Technological advances have made it easier to manage a wide range of information about customers, vendors, and employees. Virtually all businesses that use computer systems are to some extent vulnerable to costly exposures associated with system breaches.
Hotels and restaurants are no exception and, in fact, have much higher levels of exposure because they collect vast amounts of private data from customers as a part of their day-to-day operations through credit card transactions, online reservations, and rewards programs. Private data may be both personal (names, physical addresses, email addresses, passport details) and financial (credit card and banking).
Malicious Cyber Events are often the hardest to predict and can cause the most reputational harm. Intended to disrupt operations and cause financial loss, these events can materialise in a number of ways:
- Data or system degradation
- Cyber extortion
- Privacy breaches or network security events
E-Cyber is designed to protect against these malicious cyber attacks, providing comprehensive coverage for crisis management in identifying and resolving the cause of the cyber or extortion event, as well as offering financial protection for any fallout, such as:
- the increased cost of working or direct loss of net income due to the covered event; or
- any defence costs and any subsequent damages or fines which may be incurred as a result of the event.
Data manipulation, ransom, and breaches are a major concern for the hospitality sector given the high volume of credit card transactions. This data is shared across an extensive employee network.
Whether the data is corrupted, exposed, or held to ransom, E-Cyber is designed with an understanding of the exposure of the hospitality industry. The policy is designed to cover the cost to the company of managing a data breach or a ransom event, as well as data restoration following a cyber event. The policy further extends to consider the legal and regulatory implications of data breaches or any damages due to third parties not being able to access data.
A system failure caused by human error, programming error or computer malfunction can cause disruption to customers and extensive financial losses to the company. Any downtime can erode a company’s competitive edge, affecting its reputation and losing bookings. Getting systems back online can be costly.
Much like data management, maintaining network integrity presents a serious challenge, as inadvertent System Failures can be just as disruptive as malicious cyber attacks. Whether the failure is caused by negligence or mistake in managing the company’s system, a programming error, or a malfunction or failure of the company’s system, any outage will cause financial loss.
Many of these system exposures are intended to be covered within the E-Cyber policy, as the triggers for the business interruption and liability sections extend beyond malicious acts to the practicalities of managing a centralised network. As a result, we handle many of these system interruptions as if they were malicious and would look to provide coverage for event management to identify and resolve the system failure, the increased cost of working or direct loss of net income due to the covered event, or any defence costs and any subsequent damages or fines which may be incurred as a result of the event.
November 2015 – A major hotelier was the subject of a cyber attack. Malicious software was found on some point of sale systems and affected franchised restaurants, coffee bars and gift shops within their hotels and properties. The breach persisted over a 17-week period. The data stolen included credit card information and social security information.
March 2015 – A restaurant chain was closed for over a week after its point of sale and back office systems were infected by ransomware. The restaurant was unable to operate without access to these systems. A hefty ransom was demanded.
June 2014 – A large takeaway pizza company was a victim of a ransomware attack. 650,000 customer records were compromised and a ransom of €30,000 was sought as a bribe.
September 2013 – A large restaurant chain with 33 restaurants in various locations suffered a significant data breach over an 8-month period. During this time, credit card details and personal data were stolen as part of a highly sophisticated criminal operation.
March 2015 – A large hotel group was subject to a cyber attack affecting 10 of its hotels worldwide. The hacker used malware to acquire the credit card numbers of individuals who used a credit card for dining, beverage, spa, guest rooms, or other products and services.
February 2015 – A large hotel lodging company reported two data breaches in a year, following a number of complaints of fraud on customer credit and debit cards that were all recently used at a string of hotel properties run by a hotel franchise firm. The company suspected a breach of point-of-sale systems at 10 locations.
Throughout 2011 – Two men from Romania admitted to participating in an international conspiracy that hacked into credit-card payment terminals at more than 150 fast food restaurant franchises and stole data for more than 146,000 accounts.
2006 – Failures with an online booking system left a hotel unable to accurately manage its bookings, resulting in financial loss from under-occupancy and damage to reputation.