Addressing the hospitality industry’s weakest data security link

We are proud to partner with Singapore Hotel Association (SHA) to hold the “Is your Hotel at Risk of Non-Compliance – PDPA, GDPR & GST?” seminar for a full-house crowd of 100 SHA members. Topics of interest covered include securing sensitive data and reducing outsourcing, legal and GST risks in the hospitality industry.

Digital Forensics & Investigation Director Anthony Lee shared lessons from major hotel data breach incidents. A major hotel was fined $700,000 for providing a late warning to guests for its data mishandling breach. In another case, malware infected front-desk computer systems to capture payment card information during guest check-in. Hackers are targeting sensitive hotel data such as payment card details at check-in counters and restaurant POS systems, guest personal data and membership rewards. An unsecured system can invite data theft and result in violations of compliance, contractual breaches, malware infections and loss of time, revenue and reputation.

Anthony recommended additional data encryption for highly confidential data. He added that time bombs can reside inside data storage systems in the form of unused old personal identification or payment card details in the servers. This increases the business risks and consequent penalties in the event of a data breach and data cleansing is an important process to reduce such risks.

“Your service providers could be the weakest link,” said Business Consulting Director Hoi Wai Khin. It is crucial for the outsourced service provider to provide accurate and timely information to hospitality companies to perform due diligence in assessing associated risks when reviewing outsourcing arrangements. Wai Khin highlighted the importance of conducting proper due diligence during the vendor selection process. “You can outsource the function but not the accountability,” he said.

Wai Khin shared a case study where a client was hit by a malware attack that encrypted its system after the installation of a vendor file. RSM’s incident response team was brought in to perform recovery by restoring systems. RSM reviewed the company’s network infrastructure for residual risk and conducted vulnerability assessment to ensure that all risks were eradicated. RSM also assisted the client with employee security awareness training and provided incident response advisory and planning.

Lionel Tan, Equity Partner at Rajah & Tann Singapore LLP, shed light on the legal issues and liabilities that may arise from cyber breaches and gave useful tips for PDPA compliance. “Any person who suffers loss or damage as a result of infringement of the data protection law can institute civil proceedings against the infringing organisation,” he said.

As cybersecurity is no longer just an IT department issue, hotels have to consider the potential costs and reputational harm that can result from a cybersecurity breach. Lionel advised that key steps have to be taken after a data breach to limit legal liability. He stressed the importance of having in place PDPA and IT security policies, complemented by staff training to increase cyber awareness. Hotels can also engage qualified cybersecurity vendors to test the system, put in place a data breach plan and conduct cyber breach simulation exercises to better prepare for any breach occurrence.