As the summer travel season approaches, travelers worldwide are busy booking their holidays, entrusting the hospitality industry with some of their most sensitive personal and financial information. Unfortunately, this makes the sector a prime target for threat actors looking to exploit and steal this data.
In the 2025 Trustwave Risk Radar Report: Hospitality Sector, Trustwave SpiderLabs looked at the security weak spots threat actors attack, the impact of seasonal workers on physical and cybersecurity, online booking platforms, and even the role guests play in making these organizations vulnerable.
This comprehensive report builds on previous findings to provide the latest insights and strategies to enhance data security.
Key Findings and Trends
The most prominent threats to this industry continue to be ransomware, phishing, and the exploitation of a facility’s Internet of Things (IoT) infrastructure.
In April 2025 alone, Trustwave SpiderLabs found a total of 95,040 vulnerabilities, with 3,884 unique CVEs, associated with hospitality companies. Among these were 14,318 critical vulnerabilities and 1,521 vulnerabilities listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Based on metrics from Trustwave’s customer base, 61.5% of initial access attempts exploit this type of publicly exposed service.
Of note, the Simple Network Management Protocol (SNMP) was found to be exposed twice as much as the next highest publicly exposed service. This makes sense: SNMP can be a goldmine for hackers because vulnerabilities and misconfigurations are often plentiful in these environments.
The number of vulnerabilities found and threat groups' ability to take advantage of them are a strong indicator that the hospitality sector urgently needs to maintain a high level of cyber hygiene to remain safe.
Attacking Travel Booking Sites
SpiderLabs pointed out a few threats, primarily affecting the hospitality space, that stem from the infiltration and exploitation of online booking sites.
SpiderLabs found a great deal of criminal collaboration taking place in underground forums, Telegram groups, and private marketplaces, where cybercriminals trade access and share guides on how to exploit major booking platforms.
Hackers also use these platforms to share detailed tutorials on the basic skills needed to utilize these sites for criminal activity, such as how to insert stolen credit card data into active bookings, bypass verification checks, and avoid detection.
Adversaries can then use this information to support another illegal activity: dark web travel agencies.
Here, malicious operators sell heavily discounted travel packages, often exploiting compromised booking platforms and stolen payment data, in an underground ecosystem that mimics popular online booking sites. This activity has been taking place since 2018.
To help deter criminals and those willing to use stolen information for their own travel, hospitality organizations must, either on their own or through a partner, monitor dark web and underground forums for “chatter” about their brand. Any advance information can help mitigate this problem and alert the hospitality organization to potential issues with its booking portal.
General Actionable Recommendations
As always, Trustwave SpiderLabs has actionable recommendations that any organization can implement, some even without the need for a security partner, to help deter or mitigate the impact of a cyberattack.
These include:
- Enhanced Patch Management: Regular updates to critical systems to mitigate known vulnerabilities.
- Improved Access Controls: Enforcing multi-factor authentication (MFA) and least-privilege policies.
- Staff Training and Awareness: Continuous cybersecurity education, especially for seasonal workers.
- Employ Network and Host-Based Auditing: Auditing can provide an early warning of a compromise and an important trail for incident responders if one occurs.
Hospitality organizations are often at the very end of an amalgamation of dozens, if not hundreds, of suppliers, all of which themselves could be vulnerable. Because an attacker who gains access to a third-party vendor can impact others in the supply chain, SpiderLabs recommends that organizations:
- Conduct risk assessments on vendors and service providers, especially those with access to guest data or core infrastructure.
- Include cybersecurity obligations in all vendor contracts, such as notification timelines and incident handling procedures.
- Monitor for dark web leaks involving suppliers and take immediate steps if credentials or data are exposed.
Finally, if an incident occurs, organizations must have a detailed and well-practiced business continuity plan, and their data must be encrypted in an offline facility.
By adopting these strategies, hospitality businesses can better navigate the evolving cyber threat landscape, safeguarding both their operations and the trust of their guests.