Operators Weigh Options as Senate Moves toward New Data Security Rules

'Insecure databases are now low-hanging fruit for hackers,' -- Sen. Patrick Leahy

On July 28, 2005 politicians signaled a readiness to enact security breach and data safeguard laws and indicated new federal regulations could reach President Bush's desk by the end of the year. Bills from three different Congressional committees proposed during the last week of July share common points. These include requiring prompt notification when security breaches occur, awarding more regulatory power to the federal government, and setting minimum standards for data security.

Vermont Senator Patrick Leahy, a sponsor of the Personal Data Privacy and Security Act of 2005, said, “We are seeing a rise in organized rings that target personal data to sell in online virtual bazaars. Insecure databases are now the low-hanging fruit for hackers looking to steal identities and commit fraud.”

If passed, this legislation will impact every hotel operator in the United States. At the very least, hotel companies will be held responsible for maintaining and documenting mandated data security procedures to protect guest information from identity thieves. At most, it will mean a complete overhaul of all guest data storage, including hardcopy archiving and disposal, and the possible upgrading of all existing property management systems (PMS) and other technologies where guest information is stored. Executives at top hotel companies acknowledge their systems are regularly probed by hackers, but for security reasons most will not discuss details of penetration attempts or the risk of identity theft. The scope of this challenge can be summed up by one chain CIO who said, “Security is the primary technology problem in the industry today.”

As a result of the security breaches in other industries, a number of lawsuits have been filed against various entities. However, because only a few of these cases have made it to final adjudication, the extent of potential liability is still unclear. What is clear is that costs associated with legal defense, customer notification, crisis management and lost business could add up to millions of dollars per breach.

Leading systems companies gear up for compliance

Almost all hotel companies maintain extensive guest information databases, most often in their PMS guest history modules. These applications store guest credit card numbers and other personal contact records. Because most PMSes were designed before data theft was a primary concern, their information is rarely protected with more than simple one-word pass code access maintained by property managers. Further, when employees move on to other jobs their passwords often continue to be valid. Of equal concern is the widespread use by hotels of thinly-secured 24-hour Internet connections for receiving online bookings and updating room availability on travel sites. Both of these technologies may provide hackers with easy access to data. Forward-looking property management system providers aware of these threats are already working with clients to safeguard guest data with layered security, and encrypt Internet communications before likely federal mandates go into effect.

Maestro supports multi-layered security safeguards

Warren Dehan, NORTHWIND's president of US operations, said, “With identity theft growing significantly it is critical that properties protect guest data. Credit card information is the usual target of system hackers, but we are securing most guest data at multiple levels.” Dehan noted many instances where property employees have unnecessary access to guest data. “No one needs to see a credit card number after it is swiped. But with many front office systems almost any member of the front desk staff can run a report listing guest card numbers and other personal information. NORTHWIND's Maestro PMS has always supported three separate security thresholds to prevent unauthorized staff from gaining access to a property's system, and now because of ID theft legislation in California we are finalizing 64-bit encryption to protect credit card numbers and other guest information in our system so it cannot be viewed by staff or printed without management security approval.” This new data security technology lets property managers decide what information is accessible to its staff, and will use a random-generated key at each property so every hotel will have unique security protection to prevent cross-property data theft.

Online booking a possible open door for hackers, viruses

The public Internet is the fastest growing source of reservations for our industry, but it can also present an open door to data thieves and expose a property to liability if data is stolen. Many hotel companies use the Internet to communicate booking information and financial data between properties and third-party travel sites, but very few properties regularly update and test their virus protection and firewalls.

NORTHWIND's Dehan said, “Numerous hotels use Internet booking engines to drive online reservations; many of these systems maintain a full-time two-way connection between the hotel PMS and the Web that passes guest data to the property, and property data to the guest.” Dehan explained that the data a guest sees through their web browser should always go through SSL, a secured socket layer, identical to those used by banks and credit card companies. He emphasized that NORTHWIND protects its Maestro users from the threat of Internet viruses and hackers with the latest security technology. “For example,” Dehan continued, “Our ResEze booking engine uses 128-bit encryption for all data that passes between the property and the viewer. For data that flows between a user and the Maestro server we use military-grade 448-bit encryption that is extremely difficult to crack.” For added security the Maestro system does not store guest credit card numbers on its reservation server. “Even if a hacker was very aggressive and managed to break into our ResEze data server they would find no information of any value to them. This protects both our clients and their guests,” Dehan said.

With the popularity of remotely hosted ASP (application service provider) front office systems and other applications, more operators are running their entire PMS from off-site locations using high-speed Internet connections to access all functions from their properties. This type of system may also be susceptible to data theft and hacking. Warren Dehan explained, “With any ASP application security is particularly important. At all our Maestro ASP installations the connection between the property browser and the central hosting server is fully encrypted by SSL security so data flowing across the Internet is protected.” At the NORTHWIND ASP hosting site full credit card encryption and masking is also in place secured behind multiple firewalls.

Hotel data security checklist

With federal data security legislation pending and hotel company databases being probed regularly, it is imperative that operators review their data protection and security policies. Taking effective precautions to safeguard their systems can include the following:

  • Check all Internet firewalls to verify updates are current;
  • Ask your PMS vendor to discuss its guest data security and credit card masking precautions;
  • Review all functional system passwords and employee security levels;
  • Employ a security professional to test your systems security barriers for effectiveness;
  • If you are a systems professional who believes there is a potential security weakness at your property, notify management at once.

NORTHWIND's Warren Dehan concluded, “There is little consumers can do to prevent identity theft; the key is for operators to establish responsible information-handling practices. People need to realize that security must be taken seriously before they are compromised. If hotels do not use the tools at their disposal they may be liable for exposing their guest information to data thieves.”

At IHM&RS 2005 in New York City be sure to visit the NORTHWIND team at Booth # 3038 to discuss your security concerns with a Maestro professional and receive a full demonstration.


NORTHWIND, known in the hospitality industry for its service and state-of-the-art technology, is widely respected for providing hotels, private organizations, and corporate management companies with flexible software solutions.

Based in Markham, Ontario, Canada, with a network of dealers and offices worldwide, NORTHWIND is a leading supplier of software for all types of hospitality operations including hotels, resorts, timeshares, condominiums, seminaries, state parks, and clubs. Maestro applications are engineered for operators who need to manage their enterprise in a real time environment for the utmost operational control and profitability. Designed to maximize the efficiency of any size single hotel or multi-property enterprise, NORTHWIND's Maestro solution offers the most productive working environment, which includes the following suite of products: PMS, Sales & Catering, Club/Spa Management, Corporate Reservations Office, Multi-Property Management, Condo/Owner Management, Yield Management, POS & Online Table Res, GDS Connectivity and ResEze Internet Reservations. This comprehensive multi-platform (Windows 2000/XP, Unix/Linux, Terminal Server & Web Enabled) suite is recognized as the solution of choice for progressive and demanding organizations. NORTHWIND is a total solution provider that offers leading-edge technologies, and unparalleled training and support.


Audrey MacRae


60 Renfrew Drive, Suite #235

Markham, ON L3R 0E1

Phone: (905) 940-1923 ext - 246

1-888-NORTH88 (667-8488)

Fax: (905) 940-1925


Media Contact

Julie Squires

Softscribe Inc.

Phone: 404-256-5512


