows you to limit the (financial) loss to your organization. Note that insurers increasingly require basic measures such as two-factor authentication and backups as a condition of cover.
What should you do if you fall victim to a cyber attack?
When you fall victim to a cyber attack, your first priority is to establish what has happened and to limit the damage. Engage experts immediately. For example, you can call in an Incident Response Team (IRT) as soon as you notice that something is wrong. Such a team combines several disciplines, including forensic IT experts and lawyers, and offers targeted help to counter the negative consequences of an incident effectively. Do not wipe or reinstall affected systems before the forensic experts have secured the evidence (logs, disk images), because that evidence is needed to determine which data were taken and whether the reporting obligations discussed below apply. It may be possible to restore data, and in any case it is important that unauthorized access is blocked and that a repetition of such access is prevented.
The next question to be decided is whether external parties must be informed of the incident. This may be required by law or by contractual obligations, or it may be a voluntary choice. Pursuant to the General Data Protection Regulation (GDPR), a data breach may have to be reported to the Dutch Data Protection Authority (‘AP’) within 72 hours of the organization becoming aware of it, and sometimes also ‘without undue delay’ to the data subjects. Whether these reporting obligations under articles 33 and 34 GDPR apply depends on the risk the breach poses to the persons whose data are involved: the AP must be notified unless the breach is unlikely to result in a risk to them, and the data subjects must be informed if the breach is likely to result in a high risk to them. In the event of data theft as a result of a ransomware attack, the AP’s position is that the data subjects must always be informed as well. Specific organizations and sectors may be subject to other or additional reporting obligations, for example to the National Cyber Security Centre. In addition, many contracts nowadays contain obligations to report cyber incidents to clients.
Reporting an incident late or not at all may have serious consequences. Booking.com, for instance, was fined 475,000 Euro by the AP for its late reporting of a data breach involving the data of some 4,000 customers. In 2020, Marriott was fined £18.4 million (over 20 million Euro) by the UK Information Commissioner’s Office, albeit for inadequate security rather than late reporting. Contracting parties may also claim compensation for the loss they have suffered as a result of a cyber incident, for example because they were not informed adequately or in time. This is a good reason to map out in advance which reporting obligations may apply to your organization in the event of a cyber incident.
As cyber criminals keep getting smarter, the risk of a cyber attack keeps growing. Make sure you take measures to prevent incidents and that you know what to do if you do fall victim to cybercrime.