The Inhospitable Nature of Privacy

July 19, 2016 Avani Desai

Originally published at

Those who travel, whether for business or pleasure, do so in the welcoming arms of the hospitality industry. The hospitality industry is massive. According to industry analysts STR Global, the U.S. hotel industry has around 54,000 properties, with a real estate value of $725 billion and room revenue in 2014 equating to around $132 billion. Collectively, the industry is a mega-business, and this mega-business is built upon the need for comfortable rooms, at a reasonable price, in a needed location. As with most service organizations, when consumers check into a hotel, they share information about themselves and place their trust and confidence in the industry.

The hospitality industry inherits significant amounts of information about the consumer. The most obvious is the financial detail needed to pay for services, along with personally identifiable information (PII) such as name, address, phone number, and place of employment, collected during the check-in process. However, in tandem with financial information and PII, hotels may also know highly personal things. For instance, many consumers staying in a hotel, or using hotel amenities, will likely use the extended offerings. This may be to watch a movie in the room, have a drink or two in the hotel bar, let the kids play in the kids club, use the free Wi-Fi, park in the garage or order room service. In international hotels, the consumer will also have to provide passport information. In aggregate, hotels now manage and maintain a significant amount of personal information, from viewing trends and eating habits to healthcare data, children’s information and even IP addresses.

And there’s more.

As well as the personal details mentioned above, there is the hidden metadata about a consumer's stay. For example, door entry systems in hotels are fully auditable; some even use fingerprint biometrics or a personal phone for accessing not only the room but also other hotel services such as spas and towel rentals. This allows a hotel to have a record of a person’s movements through the facility.

And this doesn't even cover the extended hospitality industry. The new vogue of the sharing economy has opened up new channels for hospitality. Providers, like Uber and Airbnb, require the consumer to release a plethora of personal information (driver’s license, family information), as well as personal financial data (salary, credit card information) that is housed in the application to use and reuse the service. Yes, the hospitality industry knows a lot about us.

Welcome To The Hotel California

With this personal information under the guardianship of the hospitality industry, consumers need to trust the industry to safeguard that information and protect it from cybercriminals and misuse.

Hyatt Hotels had a recent breach affecting 250 of its hotels. This breach was aimed at stealing financial data, specifically credit card information. The breach was a point-of-sale attack. It was discovered in the middle of last year and publicly disclosed on Dec. 23, 2015. Hotels are becoming a target for cybercriminals because of the significant amount of personal data they hold. Most of the major chain hotels have been targeted in the last few years, including Trump Hotel Collection, Starwood Hotels and Hilton.

It’s not just hotels that are feeling the pressure of losing consumer information; it extends to the rest of the hospitality industry. Airbnb has revolutionized the industry by connecting people to rooms in a simple and cost-efficient way. Consumers simply sign into the Airbnb app, find a room, and book it. Almost anyone can place a room for rent using the app, and almost anyone can apply to rent it. The problem with this model is that Airbnb has to balance individual safety with the privacy of PII, which is difficult to get right. However, some of Airbnb’s privacy policy clauses leave much to be desired. For example, they state: “If Airbnb undertakes or is involved in any merger, acquisition, reorganization, sale of assets or bankruptcy or insolvency event, then we may sell, transfer or share some or all of our assets, including your personal information… and becomes subject to a different privacy policy.”

With regard to protecting private information, they state that: “…we cannot guarantee the absolute security of your transmissions to us and of your personal information that we store.”


The arrival of the Airbnb Verified ID system has also thrown a spanner into the privacy works of Airbnb. This system was introduced as a way to enhance the safety of Airbnb users by validating that they are who they say they are. The system requires offline documentation, such as a passport or other photo ID, to be uploaded directly to the system. Several people find this an excessive amount of identification to hand over to book a room. The fact that this is performed across the Web, and under privacy policies which expressly state that your data may well fall under the remit of a privacy policy you didn’t originally sign up for, is just too risky for some consumers.

Now, add in that the individuals who rent their rooms could install hidden cameras to record your entire stay, listen in on your conversations, and log, as well as monitor, traffic across the Wi-Fi they provide. How much of your privacy, both digital and physical, is at risk in the personal residences of others?

It's All About Trust

Good hospitality must be based on trust. Consumers of hospitality services need to provide personal details, financial data, and biometrics within a secure environment that respects privacy. The hospitality industry is in quite a unique position. It holds a wide-angle view of information about the consumer, from financial to personal, to biometric and beyond. Some of the information may be a snapshot in time, but nonetheless, it could have far-reaching repercussions on personal and corporate privacy. The hospitality industry must not only ensure that cybercriminals are prevented from stealing our information, but also respect the often very personal information it holds about its guests.

Consumers and good corporate citizens need to take notice of both good and bad practices when staying at hotels, ask questions about how data is handled, and assess risk as best they can to help ensure the safety and security of personal and company information, as well as overall well-being. Consumers must be diligent and pay close attention to what’s happening. While the likelihood is low that a hospitality professional would compromise consumer safety and security, just like in every other industry, bad apples exist. Yes, it’s certainly about trust, yet with trust comes verification. Consumers can be the front line of defense against the misuse of information. Staying vigilant may mean the difference between a wonderful business trip or vacation and a nightmare of paperwork and clean-up of one’s credit or the company’s reputation.

About the Author

Avani Desai

Avani Desai is the President at Schellman. Avani has more than 15 years of experience in IT attestation, risk management, compliance and privacy. Avani’s primary focus is on emerging healthcare issues and privacy concerns for organizations. Named as one of the 2017 Global Leaders in Consulting by Consulting Magazine, she has also been featured and published in the ISSA Journal, ITSP Magazine, ISACA Journal, Information Security Buzz, Healthcare Tech Outlook, and many more. Avani also sits on the board of Catalist, a not-for-profit that empowers women by supporting the creation, development and expansion of collective giving through informed grantmaking. In addition, she is co-chair of 100 Women Strong, a female-only venture philanthropic fund to solve problems related to women and children in the community.
