Hotel cyber risk is heating up this summer, as 66% of hotel IT and security executives expect a rise in attack frequency and 50% an increase in severity during the summer travel season, according to new research from VikingCloud.
During the summer of 2024, 82% of North American hotels were affected by a successful cyberattack, and 58% of hotels were targeted by five or more attacks.
For this summer, the threat landscape is evolving with AI-powered attacks that many hotels aren’t prepared to handle. In fact, 48% of hotel IT and security executives aren’t confident in their staff’s ability to reliably identify and respond to sophisticated AI-driven cyberattacks and deepfakes, while 22% admitted cybercriminals outpace their teams.
Guest-facing technology is most vulnerable to attack, including payment systems and point-of-sale (POS) technology (72%), guest WiFi (56%) and front desk systems (34%). Top attack methods that could impact hotel operations this summer include data breaches exposing payment details, passports, loyalty accounts or other sensitive guest personally Identifiable information(46%), phishing attacks (40%) and guest WiFi network compromise or misuse (38%).
“Peak travel season is here, and it’s also the busy season for cybercriminals,” said Kevin Pierce, chief product officer, VikingCloud. “Hotels are a prime target given the surge in guest transactions, reliance on interconnected systems and vast amounts of sensitive data. Last summer, 44% of hotels experienced more than 12 hours of downtime due to an attack. The financial and reputational impact from downtime can last long after summer ends, which makes understanding your cyber vulnerabilities and closing preparedness gaps essential.”
VikingCloud’s research, “Peak Season, Peak Risk: The 2025 State of Hospitality Cyber Report,” is based on a quantitative survey of hotel IT and security leaders across North America and uncovered:
- Payment systems are at risk: Specifically, 34% are worried about POS system attacks disrupting in-person transactions, and 32% say a significant increase in credit card transactions will increase their cybersecurity risk during the busy travel season.
- Cyberattack fallout could be devastating: Reputational damage from negative reviews (66%), financial losses (46%), lawsuits (42%), lower occupancy (32%) and higher insurance premiums (30%) were cited as the most likely business impacts, and 12% said an attack could lead to hotel closure.
- Third-party and legacy tech pose major risks: 42% of hotel IT and security executives say weaknesses in third-party systems like payment processors and booking platforms increase their cybersecurity risk this summer, while 40% say the same for outdated technology.
- Talent, skills and training gaps undermine hotels’ defenses: 26% report limited in-house cybersecurity expertise, and 16% struggle to fill job vacancies. Temporary staff add to the challenge—26% say an influx of seasonal employees unfamiliar with cyber policies and best practices increases risk.
Despite four in 10 executives saying that 16-25% of their total IT budget is devoted to cybersecurity, hotel defenses are struggling to keep pace with today’s threats.
While most hotels are investing in basic protections, such as next-gen antivirus, anti-malware and anti-spam (72%), firewalls (70%) and VPNs (66%), fewer than half have deployed advanced defenses, including vulnerability scanning, automated data backups or integrated ransomware protection. Adoption is even lower for dark web monitoring (26%) and penetration testing (28%). 30% still don’t have plans to outsource to a managed security service provider (MSSP).
“Cyberattacks can shutter hotel operations, erode guest confidence and drain revenue during the busiest time of year,” added Pierce. “Going beyond the basics is critical to survival in today’s threat landscape.”