Why Hackers Target Smart Rooms

Mery Royo
November 14, 2022

With so many IoT devices connected to the internet and hotel servers, hotel hacking has become a growing risk. Hackers will exploit weak points unless hotels take extra care to protect guest data and connected devices. 

The proliferation of data in smart hotels has made security an even greater concern for hoteliers. Skilled hackers have always exploited vulnerabilities in data systems, and even major groups like IHG, Hilton and Marriott have been compromised. With the Internet of Things (IoT) increasingly embedded in hotels, the amount of vulnerable personal data collected has increased exponentially – making hotel hacking one of the biggest cybersecurity concerns in the hospitality industry.

Connecting Rooms

In smart hotel rooms, everything from smart TVs to light switches, thermostats and alarm clocks can be connected to the internet, the hotel’s servers and guest devices. The Marriott hotel group, for example, claims to have nearly 2,000 connected rooms in the US and is constantly adding more. 

Guests enjoy the high-tech convenience and it brings in more revenue for hotels. But there’s a downside. Connected devices are generally vulnerable to security breaches. The sheer number of IoT devices in hotel rooms, which will only increase, provides hackers with significant opportunities to invade guests’ privacy and access their personal devices. 

Ethical Hackers Expose Risks

Ethical hackers have done a good job exposing vulnerabilities. When a researcher at security experts LEXFO was irritated by a noisy neighbour in a hotel, he hacked into the neighbour's room at night and taught him a lesson by turning the lights on and off and making the bed collapse.

The researcher told the Black Hat USA 2021 conference how he hacked the iPads controlling the room and found six vulnerabilities. He informed the hotel and they fixed the weaknesses. 

Causing Chaos

But the threats are even greater now. There was an eloquent illustration of the new data vulnerabilities from so-called white-hat hackers at Black Hat USA in Las Vegas in 2019. The German team, called the Chaos Computer Group, hacked into a high-end hotel through an IoT-connected mobile key system that guests used in lifts, rooms and fitness centres. This case became one of the most cited examples of hotel hacking and showed the scale of the problem.

Complacency

Even when ethical hackers reveal risks, hotels can be complacent. A couple of years ago, security researcher Lance R. Vick hacked into customer service robots at Henn-na Hotel in Nagasaki and made them spy on guests by controlling their cameras and microphones. Vick told the hotel, but they did nothing for 90 days, so he went public.

Hoteliers tend to hush up details of hacks of IoT devices, but the scale of attacks suggests they’re happening often. According to security experts Kaspersky, there were 1.5 billion attacks against IoT devices in the first six months of 2021 alone. Kaspersky says 43% of businesses fail to protect their full suite of IoT devices. 

Famous Hacks

In September 2022, Holiday Inns by IHG was hit by a cyber-attack. It investigated “unauthorised access” to a number of its technology systems, which caused disruption for “booking channels and other applications”.

One of the most extraordinary cases involved hackers using a connected fish tank in a North American casino hotel to access the data of high-rolling gamblers in 2017. The hackers gained entry to the hotel servers through the fish tank’s thermostat. They extracted 10GB of personal data to a device in Finland. 

Another shocking example was when hackers spied on private discussions about the Iran nuclear deal at a five-star hotel in Geneva in 2015. One of their methods was to access the talks through smart TVs in the meeting rooms – a stark reminder of the dangers of hotel hacking. 

High-profile Brands Still Vulnerable

Guests might feel protected from hackers if they stay at hotels run by reputable household brands. But the evidence suggests any hotel can be hacked. 

  • Starwood Hotels was compromised in 2014, but the hack went unnoticed until 2018. By that time, Marriott owned the group. The hackers had been in the system for years, stealing millions of records including passport numbers and VIP status. 
  • Hyatt suffered compromised data in 2017 when hackers accessed payment card information worldwide. 

The Main Weak Points

Weak points in hotel systems can be loopholes in software or poorly designed networks. But there are also major threats from careless employees who leave systems logged on or use personal devices for official tasks. 

Other threats include malware on unprotected hotel computers, careless disposal of guest data, and insider threats from untrustworthy employees. 

Six Ways to Protect Your Data

So what can hotels do to mitigate the risks? 

  • Trustworthy tech partners – Work with providers like SIHOT that comply with strict data security standards. 
  • Cyber-security training – Train employees to identify threats such as phishing emails. 
  • Select the right security tools – Firewalls, monitoring systems and IoT protection are essential. 
  • Get the basics right – Change default usernames and passwords on all devices. 
  • Screen your staff – Prevent insider threats with thorough checks and access policies. 
  • Isolate IoT devices – Separate them from core hotel servers and unplug devices when not in use. 
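
Two of these items, changing default credentials and isolating IoT devices from core servers, can be checked mechanically against an asset inventory and a firewall rule export. The following is an added example, not SIHOT code or part of the original article; the subnets, device names, inventory fields and rule format are constructed assumptions.

```python
import ipaddress

# All names, addresses and rules below are constructed sample data.
CORE_NETS = [ipaddress.ip_network("10.10.0.0/24")]   # PMS and payment servers
IOT_NETS = [ipaddress.ip_network("10.50.0.0/16")]    # in-room devices

DEVICES = [
    {"name": "thermostat-0412", "ip": "10.50.4.12", "default_creds": True},
    {"name": "smart-tv-0412", "ip": "10.50.4.13", "default_creds": False},
    {"name": "lobby-fishtank", "ip": "10.10.0.77", "default_creds": False},
]
RULES = [  # modelled as a plain allow list; anything unmatched is denied
    {"src": "10.50.0.0/16", "dst": "0.0.0.0/0", "port": 443, "action": "allow"},
    {"src": "10.50.4.0/24", "dst": "10.10.0.5/32", "port": 1433, "action": "allow"},
    {"src": "10.10.0.0/24", "dst": "10.50.0.0/16", "port": 8443, "action": "allow"},
]

def in_any(ip, nets):
    """True if the address falls inside any of the given networks."""
    return any(ipaddress.ip_address(ip) in n for n in nets)

def misplaced_devices(devices):
    """IoT devices whose address lies outside the dedicated IoT segment."""
    return [d["name"] for d in devices if not in_any(d["ip"], IOT_NETS)]

def default_credential_devices(devices):
    """Devices the inventory still records as using factory credentials."""
    return [d["name"] for d in devices if d["default_creds"]]

def iot_to_core_rules(rules):
    """Indexes of allow rules that let IoT address space reach core servers.

    overlaps() also catches overly broad destinations such as 0.0.0.0/0,
    which silently include the core subnet.
    """
    hits = []
    for i, r in enumerate(rules):
        src = ipaddress.ip_network(r["src"])
        dst = ipaddress.ip_network(r["dst"])
        if (r["action"] == "allow"
                and any(src.overlaps(n) for n in IOT_NETS)
                and any(dst.overlaps(n) for n in CORE_NETS)):
            hits.append(i)
    return hits

if __name__ == "__main__":
    print("outside IoT segment:", misplaced_devices(DEVICES))
    print("default credentials:", default_credential_devices(DEVICES))
    print("IoT-to-core allow rules:", iot_to_core_rules(RULES))
```

The first rule is flagged even though it was written as an "internet access" rule: its destination is broad enough to include the core subnet, which is the kind of path the fish-tank thermostat case relied on.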

SIHOT works with hotels as long-term partners to ensure technology not only provides efficiencies but also protects businesses from hotel hacking and outside threats. 


Mery Royo
Marketing & Communications Specialist
Mery is Marketing & Communications Specialist at SIHOT in Spain. She works in content and partner marketing with a particular focus on the Iberia region, strengthening the connection between the brand, partners, and customers through her communication.