Cybersecurity is probably not high on your list. For any hotelier it should be.
It is a good idea to get hold of a local expert. In the latest episode of Matt Talks, Mews CEO Matt Welle sat down with Josh Edwards from Penta Hotels to discuss one of the most overlooked, high-impact areas in hospitality operations: keeping your systems – and your guests’ data – safe.
Penta only realized the vulnerability of hotels in 2021 after a full-scale ransomware assault. The result was a complete change in their security approach. Their story is a cautionary tale – but also a roadmap.
The Day All Went Dark
Josh was expecting his son to arrive on October 7, 2020. It was going to be a great day. He received the call all IT managers dread while in the hospital cradling his new baby. Penta had been hacked. All systems were down. Phones started ringing. Hardware was destroyed. The doors had to be closed.
The culprit? Hackers gained access to the entire on-premises infrastructure via a single compromised login. The network was an old MPLS network. The attackers then moved freely, disabling antivirus software and deploying ransomware across multiple countries and properties.
Chaos reigned.
Rebuilding with Security as the Core
Penta’s reaction was prompt and thorough. They didn’t simply patch the holes; they rebuilt their entire IT infrastructure.
With the help of a new external partner and a shift from general IT to expertise in digital security, Penta developed a security framework based on 6 key pillars. Protect, prevent, detect and respond. Each is supported by detailed controls and processes that govern the entire tech ecosystem.
Making Security Practical
How does it look in action? Here are some examples.
- IP restrictions: If an employee from Germany attempts to log in from Canada, the account will be blocked pending verification of their location.
- Real-time monitoring: A third-party security provider tracks every user and device across the network, shutting down threats instantly – sometimes multiple times a day.
- Phishing simulations: Penta tests its employees regularly with fake phishing emails to increase awareness and reduce risky clicks.
- Passkey authentication: Post-it notes have been replaced by biometric logins and password managers.
Yes, there is a cultural shift. Frontline staff often find security measures such as two-factor authentication inconvenient. Josh said that you would only understand why security measures are necessary if they were seen behind closed doors.
Learning Without a Crisis
Penta was not the first hotel to have a dramatic wake-up call. Josh thinks that all teams should consider what they would do if their access to systems was lost tomorrow.
How would guests be checked in? What would you do? What reports do you need? If the answer is, ‘We don’t know,’ then you’ve got a problem.
Cybersecurity does not need to be theoretical or dry. It can start with role play: three hours until total system shutdown – what do you do?
Cloud vs. On-Prem – The Debate Is Over
Penta has made a number of changes, including moving away from the on-premises system. Physical servers require hotels to take full responsibility for maintenance, compliance and security. Cloud-based system providers, like Microsoft Azure, have world-class security built in.
Even today, some hold onto the false belief that knowing where their server is – in a back room or a basement somewhere onsite – provides some measure of reassurance. The truth is that criminals will be able to find it if they know you have it. In today’s climate, that’s not peace of mind – it’s a risk.
What’s next for secure hospitality?
Security is not limited to firewalls and strong passwords. Penta is now focused on implementing SSO, scaling biometric access and reducing the number of systems that employees must log into.
Leadership buy-in is crucial. Penta’s leadership was involved. Cybersecurity was made a priority by the senior executives and head of digital. Cost was not an excuse. Josh says, “You cannot put a cost on protecting guests’ data.”
A wake-up call for the industry
Hotel cyberattacks are on the rise, from phishing emails to spoofed pages that steal credentials. The reality is that you’re only as good as your weakest link.
Josh’s story serves as a reminder to all that cybersecurity is not just an IT issue. It is a top priority. It impacts every guest, team member and property.
It’s about time that the industry did.