Accommodation and Food Services (NAICS 72)

Please provide the information below to view the online Verizon Data Breach Investigations Report.

The information provided will be used in accordance with our terms set out in our Privacy Notice. Please confirm you have read and understood this Notice.

By submitting the form, you are agreeing to receive insights, reports and other information from Verizon and affiliated companies in accordance with our Privacy Policy. California residents can view our California Privacy Notice.

Verizon may wish to contact you in the future concerning its products and/or services. If you would like to receive these communications from Verizon, indicate by selecting from the dropdown menu below. Please note that you can unsubscribe or update your preferences at any time.

Indicates a required field. The content access link will be emailed to you.

View only

Thank You.

Thank you.

You will soon receive an email with a link to confirm your access, or follow the link below.

Download this document

Thank you.

You may now close this message and continue to your article.

Frequency

 

254 incidents, 68 with confirmed data disclosure

Top patterns

 

System Intrusion, Basic Web Application Attacks and Social Engineering represent 90% of breaches

Threat actors

 

External (93%), Internal (9%), Multiple (1%) (breaches)

Actor motives

 

Financial (100%) (breaches)

Data compromised

 

Payment (41%), Credentials (38%), Personal (34%), Other (26%) (breaches)

What is the same?

 

We are seeing the same three attack patterns hitting this sector as we did last year—but the order has changed. External actors continue to target this industry because of the lucrative data the members hold.

Summary

 

Payment card data continues to be the top target for Data types in this sector, unsurprisingly. The use of RAM scrapers continues to be a favorite tool of the Financially motivated attackers that regularly plague this sector.

I’ll just scrape that off. 

System Intrusion is top pattern in this sector for the second year running. Included in this pattern, among other things, is a collection of various types of malware. Approximately one-third of cases involved the use of Ransomware, and much of the remainder consisted of RAM scrapers. In fact, RAM scrapers targeting the point of sale (PoS) is the favorite combo in this sector, which likely comes as no surprise to those trying to maintain their defense. 

Payment card data was targeted 41% of the time, which is the same percentage we saw last year, but since Credentials and Personal data fell as percentage of the whole, they have taken a back seat to credit cards. Along with the increased focus on the data type of Payment cards comes the motivation of Financial. Last year, we saw the Espionage motive in 9% of the breaches, but this year, it is all Financial all the time.48

Give a person a phish and you feed them for a day!

Social continues to have a considerable presence in this sector. While Phishing and Pretexting (the main difference between them is how hard the adversary must work to make it happen) are the main social engineering concerns in Accommodation, they are too close to call for the top spot. Most of these social attacks are coming in via email, so make sure it is easy for your employees to report any questionable attempt quickly. There is nothing like having your employees be your first line of defense— they are certainly already on the front line of targets.

48 Honestly, what isn’t though?

Let's get started.