How to avoid security issues while developing hotel management software?

8 min read, Dec 2, 2022

When developing a hotel management system (HMS), it’s crucial to ensure that your company’s information is safe and secure. Using strong passwords, sharing information carefully, and providing educational programs for employees are the basics of data protection. However, apart from the human factor, you should also consider vulnerabilities coming from the technical side.

  • Does your hotel management app have strong encryption?
  • Is it developed according to SSDLC?
  • Is it compliant with PCI DSS requirements?

All these things matter for app security. So, if you want to create a reliable and brand-supporting system, learn how to avoid security issues when developing a hospitality app.

Hotel data breach cases

It may seem that hotel data is not of particular interest to intruders, but that is not the case. The hotel industry has experienced enormous data breaches over the last few years. According to IBM, hospitality is on the list of the most vulnerable areas, following healthcare, finance, and retail.

The main reason for hotel software breaches is that such systems collect a lot of sensitive data from their guests. This includes credit card numbers, addresses, passport information, and more. If this data falls into the wrong hands, it can be used to commit identity theft or fraud.

The most high-profile hotel system breaches are associated with big names like Marriott, IHG, and MGM Resorts. Below, we give some detail on these breaches.

The Marriott data breach

Marriott International is a leading company in the hotel services market, with 2,800 hotels located worldwide. It experienced data theft cases three times: one in 2014, which was revealed only in 2018, one in 2020, and one in 2022.

The first data breach happened because of a security gap in the hotel operations software, which allowed a Remote Access Trojan to gain entry. As a result, the company was fined $123 million under GDPR, while the total cost of the breach reached $1 billion.

The second breach happened when an unauthorized party used the login credentials of two hotel employees to copy and encrypt sensitive information, including customer names, addresses, passport numbers, and travel bookings. More than 5 million guests were affected then.

On the third occasion, hackers gained access to the hospitality management system using social engineering and accessed the data of 400 people. The attackers demanded a ransom to not disclose the data, but Marriott refused to pay.

Marriott International informs their customers about a huge data breach

InterContinental Hotels Group data breach

InterContinental Hotels Group (IHG) is behind brands like Holiday Inn, Crowne Plaza, and Kimpton Hotels & Resorts. It is a large British operator of hotel chains with headquarters in Washington.

Like Marriott International, IHG has experienced data leaks on several occasions.

In 2017, their hotel management application was attacked over a period of three months. As a result, intruders gained access to the credit card data of IHG guests and used it for fraudulent transactions. IHG was ordered to pay $1.5 million in a class action lawsuit.

In 2022, IHG was hacked again. This time, it resulted in an outage of the booking channels and mobile apps. Even though IHG officials did not comment on the nature of the attack, some cybersecurity experts suggested it was caused by ransomware.

MGM Resorts International data breach

MGM Resorts International specializes in hospitality, entertainment, casinos, and resorts. It operates in the majority of US states and cities including Las Vegas, Detroit, New Jersey, Maryland, and more.

In 2019, a hacker attack was carried out on the company’s cloud server. This allowed attackers to gain access to 1 billion accounts of MGM Resorts’ customers. The stolen data was posted on a hacker forum and contained:

  • name of person
  • date of birth
  • home address
  • email address
  • telephone

The good news is that the hacked data did not contain payment information. However, the affected people have become potential victims of spear phishing, SIM card swapping, and other types of cyberattacks.

Third-party integrations and other risks

Third-party integrations are an important part of hotel management solutions. They allow hotels to connect with different systems and platforms to manage their operations more effectively. This can include everything from online booking systems to accounting and HR platforms.

The most common integrations in the hotel system software are:

  • Payment gateway
  • Customer relationship management (CRM)
  • Business intelligence (BI)
  • Accounting and taxation
  • Customer support platforms
  • Know Your Customer (KYC) tools

The benefits of third-party integrations are many. They can help hotels improve efficiency, increase customer satisfaction, and optimize their operations. By connecting with different systems, hotels can get a more holistic view of their business and make better decisions based on data collected from all aspects of their operation.

Although third-party integrations can be a huge help, they also come with a certain amount of risk. When you integrate your hospitality management software with a third party, you’re essentially giving that company access to your data and systems. And if your partner company does not have high security standards in place, you risk a data breach through no fault of your own.

Take, for example, a payment gateway. On the one hand, it is a great way to streamline the checkout process for your customers. On the other hand, there is a potential risk that payment information may be leaked. So, how do you know if the payment gateway provider meets stringent security requirements? Here is what you need to check:

  • PCI DSS compliance
  • Data encryption
  • Secure Sockets Layer (SSL), now superseded by TLS
  • Secure Electronic Transaction (SET)
  • Tokenization

When you are sure that your potential partner follows rigorous security protocols, you can proceed to integrate the third-party system into your hotel platform.
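As an added example (not code from the original article or from Erbis), the Python sketch below shows what the tokenization item above means for an HMS: the booking record keeps only a gateway token and a masked number, the `GatewayVaultStub` class stands in for the real provider's tokenization API (an assumption, not any vendor's SDK), and a guard refuses to persist any record that still contains a Luhn-valid card number.

```python
import re
import secrets

# Constructed pattern: 13-19 digit runs with optional space/dash separators.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(pan: str) -> bool:
    """Luhn checksum: screens out numbers that merely look like card numbers."""
    digits = [int(c) for c in pan if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return len(digits) >= 13 and total % 10 == 0

def mask_pan(pan: str) -> str:
    """Display form: only the last four digits are kept, the rest is masked."""
    digits = "".join(c for c in pan if c.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]

class GatewayVaultStub:
    """Stand-in for the payment gateway's tokenization API (assumption, not a real SDK).
    The raw PAN lives only inside the gateway; the HMS database never sees it."""
    def __init__(self):
        self._vault = {}

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = pan
        return token

def tokenize_booking_card(booking: dict, gateway) -> dict:
    """Swap the raw card number in a booking for a gateway token plus masked number."""
    pan = booking.pop("card_number")
    if not luhn_ok(pan):
        raise ValueError("invalid card number")
    booking["card_token"] = gateway.tokenize(pan)
    booking["card_masked"] = mask_pan(pan)
    return booking

def contains_pan(record: dict) -> bool:
    """Persistence guard: True if any string field still holds a Luhn-valid PAN."""
    for value in record.values():
        if isinstance(value, str):
            if any(luhn_ok(m.group()) for m in PAN_RE.finditer(value)):
                return True
    return False
```

Running `contains_pan` on every record before it reaches the database (booking notes and free-text fields included) is what keeps the HMS out of PCI DSS scope for stored card data.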

Top 5 technical reasons for security vulnerabilities

There are always technical reasons why cyberattacks on HMSs succeed. It’s important to understand them in order to either prevent their success or promptly fix them.

Poorly configured systems and applications. According to a recent cyber security report, 80% of pentests on software systems have detected configuration mistakes that can be used for malicious penetration. Another report claims that at least 50% of IT specialists are not sure of the reliability of the security tools they have installed.

Insufficient security testing. This can happen when developers don’t test their code for all possible inputs, or when they rely on automated tools that don’t simulate real-world conditions. To avoid this, it’s important to have a comprehensive security testing plan that covers all aspects of the application. This plan should be designed to find both known and unknown vulnerabilities. And it should be executed by trained security professionals who understand how to find and exploit weaknesses in code.

Inadequate security monitoring. If you’re not monitoring your hotel management system 24/7, you’re leaving yourself open to attack. And even if you are monitoring it, there’s a chance that you’re not doing it properly, which is why it’s always a good idea to outsource this critical task to a software development company that specializes in security.

Lack of incident response plan. An incident response plan (IRP) is a document that outlines the steps your company will take in the event of a data breach, hacking, or product malfunction. It’s essential for two reasons: first, it ensures that your team will act quickly and efficiently in the event of an incident; and second, it helps protect your company from legal and financial penalties.

Lack of secure software development life cycle (SSDLC). An SSDLC is a process that helps you ensure the security of your hotel’s management system from the very beginning. It includes steps like designing for security, testing for security, and remedying any vulnerabilities found. By implementing a secure SDLC, you can protect your software from hackers and avoid costly security breaches.

Why cyberattacks succeed

Disadvantages of ready-made hotel management software tools

Hotel management software tools have become popular in the past few years. There are good reasons for that: they help hotels keep track of their bookings, reservations, and finances, and they make the process of managing a hotel much easier.

There are many different ready-made hospitality CRMs and other systems on the market these days. While several of them are great, there are a few disadvantages to using these tools.

1. They can be expensive, especially for smaller businesses. For example, the price of GuestPoint software starts from $125.00 per month, and Skyware charges $5,000 and higher.

2. They can be time-consuming to set up and configure. In the majority of cases, you will need the help of software developers to set up a hotel app.

3. They often lack flexibility. Hotel management software tools are often very rigid in their design, which can make it difficult to make changes or updates down the road. So it is often easier to develop an app like CloudBeds or SevenRooms from scratch than to learn how to customize an off-the-shelf solution.

4. They don’t fit the specific needs of a hotel. They may be too simplistic or too complex, or they may not have all the features that the hotel needs.

5. They make you dependent on a third-party organization. If your lodging management system provider has technical, legal, or economic problems, they will directly affect your hotel business.

Cons of off-the-shelf software systems

Custom hotel management app development

In today’s digital age, it’s essential to have a top-notch solution to manage your hotel operations quickly and efficiently.

A custom hotel management app can streamline your workflow, improve communication with guests, and provide a better overall guest experience.

Custom hotel software tailored to your business can include whatever features you need, such as:

  • check-in system
  • booking tools
  • revenue management system
  • room management
  • housekeeping management
  • rate management
  • group reservations
  • invoicing
  • etc.

Also, the app may be developed for the platform of your choice. It can run on the web or on mobile devices and be delivered as SaaS or as an on-premises application.

During hotel app development, it is essential to evaluate security risks and ensure your guests’ data is securely protected. The four tips below will help you avoid security issues and develop a robust hotel app:

Do your research. Make sure you understand the hotel industry and the specific needs of your hotel business before starting the development process. This will help you identify any potential security risks and address them early on.

Work with a reputable development company. Choose a software development company that has experience in developing hotel management apps. Ask them about their security procedures and make sure they are up to date with the latest security standards.

Test the app thoroughly. Once the app is developed, test it for security vulnerabilities before release. Hire a third-party security expert to test the app if necessary.

Keep your app up to date. Use the latest security patches and updates. This will help prevent any new security risks from appearing.

If you’re looking for a technology partner to outsource hotel app development, look no further. At Erbis, we have 10+ years of experience in developing hospitality solutions. Contact us today, and let’s create an outstanding HMS together!