Across Hyatt Hotels’ more than 1,300 resort and hotel properties, cybersecurity is a hidden amenity.
That’s according to Benjamin Vaughn, current CISO at the almost seven-decade-old global hospitality company, who told IT Brew that cybersecurity at the company’s properties has been described as oxygen in a room, unnoticed by guests unless it’s gone.
“I don’t ever want our guests to have to preoccupy themselves with a question about whether we are doing an adequate job of keeping them safe or not,” Vaughn said. “I want them to think about the wedding they’re about to attend.”
Disruptive guests. Vaughn told IT Brew the travel and hospitality industry is a prime target for threat actors due to the nature of information in its ecosystem.
“Criminals want to steal your points,” Vaughn said. “Other more advanced threat actors are interested in when you took a flight, so that travel data is more interesting.”
According to a recent 2024 Retail and Hospitality ISAC report, fraud, including compromised loyalty points, was the top shared threat trend in the ISAC community’s intelligence-sharing output in Q4 2024. Chris Pierson, founder and CEO of BlackCloak, told IT Brew that there is an active market for the stolen digital currency.
“There are entire dark web [and] deep web trading forums for hacked accounts…of individuals who have 100,000 hotel points,” Pierson said, adding that the virtual points can be exchanged for cash.
Under renovations. Vaughn told IT Brew that Hyatt has taken a number of precautions—some visible to guests and others more discreet—to prepare against the threat landscape, including making investments toward secure single sign-on for its World of Hyatt loyalty program in recent years.
“Over the last few years, we deployed, first, a mechanism that we call step-up authentication, or magic link sign in. So, instead of using a password to sign in, we send an email with a link to your email account on file,” Vaughn said. “Then, we integrated that process into all of the flows on our website for when you’re transferring points to another account or redeeming points for a hotel stay, just to add that additional security check.”
He added that the hotel chain has also made investments in passkeys, the industry’s poster child for secure password alternatives.
“We think of that as an excellent security initiative, because it makes life easier for our guests,” Vaughn said. “It protects our guests and it protects the company.”
The CISO also touted the hotel and resort company’s bug bounty program, which made its debut in 2019, as another security win. Vaughn told IT Brew that Hyatt was the first global hospitality company to roll out such a monetary reward program.
“We paid out something like $800,000 in the last eight years to security researchers in exchange for the security submissions that they’ve given to us,” he said, adding that the average bounty payout is around $700, meaning discovered bugs are of low or medium severity.
Beyond secure sign-in options and the company’s bug bounty program, Vaughn told IT Brew that Hyatt ensures that staff of all levels and job functions have a proper level of security awareness to mitigate potential cyber risks.
“Threat actors often do not know the difference between a housekeeper and a general manager. All they see is an email address,” Vaughn said. “So, we think it is imperative that everybody at the company get the same training, no exceptions.”