The rooms might be clean, but is your hotel’s guest identity software?

February 17, 2020
Louisa Bartoszek

In the first of our new Hotels thought leadership series, Louisa Bartoszek discusses how hotels have become custodians of our digital identities and why they urgently need to stop centralising their data.

It’s that time of year where many of us, bored of the grey and cold winter days, start to plan our next summer escape. Our next gloriously sunny vacation.

When choosing a hotel, most of us book online and like to check travel review sites to see what guests thought of their stay.

What were the amenities really like? Were the staff helpful? Were the rooms clean?

Your check list of hotel ‘must haves’ probably does not include checking how a hotel stores its customers data, and asking, is the hotel’s technology ‘clean’ or, is my identity safe if I stay there…?

We take all this for granted and care more about the quality of the breakfast on offer.

But perhaps it’s time we did care. Let me explain.

Hotels have become Custodians of our Identities.

Delivering an outstanding ‘guest experience’ is at the heart of every successful hotelier’s business strategy.

This is because converting guests into returning visitors and, even better, hotel ‘brand’ ambassadors, increases their lifetime value.

And as with any business, the price premium of getting it right is both real and big.

People are willing to pay more for a service or experience they value.

To deliver the ultimate guest experience today, hotels need more than exceptional accommodation, food and customer service.

They need to understand their guests better than we arguably know ourselves.

A lot of customer-focussed hotels at check-in ask us to share insights into our personal preferences, from the type of food we like, to entertainment or amenities the hotel may offer.

This is in addition to the usual mandatory personal information such as our full name, date of birth, address, mobile phone, passport/identity card and, often, payment details.

Increasingly, all this information is requested in advance online as a way of speeding up the physical check-in process. Reducing queue times, paperwork and front-of-house staffing costs.

And at check-out, hotels can continue to collect personal information under the guise of how to improve their services for your next visit.

I’m fully supportive of this approach as a means of enhancing the guest experience.

But – there is a consequence, or should I say a responsibility, attached to this information gathering exercise.

By requesting, processing and storing large quantities of sensitive and personally identifiable information, hotels, similar to banks, have become custodians of our identities.

Information is data. Our digital DNA. And, as the world is slowly realising, our digital DNA is becoming more valuable than gold. To those who know it’s true worth.

And hackers want to get their hands on it making hotels a prime target for cyber criminals.

Marriott’s ‘Mega-Hack’

Just about all the major hotel chains have reported breaches, from Hilton Worldwide to Intercontinental Hotels Group and Hyatt Hotels.

It’s little over a year since the reported ‘mega-hack’ of international hotel chain Marriott International (through its acquisition of Starwood Hotels in 2016) came to light after hackers stole the records of 339 million guests including names, passport numbers, addresses, dates of birth, gender; to name just a few.

A large quantity of the breached data was encrypted. However, the amount of unencrypted data (including passport data) made this a significant breach despite the fact that most of the payment card and passport information was properly protected.

As a consequence, in July 2019, the UK Information Commissioner’s Office (ICO) announced its intention to fine Marriott almost £100 million for the data breach, in accordance with rules set out in the European Union’s General Data Protection Regulation (GDPR).

And this could be the tip of the iceberg. Reading Marriott’s 2018 Annual Report, the financial ramifications of what the company describes as its ‘Data Security Incident’ is yet to be fully felt given its global impact.

Hotel technology is often out-of-date and vulnerable

The Marriott’s unfortunate incident is not unique. It serves as a warning to hotels worldwide.

This could happen to any hotel, at any time.

Particularly those who have under-invested in their technology infrastructure, not realising the extent of the risks this causes.

Hotels generally store their data in a centralised way, meaning that all customer data is stored in one or two data centres.

This makes these data centres a ‘honeypot’ for hackers, who once they penetrate the security layer, have access to every piece of customer data.

Many hotels operate on slim margins and as a result, there can be a tendency to spend money on things guests can see, such as new carpets, televisions or furniture.

Rather than what they can’t. Because as of today, who chooses their hotel based on its chosen Property Management System (PMS)?

This might change sooner than hoteliers realise.

A cyber-attack or data breach can result in a combination of financial and reputational damage with long-term difficult-to-recover-from consequences.

Hotels need to stop centralising their data

As is the case in most industries today, a failure to keep pace with developments in technology could severely impair a company’s operations or competitive position.

There is, however, a way in which hotels can use emerging technology to better protect identifiable guest data, whilst simultaneously and seamlessly personalising the guest experience from pre to post-stay.

The hotel industry needs to evolve its operational architecture and transition from legacy data management systems to more decentralised data management systems.

Guest data should not at all times be stored in a centralised honeypot on a hotel’s servers, but should mostly be stored on, for example, a guest’s phone or in, what is known as, a decentralised identity hub.

With newly emergent Self-Sovereign Identity (SSI) technology, hotel guests can store verified identity data about themselves on their mobile devices which can be pulled by a hotel at the time of booking.

This verified information can be paired with other exciting innovations in Artificial Intelligence (AI) and the Internet of Things (IoT) to enhance the overall guest experience – but in a safe and trusted way.

SSI is simply a must-have for hotels because it greatly reduces the size of the honeypot which hackers can access, but also improves the accuracy of data which a hotel holds on its guests.

The challenge is, so few hotels have begun investing in this technology or have even heard of it.

It’s not as expensive as hotel owners probably think either.

Or to put it another way, the financial risks of a data breach far outweigh investing in blockchain infrastructure.

Notwithstanding the additional benefits blockchain can bring to a hotel in terms of speed, operational cost savings and, something we’ll explore in our upcoming hotels thought leadership series, open brand-new lucrative revenue streams.

The world is changing, and the way hotels connect with and serve their guests needs to change too.

As does understanding that guest safety today means much more than just during their physical stay.