Second only to retailers, hotels have become one of the favourite targets of cybercriminals in terms of credit card and personal data breaches.
Speaking at the launch of the PwC Hotels Outlook 2018 in Johannesburg, Kris Budnick, Lead Partner for PwC Cyber Africa, said there were several complexities unique to the hospitality sector that had delayed the process of implementing adequate cybersecurity systems.
Hotel groups are often very widely distributed and can include a range of independently managed infrastructures not managed by the hotel chain, such as restaurants, bars and spas. “This creates a very large footprint for cybercriminals and is why cybersecurity is an area that deserves attention,” said Budnick.
“At the same time, personal data is receiving a lot of attention. In terms of Europe’s GDPR laws, if a hotel is collecting data from a European person, the implications of a data breach can be very serious. The fine can be as high as 4% of total revenue,” he added.
He also pointed out that increased legislation around data privacy can counter-intuitively result in an uptick in cybercrime. For example, a cybercriminal is aware that if they publish the personal data of a hotel’s customers, it could cost the company a fine of up to 4% of total revenue, so the criminal can offer to charge the hotel 1% of total revenue not to disclose the information.
In terms of preparedness, said Budnick, about a month before GDPR came into effect (with over two years to get ready for compliance), the general health of businesses in terms of cybersecurity was “sub-par”. It is only now, with looming punitive threats, that we are starting to see more action.
Straight after GDPR came into effect, two very high-profile lawsuits followed. “There is a scramble to comply now as hotels realise that some of these regulations have teeth,” he said.
Locally, while POPI is not yet in effect, now that the regulator has been appointed, the work will begin in terms of setting down the regulations. “The regulator is vocal and, for right now, they are just having conversations with businesses, but this will change soon. There is a lot of work being done and we need to accelerate progress.
“This should raise urgency in this space – hospitality is not doing well in terms of keeping pace with what is coming. We have a very large and very distributed target, and a very slow time to discovery of data breaches compounds the damage associated with loss of personal and card data. It is time to act,” said Budnick.