The hotel cybersecurity threat landscape in 2025 looks fundamentally different from 2015. Buildings that were once managed through physically isolated control systems are now connected via IP networks — BAS/BMS platforms, HVAC controls, access control systems, elevator management, and parking systems all communicate over the same infrastructure that carries guest WiFi and front desk POS terminals. This convergence of operational technology (OT) and information technology (IT) creates attack surfaces that did not exist in previous generations of hotel building systems.

High-profile hotel cybersecurity incidents have included ransomware attacks that encrypted hotel management systems and demanded payment for decryption, guest data breaches that exposed millions of loyalty member records, and proof-of-concept demonstrations that building systems like HVAC could be compromised through connected network vulnerabilities. For hotel facility managers, cybersecurity is no longer a pure IT department concern — it is a building operations concern.

The Converged IT/OT Attack Surface

Traditional hotel cybersecurity focused on:

  • PMS (Property Management System) and reservation data
  • Payment card systems and PCI compliance
  • Guest WiFi and internet access
  • Email and office productivity systems

The 2025 threat surface additionally includes:

  • Building Automation Systems: BAS platforms with internet-connected management interfaces are a documented attack target. Compromised BAS access could allow attackers to disable HVAC systems, unlock access-controlled doors, or create guest safety incidents.
  • IoT devices: In-room smart thermostats, connected TVs, door access readers, and occupancy sensors may run outdated firmware with known vulnerabilities. Mass exploitation of unsecured IoT devices is a demonstrated attack technique.
  • Parking management systems: Internet-connected PARC systems with web-based management interfaces require the same network security attention as PMS platforms.
  • Video surveillance systems: IP camera systems with poor password hygiene or unpatched firmware are among the most commonly compromised building systems — used as initial access points or as components of botnet attacks.
  • Elevators and life safety systems: Some modern elevator and fire alarm systems have remote management interfaces that, if compromised, could affect building operations in ways that go beyond data theft.

Fundamental Security Controls

The following controls address the most common attack vectors in hotel environments:

Network segmentation: Guest WiFi, hotel operational systems (PMS, POS), building systems (BAS, access control), and payment card environments should be on separate, firewalled network segments. Traffic between segments should be restricted to only what is operationally required. A compromise on the guest WiFi network should not provide access to the BAS or PMS.
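One way to check that segmentation actually holds is to audit the firewall's own accept log against the segment plan. The script below is an added example, not code from the original article: the segment names, address ranges, allow-list and log line format are all constructed for illustration, and the only inter-segment flows it treats as legitimate are the two listed in ALLOWED_FLOWS. Any accepted flow that crosses from one segment to another without an allow-list entry (guest WiFi reaching a BAS controller, for instance) is reported as a violation.

```python
"""Audit accepted firewall flows against a hotel segmentation policy.

Added example, not part of the original article. Segment ranges,
the allow-list and the log format are constructed for illustration.
"""
import ipaddress
import re

# Constructed segment plan: each segment is its own VLAN / firewall zone.
SEGMENTS = {
    "guest_wifi": ipaddress.ip_network("10.10.0.0/16"),
    "hotel_ops": ipaddress.ip_network("10.20.0.0/24"),    # PMS, POS back office
    "building": ipaddress.ip_network("10.30.0.0/24"),     # BAS, access control, cameras
    "cardholder": ipaddress.ip_network("10.40.0.0/24"),   # payment card environment
}

# Inter-segment flows that are operationally required (constructed).
# Anything not listed is a violation: default deny between segments.
ALLOWED_FLOWS = {
    ("hotel_ops", "building", "tcp", 443),     # ops workstation -> BAS web UI
    ("hotel_ops", "cardholder", "tcp", 443),   # POS -> payment gateway proxy
}

# Constructed syslog-style firewall lines (assumed format, not a real product's).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)

SAMPLE_LOG = """\
2025-03-04T02:11:09Z fw01 ACCEPT src=10.10.5.23 dst=10.30.0.15 proto=udp dport=47808
2025-03-04T02:11:10Z fw01 ACCEPT src=10.20.0.8 dst=10.30.0.15 proto=tcp dport=443
2025-03-04T02:11:12Z fw01 ACCEPT src=10.10.5.23 dst=203.0.113.10 proto=tcp dport=443
2025-03-04T02:11:15Z fw01 DROP src=10.10.7.4 dst=10.20.0.8 proto=tcp dport=3389
2025-03-04T02:11:18Z fw01 ACCEPT src=10.30.0.40 dst=10.20.0.8 proto=tcp dport=22
2025-03-04T02:11:20Z fw01 ACCEPT src=10.10.9.1 dst=10.40.0.5 proto=tcp dport=443
""".splitlines()


def segment_of(ip):
    """Name of the segment containing ip, or None for external addresses."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def parse_line(line):
    """Parse one firewall log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def audit(lines):
    """Return accepted flows that cross segments without an allow-list entry.

    Each violation is (timestamp, src_segment, dst_segment, proto, dport).
    Dropped traffic is skipped (the firewall already did its job), as is
    intra-segment traffic and anything involving an external address.
    """
    violations = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        src_seg, dst_seg = segment_of(rec["src"]), segment_of(rec["dst"])
        if src_seg is None or dst_seg is None or src_seg == dst_seg:
            continue
        key = (src_seg, dst_seg, rec["proto"], rec["dport"])
        if key not in ALLOWED_FLOWS:
            violations.append((rec["ts"], *key))
    return violations


if __name__ == "__main__":
    for v in audit(SAMPLE_LOG):
        print("segmentation violation:", v)
```

Run against the constructed sample, the audit flags three accepted flows: guest WiFi to a building controller on UDP 47808 (the BACnet port), a building-segment device opening SSH toward the PMS segment, and guest WiFi reaching the cardholder segment. The allowed PMS-to-BAS HTTPS session and the guest's outbound internet traffic pass. Feeding the same function a day's real accept log is a cheap way to confirm that the segment boundaries described above are enforced rather than merely drawn.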

Strong credential management: Default passwords on network devices, BAS platforms, camera systems, and IoT devices are the most common initial access vector in building system compromises. Establish a policy requiring non-default, strong passwords on all network-connected systems, with documented credential storage in a password manager.

Patch and update management: Firmware updates for building system components — BAS controllers, IP cameras, access control panels, EVSE networks — address security vulnerabilities identified after initial installation. Establish a quarterly review of pending firmware updates for all connected building systems; prioritize security-rated updates for immediate application.
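The quarterly review is easier to keep honest when the pending-update list is generated from an inventory rather than assembled by hand. The script below is an added example, not from the original article or any vendor: the device records, firmware versions and release dates are constructed, and "security_rated" is an assumed inventory field that a facility team would populate from the vendor's release notes. It also shows why firmware versions must be compared numerically, since a plain string comparison would rank 2.9 above 2.10.

```python
"""Build a prioritized firmware review list from a building-system inventory.

Added example, not part of the original article. Device names, versions,
dates and the security_rated field are constructed for illustration.
"""
from datetime import date

# Constructed inventory: one record per network-connected building component.
INVENTORY = [
    {"device": "lobby-cam-03", "segment": "building", "installed": "4.9.1",
     "available": "4.10.0", "security_rated": True, "released": date(2025, 1, 15)},
    {"device": "bas-ctrl-01", "segment": "building", "installed": "3.2.0",
     "available": "3.2.0", "security_rated": False, "released": date(2024, 9, 1)},
    {"device": "door-panel-east", "segment": "building", "installed": "1.4",
     "available": "1.4.2", "security_rated": False, "released": date(2024, 11, 20)},
    {"device": "evse-ctrl-02", "segment": "building", "installed": "2.0.5",
     "available": "2.1.0", "security_rated": True, "released": date(2024, 12, 1)},
]


def version_key(version):
    """Turn '2.10.3' into (2, 10, 3) so that 2.10 sorts after 2.9.

    Non-numeric suffixes such as '1.4b' are reduced to their digits;
    a component with no digits counts as 0.
    """
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_outdated(installed, available):
    """True when the vendor's available firmware is newer than what is installed."""
    return version_key(installed) < version_key(available)


def pending_updates(inventory, today):
    """Return outdated devices, security-rated first, oldest release first.

    Security-rated updates are marked for immediate application; everything
    else is queued for the next quarterly review, as the article recommends.
    """
    pending = []
    for dev in inventory:
        if not is_outdated(dev["installed"], dev["available"]):
            continue
        pending.append({
            "device": dev["device"],
            "installed": dev["installed"],
            "available": dev["available"],
            "priority": "immediate" if dev["security_rated"] else "next_quarterly_review",
            "age_days": (today - dev["released"]).days,
        })
    pending.sort(key=lambda d: (d["priority"] != "immediate", -d["age_days"]))
    return pending


if __name__ == "__main__":
    for item in pending_updates(INVENTORY, date(2025, 3, 4)):
        print(f"{item['priority']:>22}  {item['device']:<16} "
              f"{item['installed']} -> {item['available']}  ({item['age_days']} days old)")
```

On the constructed inventory the list comes out as the EV charging controller first (a security-rated update that has been available for 93 days), then the lobby camera (security-rated, 48 days), then the door panel's non-security update for the next quarterly pass; the BAS controller is current and does not appear. The age column is the useful signal for a facility manager: a security-rated update that has sat unapplied for a full quarter is exactly the gap this control is meant to close.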

Multi-factor authentication (MFA): Any system accessible from outside the hotel network — PMS with cloud management, remote BAS access, email — should require MFA. Credential theft via phishing is the leading cause of hotel data breaches; MFA prevents stolen credentials from being sufficient for unauthorized access.

Endpoint detection: Modern endpoint detection and response (EDR) tools on all hotel servers and management workstations provide visibility into malicious activity and contain threats before they spread. Antivirus alone is insufficient against current ransomware variants.

Staff security awareness training: The majority of hotel cybersecurity incidents begin with phishing emails — staff who click malicious links or provide credentials in response to convincing impersonation emails are the most common initial access vector. Annual security awareness training, with quarterly phishing simulation tests, is the most cost-effective investment against this threat.

Ransomware: The Operational Continuity Threat

Ransomware has emerged as the most operationally disruptive cybersecurity threat for hotels. Ransomware encrypts hotel data — PMS records, financial files, email archives — and demands payment (typically in cryptocurrency) for decryption. Hotels that cannot access their PMS data may be unable to:

  • Look up existing reservations and guest history
  • Process new check-ins and check-outs
  • Post charges to folios
  • Issue key cards (if key encoding system is integrated with PMS)

The LODGIQ, 2023 MGM Resorts, and Caesars Entertainment incidents demonstrated that even major hospitality companies with significant IT resources are not immune to ransomware attacks.

Ransomware resilience measures:

  • Offline backups: Critical data (PMS database, financial records, network configurations) should be backed up to offline media (not accessible from the network during an attack) on at least a daily schedule. Test backup restoration quarterly.
  • Incident response plan: A documented playbook for ransomware events — who to call (legal counsel, cyber insurance provider, incident response firm, brand IT security, payment processor), what systems to isolate, how to continue operations manually — should exist before an incident occurs, not be developed under pressure.
  • Cyber insurance: Cyber liability insurance covers ransomware response costs, breach notification, regulatory fines, and business interruption losses. Review coverage annually; cyber insurance market terms change significantly year to year.
  • Tabletop exercises: Annual tabletop exercises simulating a ransomware event — working through the response steps with key management, department heads, and IT — build response muscle memory that pays dividends in an actual event.
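The backup item above makes two demands that are easy to state and easy to neglect: the copy must live on media the network cannot reach, and restoration must actually be tested. The script below is an added example, not code from the original article or any backup product. It archives a constructed set of critical files, records a SHA-256 digest for each, and then proves the archive by restoring it into scratch space and comparing every file against that manifest. The file names, the "offline_media" directory and the sample contents are constructed; in a real deployment the backup directory would be removable or air-gapped storage disconnected once the copy completes.

```python
"""Offline backup with an integrity manifest plus a scripted restore test.

Added example, not part of the original article. File names, directory
layout and contents are constructed for illustration.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """Streamed SHA-256 of a file, so large PMS dumps do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir, backup_dir, label):
    """Archive source_dir and write a manifest of per-file SHA-256 digests."""
    source_dir, backup_dir = Path(source_dir), Path(backup_dir)
    archive = backup_dir / f"{label}.tar.gz"
    manifest = backup_dir / f"{label}.manifest.json"
    digests = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source_dir).as_posix()
                digests[rel] = sha256_of(p)
                tar.add(str(p), arcname=rel)
    manifest.write_text(json.dumps(digests, indent=2, sort_keys=True))
    return archive, manifest


def verify_restore(archive, manifest):
    """Restore into scratch space and compare every file with the manifest.

    Returns (ok, problems). A backup that has never been restored is
    unproven; this is the quarterly restoration test, automated.
    """
    expected = json.loads(Path(manifest).read_text())
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive), "r:gz") as tar:
            # Use the 'data' extraction filter where the interpreter has it
            # (Python 3.12+ and backports) so a crafted archive cannot write
            # outside the scratch directory.
            opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **opts)
        restored = {
            p.relative_to(scratch).as_posix(): sha256_of(p)
            for p in Path(scratch).rglob("*") if p.is_file()
        }
    for rel, digest in expected.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"hash mismatch: {rel}")
    for rel in sorted(restored.keys() - expected.keys()):
        problems.append(f"unexpected file: {rel}")
    return not problems, problems


def run_demo():
    """Back up a constructed data set, prove it restores, then show that a
    copy whose contents drifted from the manifest is caught.
    Returns (clean_ok, altered_ok, problems)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "critical"
        (src / "network").mkdir(parents=True)
        (src / "pms_export.sql").write_text("-- constructed PMS dump\nINSERT ...;\n")
        (src / "network" / "switch01.cfg").write_text("vlan 30 name building\n")
        media = Path(tmp) / "offline_media"   # stands in for removable media
        media.mkdir()
        archive, manifest = create_backup(src, media, "2025-03-04-daily")
        clean_ok, _ = verify_restore(archive, manifest)
        # Simulate a copy that no longer matches what was recorded: the
        # source changed, a new archive was cut, but the old manifest is used.
        (src / "pms_export.sql").write_text("-- constructed PMS dump, silently altered\n")
        altered_archive, _ = create_backup(src, media, "altered")
        altered_ok, problems = verify_restore(altered_archive, manifest)
        return clean_ok, altered_ok, problems


if __name__ == "__main__":
    print(run_demo())
```

The manifest is the piece that turns "we have a backup" into "we have a backup we can trust": without per-file digests, a restore test only shows that the archive unpacks, not that its contents match what was on the server. Keeping the manifest alongside the archive on the offline media means the check can be run from the media alone during an incident, when the production network may be the thing under attack.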

Building System Specific Security

BAS and building controls: Work with your BAS vendor to understand the remote access model for your systems. Building control systems should not be accessible directly from the internet — remote management should require VPN with MFA. Review all cloud-connected BAS features with your vendor and disable any that aren’t actively used.

IP cameras: Change all default passwords. Segment IP cameras on their own network VLAN. Disable UPnP on cameras and routers (this protocol is a frequent source of unintended internet exposure). Keep camera firmware updated.

Access control systems: Physical access control systems that have web-based management interfaces require network security treatment equivalent to PMS platforms — they control who can physically access guest rooms.

EVSE networks: Internet-connected EV charging equipment may have web-accessible management portals. Verify these portals require strong authentication and are not internet-accessible without VPN. EVSE network providers should be asked about their security practices and patch cadence.

Frequently Asked Questions

Who is responsible for cybersecurity in a hotel — IT or facilities? Cybersecurity responsibility has traditionally sat with IT, but the convergence of building systems and IT networks requires shared ownership. Facility managers must understand cybersecurity requirements for the building systems they manage (BAS, access control, EVSE, CCTV) and work with IT to ensure these systems are appropriately secured. Neither IT nor facilities can effectively secure the converged environment independently.

What is the first thing a hotel should do if it suspects a ransomware attack? Immediately disconnect affected systems from the network (unplug network cables; disable WiFi on affected devices) to prevent spread to additional systems. Do not turn off systems — forensic investigation requires powered-on system state in many cases. Contact your cyber insurance carrier’s incident response line (their panel firms should be engaged before you engage outside consultants). Contact legal counsel. Do not pay any ransom without legal counsel review — ransomware payment is a complex legal question under current US Treasury guidance.

Do small hotels face the same cybersecurity threats as large chains? Yes — small hotels are targeted by opportunistic attackers who scan the internet for vulnerable systems regardless of property size. Small hotels often have weaker security controls than large chains (limited IT resources, older systems) and are less likely to have cyber insurance or incident response planning. The relative impact of a serious incident is also higher at a smaller property where business disruption directly threatens solvency. Size does not provide protection.

How can hotels that lack dedicated IT staff manage cybersecurity effectively? Managed Security Service Providers (MSSPs) offer outsourced security monitoring, patch management, and incident response at monthly subscription rates that are typically affordable compared to hiring in-house security staff. An MSSP with hospitality experience can provide 24/7 monitoring, regular patch management, and incident response capability for $500–$3,000/month for a mid-size hotel — a fraction of a dedicated security staff member. Brand-affiliated properties should also leverage brand IT security resources and guidelines.