Cybersecurity training for managers and employees working in the hospitality industry


For decades, the words “hotel security” usually referred to “physical security”. It was all about guest protection, locks, safes, and surveillance.

Guests and hotel employees today expect that the same level of protection extends to the digital assets that reside not only on their laptops and smartphones, but also on the hotel’s systems. Hotels are obliged to respect this expectation, especially after the new privacy regulations, including the General Data Protection Regulation (GDPR).

Hotels and subsidiaries of hotel chains must comply with cyber security and privacy laws and regulations, and must follow international standards and best practices that protect their guests and employees.

A new cybersecurity culture is necessary. It refers to the knowledge, beliefs, perceptions, attitudes, assumptions, norms, values, and expectations of hotel guests regarding cybersecurity.

Cybersecurity awareness for all managers and employees of a hotel is necessary, in order to make information security considerations an integral part of an employee’s job, habits and conduct, embedding them in their day-to-day actions.

We tailor the program to meet specific requirements. You may contact us to discuss your needs.

Modules of the tailor-made training

- Important developments in the hospitality industry after the new privacy regulations, including the GDPR and the revised Data Protection Act (DPA).

- Understanding the challenges.

- An overview of some of the attacks described below that suit the objectives of the training. At the end of the presentation we will cover one or more of these attacks in depth.

- August 2000, Ritz hotel data breach. Attackers posed as hotel staff and phoned people with exact details of their restaurant bookings, asking them to confirm card details.

- December 2015, Hilton announced that it had removed malware from its point of sale (PoS) systems at restaurants and shops in certain Hilton hotels, including Waldorf Astoria, Embassy Suites, and Hampton Inn and Suites. Hilton customers’ personal information, such as cardholder names, payment card numbers, security codes, and expiration dates, is believed to have been compromised by the PoS malware.

- November 2015, Starwood Hotels & Resorts suffered a data breach caused by malware that stole payment card information from point of sale (PoS) systems. Customers of the 54 hotels who paid with debit and credit cards at on-site bars, gift shops, restaurants, and other retail stores were likely to be affected by the breach, which compromised information such as names, payment card numbers, security codes, and expiration dates.

- April 2017, InterContinental Hotels Group Plc said that 1,200 of its franchised hotels in the United States, including Holiday Inn and Crowne Plaza, were victims of a three-month cyber attack that sought to steal customer payment card data.

- January 2017, Romantik Seehotel Jägerwirt experienced a ransomware attack that shut down its entire system. The hotel was fully booked with 180 guests. The hotel paid the ransom in Bitcoin to regain access to its reservation system and issue new key cards to guests. As hotels digitize and automate more, the risk grows that malicious actors can commandeer those functions.

- October 2017, Hyatt Hotels Corporation suffered its second card data breach in two years; 41 hotels were impacted across Asia and the Americas. The breach was caused by the insertion of malicious software code by a third party onto certain hotel IT systems.

- June 2022, Marriott International reported that it had suffered its third data breach in the past eight years: attackers used social engineering to gain access to an employee’s computer, and from there gained access to one of its customer databases.

- January 2022, Marriott International was fined around $23.8 million for a data breach that occurred in 2014 and compromised credit card details, passport numbers, and birthdates of guests stored in the brand’s global guest reservation database.

Who is the “attacker”?

- Countries, competitors, criminal organizations, small groups, individuals, employees, insiders, service providers.

- Hacktivists and the hotel industry.

- Professional criminals and information warriors.

How do they attack hotels?

- Step 1 – Collecting information about persons and systems.

- Step 2 – Identifying possible targets and victims.

- Step 3 – Evaluation, recruitment, and testing.

- Step 4 – Privilege escalation.

- Step 5 – Identifying important clients and VIPs.

- Step 6 – Critical infrastructure.

Employees and their weaknesses and vulnerabilities.

- Employee collusion with external parties.

- Blackmailing employees: The art and the science.

- Romance fraudsters and webcam blackmail: What is the risk for the hotel?

Specific risks for the hospitality industry, and best practices to protect the hotel.

- What do guests need, and what are the cyber risks?

  - a. Speed and convenience.
    - It is difficult to balance speed, convenience, and security.
  - b. An effective and efficient web site and reservation system.
    - Examples of challenges and risks.
  - c. Great customer service.
    - Example: how it can be exploited.
  - d. A nice room and housekeeping.
    - Example: “The cleaning staff’s hack”.
  - e. Food, drinks, and entertainment.
    - Point-of-sale (POS) fraud and challenges.
    - Credit card cloning.
  - f. Internet access.
    - Honeypots, rogue access points, man-in-the-middle attacks.
  - g. Security.
    - Unauthorized access is a major problem, and social engineering is a great tool for attackers.
  - h. Privacy.
    - The hotel industry is considered one of the most vulnerable to data threats.
  - i. Money (if they can sue the hotel for negligence).

What must be protected?

- Best practices for managers and employees in the hospitality industry.

- What to do, what to avoid.

- From customer satisfaction vs. cyber security, to customer satisfaction as the result of cyber security.

- The DarkHotel group.

Social Engineering.

- Reverse Social Engineering.

- Common social engineering techniques:
  1. Pretexting.
  2. Baiting.
  3. Something for something.
  4. Tailgating.

Phishing attacks.

- Spear-phishing.

- Clone phishing.

- Whaling – phishing for executives.

- Smishing and vishing attacks.

Keyloggers, ransomware, insider threats, identity theft in the hospitality industry, and best practices to protect the hotel.

- Understanding keyloggers.

- Keyloggers in hotels.

- Best practices from “Keylogger Malware in Hotel Business Centers”, published by US Homeland Security in collaboration with the National Cybersecurity and Communications Integration Center (NCCIC) and the United States Secret Service (USSS).

- Understanding ransomware.

- Types of ransomware.

- Ransomware in the hospitality industry.

- Ransomware prevention best practices.

- Understanding insider threats.

- How do insider threats operate?

- Types of insider threat activity.

- Who could be an insider threat? (colleagues, contractors, business partners).

- Insider threats in the hospitality industry.

- Understanding identity theft.

- The types of identity theft.

- How to prevent and reduce the risk of identity theft.

- Identity theft in the hospitality industry.

Cyber Hygiene.

- The online analogue of personal hygiene.

- Personal devices in the hotel.

- Untrusted storage devices.

Case studies.

We will discuss the mistakes and the consequences in one or more of the following case studies:

- August 2000, Ritz hotel data breach.

- December 2015, Hilton breach.

- November 2015, Starwood Hotels & Resorts data breach.

- April 2017, InterContinental Hotels Group Plc cyber attack.

- January 2017, Romantik Seehotel Jägerwirt ransomware attack.

- October 2017, Hyatt Hotels card data breach.

- June 2022, Marriott International data breach.

- January 2022, Marriott International data breach.

- What happened?

- Why did it happen?

- What were the consequences?

- How could it have been avoided?

Closing remarks and questions.

Target Audience

The program is beneficial to all managers and employees working in hotels and subsidiaries of hotel chains.


Duration

One hour to half a day, depending on the needs, the content of the program and the case studies.

Delivery format of the training program

a. In-House Instructor-Led Training,
b. Online Live Training, or
c. Video-Recorded Training.


Our instructors are working professionals who have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.

George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials:
