A new year often brings a surge in bookings that engage the hospitality industry’s interconnected services, including hotel reservations, flights and car rentals. But while we settle into the start of 2025, cybercriminals are just heating up.
While integrated services create a better customer experience, they also open up the threat landscape, offering cyberattackers more opportunities to exploit weaknesses across the industry.
For travelers, this means being more aware of where their personal information is being stored, while travel and hospitality companies must enhance security measures to protect their consumer data. With cybercriminals becoming more creative in exploiting software across entire industries, the stakes for these industries are higher than ever.
Growing Hospitality and Travel Threats
As travel demand rises, so do cyber threats, particularly for businesses in the travel and tourism industry.
The hospitality industry has grappled with numerous high-profile data breaches in recent years. Last year, Omni Hotels & Resorts, which operates more than 50 properties in the United States and Canada, suffered a cyberattack that forced a system shutdown to protect and contain sensitive data, disrupting reservations, hotel room door locks and point-of-sale systems.
Unfortunately, these attacks have become more common in the hospitality industry. A recent Hotel Management report found that 31% of hospitality organizations have experienced a data breach. Beyond the immediate financial losses, which can amount to millions, these breaches can severely damage a company’s reputation—an especially significant blow in an industry reliant on customer loyalty. As hotels and travel companies adopt more interconnected systems to enhance the guest experience, the threat landscape will only continue to grow, making cybersecurity a top priority for the industry.
Unique Challenges of the Hospitality Industry
A cyberattack poses significant risks for any business, but each sector faces unique challenges. Some travel booking sites handle customer complaints remotely, but disruptions in the hospitality industry are more immediate and personal. For many travelers, a hotel serves as a respite, a home away from home; therefore, an incident could mean losing internet access or, even worse, being unable to enter their rooms. Even a single cyberattack can overshadow an otherwise great experience, resulting in negative reviews for an industry that prides itself on taking the best care of its clientele so that they can focus on their travels and why they are traveling.
Furthermore, high employee turnover rates and the widespread use of easily accessible point-of-sale systems increase the risk for these organizations. While data is crucial for growth in the hospitality sector, a larger volume of personal data makes these companies more appealing targets for cybercriminals.
So, what vectors do cyberattackers exploit?
Based on our 8th Annual Hacker-Powered Security Report (HPSR), cross-site scripting attacks continue to pose a significant threat to the hospitality industry, which reports higher-than-average occurrences of these vulnerabilities. This surge can be attributed to the vast attack surfaces presented by companies within the sector paired with the varying levels of asset maturity as organizations work to unify their tech stack and SDLC processes. Additionally, the rise of artificial intelligence tools, such as booking chatbots, has raised new security concerns; a recent survey found that 48% of security professionals view AI as a major risk to organizations.
Frequent mergers and acquisitions in the hospitality industry further exacerbate vulnerability, as it is common for each hotel property to maintain its own web presence, increasing exposure to potential attacks. The industry’s focus on customer loyalty programs has also led to a rise in information disclosure and Insecure Direct Object References (IDOR), and IDOR can itself contribute to the increased information disclosure, making data security a priority. As cybercriminals become more innovative in exploiting vulnerabilities that impact the hospitality sector, the stakes for the hospitality industry are higher than ever.
What Hospitality Organizations Can Do
Despite the need for heightened security, many companies are barely increasing their security budgets and stalling on hiring at a time when resources are most necessary. According to a recently published IANS Research report, one-third of companies either had flat budgets or made cuts to their security budgets in the last year. Contributing factors include the ongoing IT skills gap that has worsened in the past few years, resulting in critically understaffed IT teams during one of the most precarious periods in cybersecurity history.
Security researchers can play a crucial role in bridging these gaps by identifying vulnerabilities before malicious actors can exploit them. Notably, 70% of survey respondents in the HPSR reported that hacker efforts helped them avert significant security incidents, emphasizing that only skilled hackers possess the expertise needed to outsmart attackers and protect hospitality organizations. Moreover, security researchers often provide their services at a fraction of the cost of hiring additional full-time staff or entering into expensive third-party partnerships.
Across industries, the cost of identifying a bug averages between $1,000 and $4,000—a fraction of the financial impact a breach can cause. Since Hyatt Hotels launched its public bug bounty program in 2019, the company has resolved over 500 potential security risks and awarded more than $800,000 in bounties. As Hyatt senior analyst Robert Lowery noted: “Security researchers help us reduce risk by constantly testing our production environments… While it’s challenging to quantify a potential attack, we’re confident that the remediations based on their reports have strengthened our security posture.”
The urgency of engaging security researchers increases with the rise of generative AI tools, which experts warn could lead to more sophisticated cyberattacks targeting hospitality companies. Unsurprisingly, 55% of respondents indicated that generative AI will become a significant focus for them in the coming years, with 14% already viewing it as a substantial concern. If recent history is any indicator, the dire circumstances necessitating the involvement of hackers are unlikely to improve anytime soon.
As the hospitality industry enjoys a well-deserved rebound, it is crucial—albeit uncomfortable—to remain vigilant and prepare for worst-case scenarios. In the current threat landscape facing the hospitality sector, security researchers play an indispensable role in safeguarding businesses against cyber threats.