The hospitality industry encompasses a vast ecosystem of businesses dedicated to customer satisfaction and memorable experiences, which includes restaurants, cruise lines, theme parks, casinos, travel agencies, event venues, and hotels. Over the past decade, these sectors have undergone radical digital transformation to meet evolving customer expectations, optimise operations, and maintain competitive advantage.
From contactless payments at restaurants to real-time personalisation across customer touchpoints, the industry has wholeheartedly embraced technology. However, this digital acceleration has created an expansive and complex attack surface that cybercriminals are increasingly exploiting with devastating consequences.
According to a Trustwave SpiderLabs report from 2023, the hospitality sector faces an alarming increase in cyber threats, with nearly 31% of hospitality organisations reporting data breaches. More concerning is that 89% of those affected have experienced multiple breaches within a single year, when the average cost of a data breach in the hospitality sector is estimated at $3.4 million. Their most recent report (2025) noted more than 14,000 publicly exposed vulnerabilities impacting hospitality, with 61.5% of initial access attempts using these during an attack.
You may be using the most secure technology available to protect your systems. However, facing cyber attacks is a matter of “when,” not “if.” Therefore, it is paramount to have a strong overall strategy in place to ensure that even factors outside your direct control, such as compromised third-party vendors and employees do not wreak havoc. With proper planning, these threats can be significantly contained and controlled.
In this article, I examine several major cyber attacks against the hospitality industry over the past decade, explore why this sector is particularly attractive to cybercriminals, and demonstrate how a robust Identity and Access Management (IAM) strategy can effectively secure your organisation.
Notable Cyber Attacks Across Hospitality Sectors
1. Casino and Gaming
MGM Resorts International Ransomware Attack (September 2023)
In September 2023, MGM Resorts, one of the world’s largest casino operators, suffered a catastrophic ransomware attack orchestrated by the cybercriminal groups Scattered Spider and ALPHV. The attack began with a sophisticated social engineering tactic where attackers contacted the IT helpdesk, impersonated an MGM employee, and convinced staff to reset credentials. Using these compromised credentials, they gained access to MGM’s systems, eventually deploying ransomware across more than 100 ESXi hypervisors.
Impact: The attack crippled operations across MGM’s properties for nearly a week, disabling slot machines, digital room keys, reservation systems, and payment processing. MGM reported a direct financial impact of approximately $100 million for the third quarter of 2023, with additional costs for incident response and system remediation.
2. Hotel Chains
Caesars Entertainment Data Breach (August 2023)
In August 2023, Caesars Entertainment fell victim to a social engineering attack targeting an outsourced IT support vendor. The breach was discovered on September 7, when the company determined that attackers had gained access to its loyalty program database containing information on a significant portion of its members. The stolen data included names, driver’s license numbers, and Social Security numbers for many loyalty program participants.
Impact: Caesars reportedly paid approximately $15 million of the attackers’ original $30 million ransom demand to prevent the publication of stolen data. The company now faces numerous class action lawsuits and regulatory investigations related to the incident as a result of this attack.
Omni Hotels & Resorts Ransomware Attack (March 2024)
On March 29, 2024, Omni Hotels & Resorts detected a cyberattack that forced the company to shut down numerous critical systems across its 50+ properties in North America. The attack, later attributed to the Daixin Team ransomware group, caused widespread disruption to hotel operations, affecting reservation systems, digital room keys, and payment processing capabilities.
Impact: The attack occurred during the busy Easter holiday weekend, maximising the operational disruption. While Omni confirmed that customer names, email addresses, and loyalty program information were compromised, the company stated that no payment details, financial information, or Social Security numbers were exposed. Full systems restoration was not completed until April 8, 2024.
3. Restaurants and Food Services
Sonic Drive-In Point-of-Sale Breach (2017)
In September 2017, fast-food chain Sonic Drive-In discovered a major breach affecting payment systems at approximately 325 franchise locations. The attack utilised malware specifically designed to harvest payment card data from point-of-sale terminals. Security researchers identified that customer payment information from the breach was being sold on dark web marketplace “Joker’s Stash” for between $25 and $50 per card.
Impact: The breach compromised approximately 5 million payment cards and resulted in multiple class-action lawsuits. Sonic’s stock dropped 4.4% upon public disclosure of the breach, and the company ultimately reached a $4.3 million settlement with affected customers.
4. Cruise Line Operations
Carnival Corporation Ransomware Attacks (2019–2020)
Between 2019 and 2021, Carnival Corporation, the world’s largest cruise operator, suffered several cyberattacks affecting multiple cruise brands including Carnival Cruise Line, Holland America Line and Seabourn. The first attack (April-July 2019) involved hackers accessing 124 employee email accounts through phishing, exposing data of employees and customers including passport numbers, social security numbers, and credit card information. Subsequent ransomware attacks in August 2020, January 2021, and March 2021 compromised additional customer and employee data through phishing emails and system encryption.
Impact: The New York Department of Financial Services imposed a $5 million penalty for cybersecurity violations, including failure to implement multi-factor authentication and delayed breach reporting. Additionally, 46 states reached a $1.5 million settlement over the initial breach. Carnival surrendered its New York insurance licenses and was required to implement comprehensive security improvements including Multi Factor Authentication (MFA) and employee training.
5. Theme Parks and Attractions
Disney Slack Data Breach (2024)
In February 2024, Disney fell victim to a sophisticated cyberattack when an employee unknowingly downloaded a malicious AI image-generation tool from GitHub. The tool contained hidden malware that gave the hacktivist group “NullBulge” access to the employee’s computer and subsequently Disney’s internal networks. The attackers gained access to Van Andel’s 1Password account, which contained sensitive login credentials, allowing them to infiltrate Disney’s internal Slack channels.
Impact: The breach exposed confidential customer details, employee passport numbers, and over 44 million internal communications across Disney’s global operations. Private information belonging to both Disney employees and customers was leaked online. Disney had to discontinue the use of Slack for internal communications.
6. Travel and Booking Platforms
Booking.com Phishing Campaign (2023–2024)
Beginning in late 2023 and continuing through 2024, Booking.com has been targeted by multiple sophisticated phishing campaigns. The most significant attack involves cybercriminals compromising hotel partner accounts by sending malicious emails to hotel employees. Once clicked, malware infects the hotel’s systems and steals their Booking.com credentials. Using these compromised accounts, attackers then contact hotel guests through Booking.com’s internal messaging system, claiming urgent payment verification is needed to avoid booking cancellation. Victims are directed to convincing fake Booking.com pages pre-filled with their personal information.
Impact: Microsoft identified this as an ongoing campaign as Storm-1865, with the threat actors targeting hospitality organisations across North America, Europe, Asia, and Oceania. Booking.com reported a 900% increase in phishing attacks targeting travellers, leading them to block 85 million fraudulent reservations and over 1.5 million phishing attempts in 2023.
7. Event and Conference Venues
Grand Palais Olympic Venue Ransomware Attack (2024)
In early August 2024, during the Paris Olympics, the Grand Palais, the venue for Olympic fencing and Taekwondo was targeted by a ransomware attack. The Grand Palais is managed by the Réunion des Musées Nationaux – Grand Palais (RMN-GP), a group overseeing dozens of French cultural institutions. The attack specifically targeted the RMN-GP’s central IT infrastructure, disrupting access to financial and administrative systems used by museum shops and internal operations. However, major museums like the Louvre and Musée d’Orsay, while part of the broader RMN-GP network, reported no direct operational impact.
Impact: According to the grand palace director, they immediately disconnected everything that was vital and called on the French Computer Security Agency to deal with the problem, which limited the impact significantly. No Olympic competitions or visitor services at the Grand Palais were cancelled or delayed and RMN-GP confirmed that no sensitive visitor or Olympic athlete data was compromised. French officials also reported over 140 attempted cyberattacks linked to Olympics.
Why Cybercriminals Target Hospitality
The hospitality industry represents a particularly attractive target for malicious actors for several compelling reasons.
- Treasure Trove of Customer Data — Vast stores of personal and financial information, travel patterns, preferences, and loyalty data
- Experience-Over-Security Prioritisation — Reluctance to implement controls that might create friction in guest experiences
- High Staff Turnover — Constant workforce changes making access management particularly challenging
- Operational Complexity and Integration — Interconnected technologies creating numerous entry points (POS, booking systems, CRM, mobile apps, IoT)
- Distributed Management Models — Inconsistent security across franchised or independently managed properties under the same brand
- Legacy Infrastructure — Continued reliance on outdated technologies lacking modern security capabilities
Why Strong Identity and Access Management (IAM) is Essential for Modern Hospitality Operations
- Prevents Unauthorised Access to Critical Systems. Recent attacks on MGM, Caesars, and Omni could have been prevented or significantly limited with proper IAM controls restricting access after the initial compromise.
- Mitigates Insider Threats. With the industry’s high turnover rate (exceeding 70% annually in some sectors), proper access management is essential to prevent former employees from retaining system access.
- Enables Compliance with Regulatory Requirements. Facilitates adherence to PCI-DSS, GDPR, and other regulations specifically targeting the handling of guest data.
- Reduces Attack Surface. Limits potential entry points and lateral movement options for attackers by enforcing least privilege access principles.
- Protects Against Emerging Threats. Provides defence against modern attack vectors including:
- AI-powered social engineering targeting hospitality staff
- IoT device exploitation (smart room systems, digital keys)
- Supply chain compromise through third-party vendors
- Credential stuffing attacks targeting loyalty accounts
Core IAM Strategies for Comprehensive Hospitality Protection
1. Centralised Identity Governance
Implementing unified identity management across diverse hospitality environments.
- Transparent visibility of access rights across properties and systems
- Regular privilege auditing to prevent access accumulation
2. Adaptive Authentication Frameworks
Balancing security with operational efficiency through contextual verification.
- Risk-based authentication requiring stronger verification for sensitive operations
- Location and device-aware authentication policies
- Behavioural analysis to detect anomalous access patterns
3. Streamlined Identity Lifecycle Management
Addressing the industry’s high turnover rates through automation.
- Integration with HR and scheduling systems for automated provisioning
- Role-based access templates for common positions (server, housekeeper, manager)
- Immediate deprovisioning triggered by employment termination
- Temporary access provisioning for seasonal employees with automatic expiration
4. Privileged Access Management
Special protection for administrative systems and sensitive functions.
- Just-in-time privileged access with automatic expiration
- Approval workflows for sensitive operations
- Secure credential vaults eliminating shared passwords
5. Third-Party Access Controls
Managing the complex ecosystem of vendors and partners.
- Limited-scope access for external service providers
- Isolated network segments for vendor connections
- Vendor access monitoring and alerts for unusual activity
- Regular review and certification of third-party permissions
6. Future-Ready IAM Technologies
Preparing for emerging security capabilities.
- Zero Trust Architecture — Designing systems that verify every access request regardless of source
- Passwordless Authentication — Reducing both friction and risk through modern authentication methods
- Decentralised Identity — Exploring distributed identity solutions for secure guest and employee identity verification
- AI-Powered Access Intelligence — Implementing machine learning to detect anomalous access patterns
Conclusion
As digital transformation accelerates across the hospitality industry, effective IAM represents a critical differentiator between secure operations and inevitable compromise. The devastating breaches highlighted across diverse hospitality sectors demonstrate the urgent need for comprehensive IAM strategies that address the industry’s unique challenges. For hospitality executives, investment in strategic IAM isn’t merely a security requirement, it is becoming a fundamental business imperative essential for protecting both operational continuity and the invaluable asset of customer trust.