Hotel cyber risk is heating up this summer.
66% of hotel IT and security executives expect a rise in attack frequency and 50% an increase in severity during the summer 2025 travel season, according to new research released today by VikingCloud. During summer 2024, 82% of North American hotels were hit with a successful cyberattack, and 58% of hotels were targeted by five or more attacks.
For summer 2025, the threat landscape is evolving with AI-powered attacks that many hotels aren’t prepared to handle. In fact, 48% of hotel IT and security executives aren’t confident in their staff’s ability to reliably identify and respond to sophisticated AI-driven cyberattacks and deepfakes. Alarmingly, 22% admitted cybercriminals outpace their teams.
Guest-facing technology is most vulnerable to attack, including payment systems and point of sale (POS) technology (72%), guest Wi-Fi (56%), and front desk systems (34%). Top attack methods that could impact hotel operations this summer include data breaches exposing payment details, passports, loyalty accounts, or other sensitive guest PII (46%); phishing attacks (40%); and guest Wi-Fi network compromise or misuse (38%).
“Peak travel season is here, and it’s also the busy season for cybercriminals,” said Kevin Pierce, Chief Product Officer at VikingCloud. “Hotels are a prime target given the surge in guest transactions, reliance on interconnected systems, and vast amounts of sensitive data. Last summer, 44% of hotels experienced more than 12 hours of downtime due to an attack. The financial and reputational impact from downtime can last long after summer ends, which makes understanding your cyber vulnerabilities and closing preparedness gaps essential.”
VikingCloud’s research, Peak Season, Peak Risk: The 2025 State of Hospitality Cyber Report, is based on a quantitative survey of hotel IT and security leaders across North America and uncovered:
-
Payment systems are at risk: Specifically, 34% are worried about POS system attacks disrupting in-person transactions, and 32% say a significant increase in credit card transactions will increase their cybersecurity risk during the busy travel season.
-
Cyberattack fallout could be devastating: Reputational damage from negative reviews (66%), financial losses (46%), lawsuits (42%), lower occupancy (32%), and higher insurance premiums (30%) were cited as the most likely business impacts. 12% said an attack could lead to hotel closure.
-
Third parties and legacy tech pose major risks: 42% of hotel IT and security executives say weaknesses in third-party systems like payment processors and booking platforms increase their cybersecurity risk this summer. 40% say the same for outdated technology.
-
Talent, skills, and training gaps undermine hotels’ defenses: 26% report limited in-house cybersecurity expertise, and 16% struggle to fill job vacancies. Temporary staff add to the challenge—26% say an influx of seasonal employees unfamiliar with cyber policies and best practices increases risk.
Cyber Defenses Lag Behind Growing Threats
Despite 4 in 10 executives saying that 16-25% of their total IT budget is devoted to cybersecurity, hotel defenses are struggling to keep pace with today’s threats.
While most hotels are investing in basic protections like next-gen antivirus, anti-malware, and anti-spam (72%), firewalls (70%), and VPNs (66%), fewer than half have deployed advanced defenses like vulnerability scanning, automated data backups, or integrated ransomware protection. Adoption is even lower for dark web monitoring (26%) and penetration testing (28%). 30% still don’t have plans to outsource to a managed security service provider (MSSP).
“Cyberattacks can shutter hotel operations, erode guest confidence, and drain revenue during the busiest time of year. Going beyond the basics is critical to survival in today’s threat landscape,” added Pierce.
To read the full report, visit www.vikingcloud.com/resources/peak-season-peak-risk-the-2025-state-of-hospitality-cyber-report.
