Hotel database security

International hotels are a fantastic target for identity thieves. Hotel databases don’t just hold credit card numbers and billing addresses (which are held for weeks in advance of a stay and for weeks afterwards to cover incidentals), but for many customers the hotel also has their home address, mobile phone number, driver licence number, airline memberships and arrival flight details. And even passport number is routinely collected by hotels in Asia. It’s a complete cornucopia for criminals.

And the most dangerous, most difficult to control threat vector in the hotel industry won’t be war-driving or SQL injection attacks or any of the other high tech hacking tools used by organised crime. It will be the inside job. Thousands of itinerant hotel workers in every corner of the world have the opportunity to access office systems after hours, and simply download the contents of central databases to a thumb drive.

The vulnerability of hotel databases to identity thieves has clear implications for national security. I trust that counter terrorism agencies are working on this problem? These databases reveal the forward travel plans for thousands of VIPs worldwide.

We should expect that organised criminals and terrorist organisations are tapped into hotel databases as we speak, and are mining them systematically.