The hospitality sector’s embrace of digital transformation has left it increasingly vulnerable to cyber threats, according to Trustwave’s 2025 Risk Radar Report for the Hospitality sector.
As hotels, resorts, and restaurants integrate advanced technologies like mobile check-in, smart room controls, and AI-powered guest services, they’re also creating expansive attack surfaces, often without the security infrastructure to match.
High Value Targets, Low Quality Defenses
Hospitality organizations manage massive amounts of personal data, including names, credit card details, passport numbers, and travel itineraries. This makes them a prime target for cybercriminals; 81% of these organizations admitted experiencing a cyber incident in the past year, while 57% suffered multiple attacks.
Despite the apparent risk, hospitality organizations remain underprepared to deal with cybersecurity incidents. Only 57% said they are confident in their ability to detect and respond to cyber attacks in real time, and 24% still don’t have an incident response plan in place.
Ransomware, Phishing, and Insider Threats Top the Risk List
According to the report, ransomware continues to dominate the threat landscape, cited as the number one threat by respondents. Phishing and business email compromise (BEC) follow close behind, which is unsurprising considering the high volume of email communications and staff turnover in hospitality environments.
Insider threats are also on the rise, particularly in franchise models and organizations with high numbers of seasonal or temporary workers. Many respondents flagged concerns over accidental data exposure and poorly managed access permissions.
Retail Breaches Foreshadow Sector-Wide Risks
The hospitality sector’s growing cyber exposure comes amid a wave of high-profile breaches across adjacent industries. Recent cyberattacks on major UK retailers – including Harrods, Marks & Spencer, and Co-op – serve as a warning to hospitality organizations.
“Both sectors share similarities that make them attractive to cybercriminals,” says Ed Williams, VP of Consulting and Professional Services at Trustwave. “Yet hospitality faces unique challenges that could amplify its exposure in certain contexts.”
Those challenges include outdated infrastructure, fragmented IT systems, and the strain of peak-season demand. During high-traffic periods, hotels and restaurants often struggle to maintain consistent patching and access controls, providing attackers with ideal conditions to exploit system weaknesses.
Unsecured Wi-Fi and IoT: Open Doors for Attackers
As with so many industries, public-facing technology is a critical blind spot for the hospitality sector. According to the report, guest Wi-Fi networks – often unsecured or poorly configured – are a common attack vector. Threat actors frequently use tactics like man-in-the-middle attacks or create spoofed Wi-Fi networks to intercept data or deploy malware.
“Guests may also connect to fake Wi-Fi hotspots set up by attackers, compromising their devices and data,” warns Williams. “These situations are often amplified during peak seasons when booking volumes are high and people are travelling or utilizing hospitality businesses more frequently. This causes a strain on systems and staff, which can increase errors and vulnerabilities.”
The widespread use of insecure IoT devices, such as smart thermostats and keyless entry systems, in the hospitality sector compounds this risk. According to the Trustwave report, 60% of unsecured IoT devices in hospitality environments had been exploited during a cyber incident.
Leadership Gap Undermines Security Progress
While awareness of cyber risk is growing – 72% of respondents said cybersecurity is a high priority – strategic oversight is still lacking. Only 22% of UK hospitality organizations surveyed have assigned board-level responsibility for cybersecurity. This leaves a critical gap in governance and resource allocation.
“Asset management is critical in the UK hospitality sector,” Williams notes. “It ensures operators identify, track, and secure all digital assets – such as POS systems, booking platforms, IoT devices, and guest Wi-Fi – reducing vulnerabilities and enabling rapid response to cyber incidents.”
However, the report reveals many organizations are still struggling with visibility over their infrastructure. Without a clear understanding of their digital assets, businesses are slower to detect anomalies and less prepared to contain and recover from threats like ransomware and phishing attacks.
Building Resilience Starts with the Basics
Amidst this increasingly complex and treacherous threat landscape, Trustwave recommends hospitality organizations take several foundational steps to minimize risk and reduce exposure.
- Establish board-level ownership of cyber risk.
- Implement structured asset management programs.
- Secure public Wi-Fi with modern encryption and user authentication.
- Apply regular patching protocols, particularly for IoT devices.
- Train staff regularly to spot phishing and social engineering attempts.
As attackers evolve their methods, hospitality businesses must match that pace with smarter, more consistent defenses. With millions of customer records and brand reputations at stake, hospitality organizations can no longer afford to do cybersecurity by half measures.
Josh is a Content writer at Bora. He graduated with a degree in Journalism in 2021 and has a background in cybersecurity PR. He's written on a wide range of topics, from AI to Zero Trust, and is particularly interested in the impacts of cybersecurity on the wider economy.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.


