
The cybersecurity risks hotels need to address, and usually don't

A mid-size hotel holds more sensitive data per customer than most banks. It has a name, home address, passport number, payment card, email, travel patterns, dietary preferences, and sometimes family details. That concentration makes hospitality a consistent target, and the sector's historically low investment in IT security makes it a relatively easy one.

Cyvra Team
Cyvra Consultancy
10 May 2026
Key takeaways
  • The Marriott breach exposed 383 million guest records. Hospitality is a primary target for state actors and organised crime
  • Hotels run four high-value attack surfaces simultaneously: PMS, POS systems, guest WiFi, and OTA booking platforms
  • GDPR requires notifying your supervisory authority within 72 hours of discovering a personal data breach
  • Storing passport scans beyond the check-in purpose is almost certainly unlawful under GDPR Article 5
  • Ransomware is the dominant threat. MGM's 2023 attack disrupted operations across 30+ properties and cost over $100 million

Why hospitality is a persistent target

The Marriott Starwood breach, disclosed in 2018, exposed up to 383 million guest records accumulated over four years. A second Marriott breach in 2020 affected 5.2 million guests. MGM Resorts suffered a ransomware attack in 2023 that took down reservation systems, hotel key cards, slot machines, and ATMs across multiple properties, with reported losses in the hundreds of millions. These are the incidents that made the news. Dozens of smaller hotel groups face breaches every year that receive no coverage at all.

The pattern across these incidents is consistent: attackers target hospitality because the reward is high (payment card data combined with personal identifiers), the defences are often weak (fragmented IT infrastructure, legacy systems, and high staff turnover that makes security training difficult to maintain), and the operational pressure to stay online is extreme. A hospital can take a system offline during an incident. A hotel with 500 guests checking in cannot.

  • 383M: guest records exposed in the Marriott Starwood breach, accumulated over four years undetected
  • Top 5: hospitality is consistently among the most targeted sectors for data breaches globally
  • 72h: GDPR deadline to notify your supervisory authority after discovering a personal data breach

The four attack surfaces that matter most

Hotel IT environments are unusually complex for their size. A single property typically runs a Property Management System, a Point of Sale system, a booking engine, a channel manager, a restaurant reservation platform, guest WiFi, access control for room keys, and back-office finance and HR systems. Each of these is a potential entry point, and in most hotels they are inadequately segmented from each other.

Property Management Systems

The PMS is the core of hotel operations. It holds guest profiles, reservation history, payment card tokens, room assignments, and check-in/check-out records. PMS platforms like Opera and MICROS are widely deployed, often in versions that are years behind on security patches. Attackers who compromise the PMS have access to the full guest database. In several documented incidents, attackers maintained access to hotel PMS environments for over a year before detection.

Access controls on PMS systems are frequently inadequate. Shared administrator credentials, no multi-factor authentication, and broad user permissions across the front desk team are common. Not every member of the front desk team needs access to historical guest payment records.

Point of Sale systems

POS malware attacks on hotel restaurants, bars, and spas have targeted brands including Hilton, Hyatt, and Mandarin Oriental. The attack method is consistent: malware installed on the POS terminal captures card data at the point of swipe or insert, before it reaches the payment processor. These attacks persist for months because the POS system appears to function normally throughout.

POS systems that are not on an isolated network segment create a wider problem. An attacker who compromises a bar terminal can use it as a pivot point into the broader hotel network. Network segmentation between POS, PMS, and guest WiFi is the single most impactful technical control hotels can put in place.

Guest WiFi

Guest WiFi is not just a risk to guests. In most hotels, the guest network and the corporate network are not adequately separated. A guest who launches an attack from the hotel WiFi, or an attacker who compromises a guest's device and uses it as a pivot, can sometimes reach internal hotel systems directly. This is not a theoretical risk: hospitality-focused threat groups specifically target properties where network segmentation is weak.

The fix is not complicated, but it requires deliberate architecture. Guest WiFi should be fully isolated with no route to internal systems. Giving a guest internet access from their room does not require any connection to the hotel's internal network.

Booking platforms and OTA integrations

Hotels typically receive bookings through multiple channels: their own website, Booking.com, Expedia, and other online travel agencies. Each of these integrations is an API connection that processes guest data. Compromising a hotel's booking API has been used to harvest reservation data at scale, including names, email addresses, phone numbers, and in some cases partial payment card details.

Phishing attacks targeting front desk staff frequently impersonate Booking.com or other OTAs. Staff receive a message appearing to be from the platform asking them to log in to address a guest complaint. The credential theft that follows gives attackers direct access to the hotel's OTA management account, and sometimes to the booking system itself.

GDPR obligations hotels commonly overlook

A hotel operating in the EU is a data controller under GDPR for every piece of guest data it collects. That includes data collected by third-party booking systems on your behalf: you remain the controller, and the third party is your data processor. You need Data Processing Agreements in place with every platform that handles guest data: your PMS vendor, your channel manager, your restaurant booking system, and every OTA you work with.

Retention is the area most hotels handle worst. Guest records, including payment card tokens, are routinely kept indefinitely. GDPR requires that personal data be kept only as long as necessary for the purpose it was collected. For most transactional guest data, a defined retention window with automated deletion is required. Loyalty programme data has different rules, but even that is not indefinite.

Important

If a breach exposes guest personal data, you have 72 hours to notify your supervisory authority (the AP in the Netherlands, the ICO in the UK). That clock runs from when you become aware of the breach, not when you finish investigating it. Hotels without an incident response plan that includes a regulatory notification step will miss this deadline. Fines for late notification are separate from, and in addition to, fines for the underlying security failure.

Passport and ID scans create a specific obligation. Many hotels photograph or copy passports at check-in. A scanned passport is a highly sensitive document under GDPR. If you collect them, you need a lawful basis, a stated retention period, and secure storage. Keeping passport scans in a shared folder on the front desk computer, which is common, satisfies none of these requirements.

What a credible security baseline looks like for hotels

The following controls are achievable for any hotel group, independent of size. None requires enterprise-grade infrastructure. All address the actual attack patterns seen in hospitality breaches.

1. Segment your networks
Guest WiFi, POS systems, PMS, and back-office IT should be on separate VLANs with firewall rules preventing lateral movement between them. This is the single highest-impact control for reducing breach scope.

2. Enable MFA on every external-facing system
PMS admin access, email accounts, booking platform logins, and any system accessible outside the hotel network must require multi-factor authentication. Front desk credential theft is the most common initial access method in hotel breaches.

3. Patch PMS and POS systems on a defined schedule
Many hotels run PMS versions that are years behind vendor patches, often because the vendor requires paid upgrade cycles. Document your patching status and work with your vendor to close gaps. Legacy systems should be isolated if they cannot be patched.

4. Run quarterly phishing simulations for front desk staff
Front desk teams are the primary target for OTA impersonation attacks. Regular simulations, with immediate training for staff who click, reduce susceptibility over time. Annual security awareness training alone is not sufficient for a team with high turnover.

5. Define and enforce guest data retention periods
Set a specific retention period for transactional guest data (typically 12 to 36 months after the stay) and implement automated deletion. Passport and ID scans should be deleted within days of check-out unless a specific legal basis requires longer retention.

6. Write an incident response plan that accounts for hotel operations
A hotel incident response plan needs to address what happens when the PMS goes down during check-in, how you notify guests whose data is compromised, and who contacts the supervisory authority within 72 hours. Generic IT incident plans do not cover these scenarios.
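Control 5 in practice, as an added example that is not part of this article or any PMS vendor's tooling: a retention sweep that applies a per-data-class policy to guest records keyed on check-out date. The policy values (24 months for transactional data, 3 days for passport scans), the record layout and the sample records are assumptions chosen inside the ranges given above; the legal-hold flag models the "specific legal basis" exception, and a data class with no rule is reported rather than silently kept.

```python
# Retention sweep for guest data (added example, not Cyvra's or any vendor's code).
# Policy values are assumptions chosen inside the ranges the article gives:
# transactional records 24 months after check-out, passport scans 3 days.
import calendar
from dataclasses import dataclass
from datetime import date, timedelta

# Retention per data class as (months, days) after check-out.
RETENTION_POLICY = {
    "transactional": (24, 0),  # assumption: within the 12-36 month range
    "passport_scan": (0, 3),   # assumption: "within days of check-out"
}

@dataclass
class GuestRecord:
    record_id: str
    data_class: str
    check_out: date
    legal_hold: bool = False  # a specific legal basis that overrides the policy

def add_months(d: date, months: int) -> date:
    """Calendar-month addition, clamped to the last valid day of the month."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def expiry_date(r: GuestRecord) -> date:
    months, days = RETENTION_POLICY[r.data_class]
    return add_months(r.check_out, months) + timedelta(days=days)

def retention_sweep(records, today: date):
    """Return (ids to delete now, [(id, reason)] retained) for the audit log."""
    to_delete, retained = [], []
    for r in records:
        if r.data_class not in RETENTION_POLICY:
            retained.append((r.record_id, "no retention rule: escalate"))
        elif r.legal_hold:
            retained.append((r.record_id, "legal hold"))
        elif expiry_date(r) <= today:
            to_delete.append(r.record_id)
        else:
            retained.append((r.record_id, "expires " + expiry_date(r).isoformat()))
    return to_delete, retained

# Constructed sample records (not real guests).
SAMPLE = [
    GuestRecord("res-1001", "transactional", date(2024, 1, 31)),
    GuestRecord("res-1002", "transactional", date(2024, 9, 15)),
    GuestRecord("pp-2001", "passport_scan", date(2026, 5, 6)),
    GuestRecord("pp-2002", "passport_scan", date(2026, 5, 9)),
    GuestRecord("res-1003", "transactional", date(2023, 1, 10), legal_hold=True),
    GuestRecord("loy-3001", "loyalty", date(2022, 1, 1)),
]
```

Run `retention_sweep(SAMPLE, date(2026, 5, 10))` from a scheduled job and feed the returned id lists to the PMS deletion and audit-log steps; the retained list is what you show a regulator when asked why a record still exists.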

Hotels that have implemented these six controls are in a fundamentally stronger position than those that haven't. They are also better placed when a regulator or insurance provider asks for evidence of security practices following an incident, which in hospitality is a matter of when rather than if.

Frequently asked questions

Why are hotels a prime target for cybercriminals?

Hotels aggregate several high-value data types in a single location: payment card data, passport and identity documents, loyalty programme credentials, travel itineraries, and corporate account information. This concentration of sensitive data, combined with complex IT environments spanning property management systems, point-of-sale terminals, guest WiFi, and third-party booking platforms, creates a large attack surface. The hospitality sector also tends to have lower cybersecurity investment than financial services, making it an attractive target.

What GDPR obligations apply to hotels after a data breach?

Under GDPR Article 33, hotels must notify their supervisory authority within 72 hours of becoming aware of a personal data breach. If the breach is likely to result in a high risk to individuals, for example where payment card data or identity documents were exposed, GDPR Article 34 also requires notifying the affected individuals without undue delay. Failure to notify within the 72-hour window has been a factor in several EU enforcement actions.

How long can hotels keep copies of passport scans?

Retention of passport scans must be grounded in a specific legal basis and limited to the minimum period necessary. In most EU jurisdictions, the legal basis for collecting passport information is compliance with a legal obligation, such as guest registration requirements. Retaining scans beyond the purpose of that obligation (for example, keeping them indefinitely in a shared folder) is very likely unlawful under GDPR Article 5(1)(e). Documented retention policies, deletion schedules, and access controls are required.

What is the biggest cybersecurity risk for hotel property management systems?

Property management systems (PMS) are the central nervous system of a hotel: they hold reservation data, guest profiles, payment history, and room access control. The main risks are stolen credentials from phishing or credential stuffing attacks, unpatched software vulnerabilities, and lateral movement after an initial compromise of a less-protected endpoint. PMS systems are also typically integrated with dozens of third-party systems, each representing an additional entry point. Network segmentation and strict access control are the most effective mitigations.

What does a basic cybersecurity baseline look like for a hotel?

A credible baseline includes: multi-factor authentication on all administrative and PMS access; network segmentation separating guest WiFi, operational systems, and payment card environments; regular patching of PMS and POS software; annual staff phishing awareness training; an incident response plan with a 72-hour GDPR notification checklist; encrypted backups tested on a regular schedule; and a review of all third-party integrations to ensure vendors meet minimum security standards.
