Holiday Inn building showing cyber attack impact on hotel chains

It Should Not Take a Cyberattack To Force Changes at Our Biggest Hotel Chains

Picture this: You have spent years building a small business through painstaking labor, even sleeping at the property many nights, when without warning a cyberattack stops your business in its tracks. Frustrated that they cannot get through, your customers turn to your competitors, and you lose thousands of dollars.

Now consider this: There was nothing you could have done to prevent the cyberattack, which apparently came from a Vietnamese couple exploiting a weak password, Qwerty1234. That is because your small business, a Holiday Inn hotel, relies on the Holiday Inn franchisor IHG Hotels & Resorts for guest room booking systems like the one that crashed for several days last month.

Members of the Asian American Hotel Owners Association (AAHOA), where I serve as the President and CEO, were doubly victimized. First, hotel room reservations slowed to a trickle as IHG’s online booking  channels, reservations & customer care call centres, and internal systems were offline for more than 48 hours, an outage that also took down third-party reservations through sites like booking.com. Secondly, hotel owners have been left to guess what caused the outage – IHG has never confirmed that it was a ransomware attack – and whether IHG is taking any steps to prevent such attacks in the future. The U.K.-based company has communicated very little about the incident, other than vague assurances that it will “review and further enhance our security measures.”

Hotel owners deserve better. Many AAHOA members are first- and second-generation immigrants, staking their life savings and their children’s futures on investments in hotel brands like IHG’s InterContinental, Kimpton, Crowne Plaza, Holiday Inn and Staybridge Suites. Hotel owners can rightly ask what they get for the expensive monthly technology fees that IHG charges them per room, if it does not cover measures to protect the booking systems and assure guests of the integrity of their data. IHG also charges hotels 8 cents per credit card transaction. What do hotel owners get for those fees? Not only systems vulnerable to cyberattacks, but a corporate office that does the bare minimum when it comes to communicating to hotel owners.

Unfortunately, this attitude is all too familiar to AAHOA’s 20,000 members, who own 60 percent of U.S. hotels including such popular brands as Marriott, Hilton and Holiday Inn. While guests see these global brands on billboards and building facades, the person behind the front desk could be the hotel owner: perhaps the child of immigrants raising children of his or her own, who attend the same school as your children. Hotel owners are part of the lifeblood of any community, and AAHOA members are responsible for 1.7 percent of the nation’s GDP. Hotel owners opened their doors to first responders and others involved in relief efforts from Hurricane Ian, much as they have done with prior disasters.

Yet, for their contributions, hotel owners often are treated as afterthoughts by the big chains. Whether on cybersecurity, unfairly low reimbursement rates for loyalty points redeemed by guests, or kickbacks from vendors mandated by corporate offices, the hotel chains try to dictate terms that are favorable to them rather than the owners. The chains have made it harder for owners to reinvest in their properties to ensure positive guest experiences and long-term growth. This is why AAHOA members stand behind our 12 Points of Fair Franchising to ensure a balanced relationship between franchisors and franchisees – which is critical to sustaining our industry during a time of pandemic-wrought changes in business travel and app-based short-term home rentals.

Hotel owners need the chains to act as true partners in helping our industry meet the challenges of today and tomorrow.

One of those challenges is staying at the leading edge of technologies that make it easier for guests to book rooms and customize their experiences. That is much harder to do when systems are vulnerable to hacking – as we saw with IHG last month and in 2016. The earlier attack, which IHG also sought to downplay, lasted three months and compromised guests’ credit card data. Hotel systems are a prime target for hackers, due to their perceived weak defenses and troves of user data, and chains need to take the threat more seriously. It should not take lawsuits, like one filed by some AAHOA members, to compel IHG to share with hotel owners what happened and what is being done to protect systems and guest data. Our members hold themselves to high standards. So should the big chains.