Cybersecurity expert shares what guests, hotels should know in wake of Omni breach

The Omni Houston Hotel at Four Riverway, Dec. 31, 2020, in Houston. (Karen Warren/Houston Chronicle via Getty Images)

(NEW YORK) — In the wake of a recent cyberattack on Omni Hotels & Resorts that prompted a “shut down [of] its systems to protect and contain its data,” experts are reminding people of the actions guests can take to preserve their digital safety and weighing in on risks facing the hospitality industry at large.

“We are currently working to determine the scope of the event, including impact to any data or information maintained on Omni systems,” the company said in a statement following the cyberattack on Friday, March 29. “Our investigation into the incident remains ongoing and we are working with external specialists in this process.”

When Omni learned of the issue, the company said it shut down certain systems, “most of which have been restored” and “launched an investigation with a leading cybersecurity response team, which is ongoing.”

The Dallas-based luxury hospitality chain with over 50 properties across the U.S. and Canada first confirmed the outage on social media. Omni said it would “post relevant updates” to its cyber attack update page “as new communications can be shared,” and in the meantime said guests could contact travel planners or the hotel directly with any questions about a stay or guest experiences.

“As our team works diligently to restore the remainder of the systems to full functionality, we continue to welcome our guests and accept new reservations,” the company’s statement continued. “We apologize for the disruption and inconvenience this cyberattack is causing. The care and comfort of our guests remains our highest priority and we are grateful for the hard work of all our teams who are doing everything possible to deliver the Omni experience expected by our guests.”

Omni and TRT Holdings, the owner of the hotel chain, did not immediately respond to ABC News’ request for additional comment.

Initially, the outage included a shutdown of reservations, hotel room door locks and point-of-sale systems.

How guests can stay safe if hotels fall victim to cyberattacks

BlackCloak CEO Chris Pierson, a cybersecurity expert with more than 25 years of private and government experience in the industry, which has included clients in hospitality, told ABC News’ Good Morning America what steps people should take to protect themselves after a breach.

“Every single company is going to be targeted by cybercriminals,” Pierson said. “Data breaches, ransomware attacks, extortion, stolen credit card information, all these things are a fact of life. The important thing is knowing what to do about it — what should they do and what should they know.”

“If you are a consumer of a hotel that has had a breach, the biggest immediate impact could be on the financial side,” he continued. “Making sure that you know what credit card information was included or was used for that hotel is going to be critical. Monitoring that credit card for any signs of fraud or identity theft, perhaps switching that credit card are also things that you should think about doing.”

“The second thing is going to be the information that you’ve given or transmitted to the hotel,” he continued. “Have you given them your name, address, phone number and email address information? … Be on the lookout for scams like phishing and other types of social engineering attacks.”

For domestic travelers, Pierson said to check if you provided your driver’s license information, and for international travelers, any passport information.

“That information can then be used for additional forms of onward identity theft or making you susceptible to scams,” Pierson added.

What makes hotels, hospitality industry more susceptible to cyberattacks

Pierson, a former cybersecurity adviser to the Department of Homeland Security, explained what makes the hospitality industry so susceptible to cyberattacks like the one on Omni Hotels & Resorts.

When cyber criminals target specific industries and companies, “they are seeking the largest payout in the most expedient time possible,” Pierson said, adding that with service-oriented businesses, “that does cause a time clock to speed up on their end in terms of every hour, day, week, that that industry is down.”

“Especially for the hospitality industry or transportation — if those are unable to be up and running and operational, then they are literally losing money each and every minute, hour, day and week,” he said. “That can bring about swifter decisions [by a company] to get back up and get clients back onto the platform, back into their hotel rooms, back into their kind of service experience.”

Hotel responses to cybersecurity attacks

“All of these different hotels that have been in the news are victims, [guests] trust that their information is going to be secure,” said Pierson, who now specializes in digital executive protection for corporate executives, boards and other high value targets including employees and their families.

“When there is a breach, obviously some trust is lost there. However, cybercrime, cyber attacks, ransom, data breach, and all the rest are facts of life, they will hit most major companies,” he continued. “What consumers need to pay attention to is, ‘Is the company communicating with me? Has the company communicated with me in a manner that is clear and ethical and consistent? Have they provided me with an explanation as to what is happening to the best of their knowledge at that given point in time?'”

Pierson said that the current updated U.S. Securities and Exchange Commission guidance stating that “publicly traded companies must disclose a material cyber incident within four days” could “potentially cause more confusion in consumers.”

“Every initial statement is going to say: ‘We’re investigating something that has happened, we can’t tell you exactly what has happened because we’re at the beginning stages of the investigation, and as a result, we don’t know or have any other further details,'” Pierson said. “Providing that type of a disclosure can actually cause more frustration than having waited a week until you had more details.”

Pierson said that every data breach response can take “about seven to 14 days until a company actually knows all the proper details that it needs in order to more fully disclose what has happened.”

Preventative steps companies take to ensure guest, customer information is safe

Pierson explained some of the steps business leaders might want to take to prevent attacks.

First among those is “making sure you have a cybersecurity program that is in place at the company, that is at least updated annually, and the threats and risks around it are known,” he said.

Second, he said, is “making sure you have governance and supervision, in terms of enterprise risk management, over that program from a board level and from an executive level.” He added that risks need to be “absolutely clear” to best ensure “they’re being mitigated.”

“Number three, making sure that you have all of the right things in place for incident response, because events will happen,” he said. “Making sure that you know what they are, when they are, what to do when they happen and how to respond is going to be the other critical part.”

Copyright © 2024, ABC Audio. All rights reserved.