by Patrick Clark June 26, 2019, 6:00 AM EDT

Back doors to your personal data can be found in everything from smart fish tanks to Wi-Fi pineapples.

Three men dressed for business travel in jeans and dress shirts loaded backpacks into the trunk of a black coupe and wound their way through the center of a major European city. When they arrived at their hotel, they unloaded their luggage and waited giddily to pass through the revolving doors. They were checking into the hotel to hack it.

Hackers target financial institutions because that’s where the money is, and they target retail chains because that’s where people spend the money. Hotels might be a less obvious target, but they’re hacked almost as often because of the valuable data that passes through them, like credit cards and trade secrets. Thieves have targeted electronic door locks to burgle rooms and used malware attacks to log credit card swipes in real time. They’ve even used Wi-Fi to hijack hotels’ internal networks in search of corporate data. Just about all of the industry’s major players have reported breaches, including Hilton Worldwide HoldingsInterContinental Hotels Group, and Hyatt Hotels.

The group’s leader checked in at the front desk. One of his associates strolled along the length of the reception area, noting that the property used an outdated point-of-sale system, and another used a mobile app called Fing to scan for hidden networks. While they waited for the staff to finish preparing their room, the hackers took coffee on a terrace. They opened up the published code for the hotel website and exploited an outdated plug-in to compile a list of admin names.

Ultimately they were looking for a door. Sure, they could slip a thumb drive into the neglected register at the far end of the restaurant bar and log credit card numbers until somebody noticed the device. But they would rather find a way into the property management system, or PMS, which hotels use to take reservations, issue room keys, and store credit card data.

Better still would be to do what they did at a hotel in New York City. After plugging the internet cable from the room’s smart TV into a laptop, they got into the hotel’s PMS, which led to the chain’s corporate system. Emails Bloomberg Businessweek viewed show they gained access to credit card information for years’ worth of transactions across dozens of hotels.

If they had been crooks, the team would have sold the information on the black market, where a Visa with a high limit can go for about $20. These hackers, however, were good guys: IT consultants who were frustrated with their hospitality clients’ lax approach to security. To demonstrate the industry’s weaknesses, their leader arranged for a reporter to tag along on an audit of one of his clients’ hotels. The conditions: The hackers wouldn’t break into the personal devices of hotel guests, and neither the hotel, the city, nor the hackers could be named.

Once they got to their room, the hackers concentrated on finding the hotel’s internal network—the one used by staff, not the one guests use to stream pornography and FaceTime their families. In one famous example, hackers breached the internet-connected fish tank in the lobby of a Las Vegas casino and used that exploit to find a database of high rollers on the property’s internal network.

But this room was an older make, with a dumb TV, old phones, and a standard minibar, equipped with Heineken and Toblerone but no internet. Then one of the hackers started rooting around in the window frame. Nestled in a top corner was an internet port, designed to let guests open and close the curtains by remote control.

“This will be the way in,” the leader said.

How much of the responsibility for guarding electronic transmissions lies with hotels and how much with guests is “a nasty philosophical question,” says Mike Wilkinson, global director at Trustwave SpiderLabs. Mark Orlando, chief technology officer for cybersecurity at Raytheon IIS, advises corporate clients to avoid using personal devices altogether while on the road. That could mean requesting a loaner laptop or buying a burner phone. Even ordinary travelers should use virtual private networks to connect to the internet when outside the U.S., he says.

But no amount of personal digital security could have saved travelers from the massive attack Marriott International Inc. discovered last year. In early September 2018, an automated security tool flagged a suspicious query in the reservation database for Starwood Hotels & Resorts Worldwide Inc., a company Marriott had acquired two years earlier. In the weeks that followed, security investigators discovered a remote access trojan (RAT), software that lets hackers take control of a target computer, as well as another piece of malware that scours computer memory for usernames and passwords.

Clues left behind by the digital trespassers suggest they made off with as many as 383 million guest records, as well as more than 5 million unencrypted passport numbers and more than 9 million encrypted payment cards. Marriott hasn’t found any evidence of customer data showing up on dark-web marketplaces, CEO Arne Sorenson told a Senate committee hearing in March. That sounds like good news but may actually be bad. The lack of commercial intent indicated to security experts that the hack was carried out by a government, which might use the data to extrapolate information about politicians, intelligence assets, and business leaders.

“From an intelligence standpoint, there are some real advantages to understanding where high-profile people are going to be ahead of time,” says Gates Marshall, director of cyber services at CompliancePoint Inc., whose consulting clients include airports. “There’s a market for travel itineraries. It’s not a commercial market, it’s more of a geopolitical one.”

Sorenson has said he doesn’t know who’s responsible for the attack—and likely never will. Others have been more willing to point the finger, including U.S. Secretary of State Mike Pompeo, who attributed the hack to China in an interview with Fox & Friends in December.

Hospitality companies long saw technology as antithetical to the human touch that represented good service. The industry’s admirable habit of promoting from the bottom up means it’s not uncommon to find IT executives who started their careers toting luggage. Former bellboys might understand how a hotel works better than a software engineer, but that doesn’t mean they understand network architecture.

There’s also a structural issue. Companies such as Marriott and Hilton are responsible for securing brand-wide databases that store reservations and loyalty program information. But the task of protecting the electronic locks or guest Wi-Fi at an individual property falls on the investors who own the hotels. Many of them operate on thin margins and would rather spend money on things their customers actually see, such as new carpeting or state-of-the-art televisions.

The result is a messy technological ecosystem that runs on old software. Many hotels use Opera, sold by Oracle Corp., as their PMS. A common version was designed for a legacy Windows operating system, and directs users to disable security features to make the software work. An instruction manual for the software starts with a step-by-step guide on how to lower your defenses: First, turn off data execution prevention, a feature that protects system memory from malicious code. Next, deactivate user account control, making it easier for hackers to gain administrator privileges. Finally, disable Windows Firewall. Now you’re ready to book reservations and take credit card payments. (Oracle’s security guide advises users to “harden” their operating systems after installation.)

Even worse, many hotels put their PMS online, letting hackers break in from thousands of miles away. Joshua Motta, CEO of cyber insurer Coalition Inc., ran a search of the admin page used to support Opera online and found 1,300 instances of the application running on the public internet, from Newfoundland to the Maldives. “All of a sudden your system is only as secure as a username and password,” Motta says, “which hackers have repeatedly shown isn’t terribly effective.” “Customers are encouraged to upgrade their systems and software to the most recent version to provide the highest level of security measures available,” says Oracle spokeswoman Deborah Hellinger.

While hotels are struggling with basic cybersecurity, they’re building massive databases of personal behavior. One of the ironies of the Marriott breach is that the company acquired Starwood because Sorenson thought adding its popular loyalty program and fancy hotels would give him a moat against digital middlemen, who seek to collect fees for helping travelers find hotel rooms. Marriott’s new heft would give customers more incentive to book directly with the company, cutting out Expedia, Booking.com, and other online travel agencies, as well as advertising giants Google and Facebook.

At some properties, hotel brands are already collecting data on what temperature you like your room and how you like your eggs, betting that knowing that stuff can translate into better service. Other kinds of customer data—the annual conferences you attend or the date of your wedding anniversary—are largely untapped marketing opportunities. Some companies are also experimenting with putting voice assistants in their rooms or using facial recognition to streamline check-in. Privacy issues abound, but even more mundane advances are fraught with trade-offs between convenience and security. It’s increasingly common for travelers to check in to a hotel from a mobile app, bypass the front desk, and get into their room by using their phone as an electronic key.

In an interview in June, Sorenson said that the hack had forced his company to take a harder look at how it manages cybersecurity, adopting forensic tools that it used in the wake of discovering the breach as part of its daily security hygiene. He also argued that privacy issues are manageable.

“The information that we want and you may want us to have, that allows us to better serve you, is often not that sensitive,” he said. “The fact that you like feather pillows, or a low floor, or a high floor. Now it is personal. But we’re not collecting information about which man or woman you show up in our hotel with and whether one’s a spouse and one’s not.”

The internet-connected drapery hadn’t led the hackers into the hotel PMS, but it did set the team on a frenzied search for other connections. One hacker dragged a chair into the vestibule and balanced on the arms, the better to lift a mahogany ceiling panel. Another found an internet port in the ceiling of the walk-in closet. Only one problem: No one had brought a 10-foot cord.

“We should call housekeeping and ask for a ladder,” one of them said. “We’re trying to hack into your network,” he joked. “Can I have a ladder? Of course, sir. Is there anything else I can do for you? ” Instead, they balanced an ironing board on an ottoman, rested a laptop on top of it all, and plugged in, using a network scanner tool to search for IP addresses that looked as if they could be hosting the PMS.

While they waited to find a signal, they took stock of the failures and successes of the hotel’s defenses. All things told, the security was better than the team expected, but it was still disconcertingly porous given the presumption of safety most guests think they have inside a hotel. If they were actually trying to breach the network, they would have tried to crack the hotel staff’s accounts to try to take control of the hotel website. At a minimum, it would have let them collect credit card info from every new booking. Before they’d checked in to their room, the leader had used his phone’s hotspot to create a new Wi-Fi network, naming it after the hotel. Within minutes, six devices had joined his spoofed network, exposing their internet activity to the hackers. (If he really wanted to go after guests, he would have used a device called a Wi-Fi pineapple to automate the process.)

It wasn’t all bad. When one of the hackers asked a waitress to charge his phone, she went out of her way to plug the device into a wall charger instead of her computer. More important, the hotel’s internal network was well protected.

Impatient to speed up the process, the team leader called his office and had a colleague look up the correct IP range for the hotel network. The PMS, however, didn’t respond. The door was locked.

But then another door opened. One of the hackers used a kind of attack called a distributed denial of service to kick a guest device, “Jamie’s iPad,” off the hotel Wi-Fi. That could have been the prelude to tricking her iPad into joining the spoofed network, and snooping on her communications. On the bright side, the hackers might never find out what Jamie likes for breakfast.

ILLUSTRATION: INKEE WANG FOR BLOOMBERG BUSINESSWEEK

Read more at Bloomberg