The modern traveller moves through a digital minefield. Every tap of their phone, every swipe of their keycard, every scan of their passport creates a digital footprint that cybercriminals are increasingly eager to exploit. The tourism industry, once concerned primarily with bed occupancy and customer satisfaction, now faces an existential challenge: how to protect the vast troves of personal data that fuel today’s travel experience whilst maintaining the seamless convenience that travellers demand.
The travel and tourism sector ranked third in cyberattack incidents, a sobering statistic that reflects the industry’s transformation into a prime target for cybercriminals. This isn’t merely about stolen credit card numbers; it’s about the comprehensive personal profiles that modern travel requires: passport details, biometric data, location histories, financial information, and behavioural patterns that collectively create incredibly valuable datasets.
The numbers tell a stark story. The average cost of a hospitality data breach in 2023 was $3.36 million, up from $2.94 million in 2022. More concerning is the repeat victimisation: 89 percent of hospitality businesses that experienced a data breach suffered repeat breaches, with the per-breach cost averaging $3.4 million. This suggests that many tourism organisations are failing to learn from their cybersecurity failures.
When Las Vegas Went Dark
The September 2023 cyberattack on MGM Resorts provides a masterclass in how cybersecurity failures can devastate tourism operations. The attacks left many hotel guests locked out of rooms, disrupted casino operations and temporarily impacted online reservations. The financial impact was staggering: MGM lost roughly 8.4 million dollars a day in revenue due to the attack, with the company ultimately expecting a $100 million hit to its third-quarter results.
The MGM incident illustrates the interconnected nature of modern tourism infrastructure. When hackers penetrated the system, they didn’t just steal data—they paralysed the entire guest experience. Elevators stopped working, slot machines went offline, and guests couldn’t access their rooms. The attack demonstrated how cybersecurity isn’t just about protecting data; it’s about maintaining operational continuity in an industry where guest experience is paramount.
The Hospitality Vulnerability
The hospitality sector’s vulnerability stems from its unique operational characteristics. Hotels and resorts operate 24/7 with minimal IT staffing, rely on legacy systems that are difficult to secure, and handle vast amounts of guest data across multiple touchpoints. In 2024, Omni Hotels & Resorts fell victim to a cyberattack that necessitated a system shutdown to safeguard sensitive data, disrupting various services including reservations and point-of-sale systems.
This vulnerability is exacerbated by the industry’s fragmented nature. A single guest journey might involve airline systems, hotel property management systems, restaurant point-of-sale terminals, and third-party booking platforms. Each represents a potential entry point for cybercriminals, creating a complex web of interdependencies that is difficult to secure comprehensively.
Tourism organisations possess exactly the type of data that cybercriminals value most: complete personal profiles linked to financial information and travel patterns. A guest’s hotel stay generates passport details, credit card information, location data, behavioural preferences, and often biometric data. This information is far more valuable than simple credit card numbers because it enables identity theft, financial fraud, and sophisticated social engineering attacks.
The industry’s embrace of personalisation has inadvertently created this vulnerability. The same data analytics that enable hotels to anticipate guest preferences also create comprehensive profiles that are incredibly valuable to cybercriminals. The challenge lies in protecting this data whilst maintaining the personalised service that drives guest satisfaction and loyalty.
Ransomware attacks have become the preferred weapon of cybercriminals targeting tourism. On July 15, 2024, the Disney company was hit by a ransomware attack by the hacker group Nullbulge, resulting in a significant data breach involving 1 TB of sensitive information. The tourism industry’s reliance on operational systems makes it particularly vulnerable to ransomware, as even brief shutdowns can cause massive revenue losses and guest dissatisfaction.
The MGM case illustrates this perfectly. The company chose not to pay the ransom, instead accepting the operational disruption and financial losses. This decision, whilst principled, highlights the impossible choice that tourism organisations face: pay criminals or accept potentially catastrophic operational consequences.
Tourism’s global nature creates additional cybersecurity complexities. Data flows across international borders, different jurisdictions have varying data protection requirements, and coordination between international law enforcement agencies remains challenging. A cyberattack on a hotel chain can affect guests from dozens of countries, each with different legal expectations and regulatory frameworks.
The industry must navigate varying cybersecurity standards across different markets. A hotel company operating in Europe, Asia, and North America must comply with GDPR, local data protection laws, and emerging regulations whilst maintaining consistent security standards across all properties. This complexity creates opportunities for cybercriminals to exploit jurisdictional gaps and regulatory inconsistencies.
The same technologies that enhance the guest experience also create new vulnerabilities. Internet of Things devices in hotel rooms, mobile check-in systems, and contactless payment solutions all create potential entry points for cybercriminals. The industry’s rush to embrace new technologies often outpaces its ability to secure them effectively.
Governments worldwide are responding to the tourism cybersecurity crisis with increasingly stringent regulations. Data protection laws now impose significant penalties for breaches, and cybersecurity standards are becoming mandatory for certain tourism operators. MGM Resorts faces a $45 million class-action settlement related to data breaches that occurred in July 2019 and September 2023, demonstrating the long-term legal consequences of inadequate cybersecurity.
The regulatory landscape is evolving rapidly, with new requirements for breach notification, data minimisation, and cybersecurity resilience. Tourism organisations must navigate this complex regulatory environment whilst maintaining operational efficiency and guest satisfaction.
The Path Forward
The tourism industry’s cybersecurity future depends on recognising that digital security is not a technical add-on but a fundamental aspect of modern hospitality. This requires a shift from reactive to proactive security thinking, where cybersecurity considerations are embedded in every operational decision.
Investment in cybersecurity must match the industry’s investment in guest experience technologies. This means not only implementing technical security measures but also developing comprehensive security cultures that recognise every employee as a potential defender against cyber threats.
The industry must also embrace collaboration. Cybersecurity threats affect all tourism operators, regardless of size or market position. Sharing threat intelligence, best practices, and security resources can help the entire industry become more resilient.
Ultimately, tourism cybersecurity is about maintaining the trust that enables the industry to function. Guests who don’t trust hotels with their data will seek alternatives. Those who fear that their personal information will be compromised will curtail their travel. The industry’s long-term viability depends on demonstrating that it can protect the data that guests entrust to it.
The challenge is communicating security measures without creating anxiety. Guests want to feel secure without being reminded constantly of the threats they face. This requires a sophisticated approach to security communication that builds confidence without creating fear.
The tourism industry stands at a crossroads. It can continue to treat cybersecurity as a cost centre and reactive necessity, accepting periodic breaches as the price of doing business. Or it can embrace cybersecurity as a competitive advantage, demonstrating to guests that their data is safer with organisations that take security seriously.
The MGM case shows the cost of the first approach. The companies that thrive in the increasingly connected world of tourism will be those that choose the second path, recognising that in an age where data is the new currency, cybersecurity is not just about protection—it’s about survival.
The future of tourism depends on the industry’s ability to balance the convenience and personalisation that guests demand with the security and privacy they deserve. Those who master this balance will not only survive the cybersecurity challenge but will find it becomes their greatest competitive advantage.