Cyber Security

Revealed: the secret cyber scams targeting the hospitality sector

We’re all aware of the risks around customer data theft in the hospitality industry. But the fact that such a wide range of sensitive information is held by hospitality firms — everything from credit card details to car registration numbers — hasn’t gone unnoticed by cybercriminals who use every trick in the book to hack into hotel computer systems.

What doesn’t tend to get so much airtime is what hackers do with all this information once they’ve stolen it. A quick trawl of the internet, including its murkier corners known as the dark web, however, reveals how criminals make money from this patchwork of stolen customer data.

One of the biggest scams employed by organised crime gangs is to use hacked data to set up what are effectively dark web travel agencies. A recent report by Vice.com reveals how these illegal agencies use a wide range of stolen data to sell super-cheap holidays which can include five-star hotel stays, business-class flights, restaurant meals, shopping, entertainment and guided tours.

Seriously out of pocket

Hackers often offer discounts of more than 70% thanks to hacked customer loyalty point accounts, employee discount schemes and credit card details, leaving law-abiding customers and businesses seriously out of pocket.

These black-market travel agents can be found on dark web market places such as Dream Market, with threads written predominantly in Russian, English and Arabic. Even where these market places are closed down, given the demand, new dark web sites rapidly spring up.

Typically, the travel agents advertise their prices along with other information such as how many days in advance of travel the client can book. Some underground travel agencies offer all-inclusive services, with flights, hotels, and taxis all covered by one price.

Most of the adverts for these agencies are highly designed with images portraying what some may consider the high life: attractive women, fast cars, speed boats and international landmarks. Once a customer contacts a black-market agent they are most likely directed to a messaging app where a service agent or bot will discuss hotel and travel arrangements.

Dark web travel agents

A common method is to provide the agent with a screen shot from a hospitality aggregation site such as Trivago, with all the necessary hotel check-in and check-out dates added. The agent then uses stolen data to secure a hugely discounted stay and adds a commission for themselves. Another method is to sell hacked loyalty points so the customer can make the booking themselves.

As you can imagine all of these transactions are carried out using fake identities, which are also readily available on the dark web, and bitcoin to ensure the buyer remains anonymous.

Buyers’ attempts to remain anonymous don’t always work, however. In May 2019 British hacker Grant West was jailed by UK law enforcement after he used stolen data to fund gambling holidays to Las Vegas.

There are no official figures for the amount of money lost by the hospitality industry every year to this kind of crime but all the estimates run into the billions.

If you’ve ever tried to justify the cost of enhanced cyber security to your budget holder or company board it may make sense to take them on a short shopping excursion to the dark web to show them the very real dangers of data theft. It’s certainly a sobering experience.