82% of North American hotels affected by 2024 cyberattack

Sixty-six percent of hotel IT and security executives expect a rise in attack frequency and 50 percent an increase in severity during the summer 2025 travel season, according to new research released today by VikingCloud, a predict-to-prevent cybersecurity and compliance company. During summer 2024, 82 percent of North American hotels were hit with a successful cyberattack, and 58 percent of hotels were targeted by five or more attacks.

For summer 2025, the threat landscape is evolving with AI-powered attacks that many hotels aren’t prepared to handle. In fact, 48 percent of hotel IT and security executives aren’t confident in their staff’s ability to reliably identify and respond to sophisticated AI-driven cyberattacks and deepfakes. Alarmingly, 22 percent admitted cybercriminals outpace their teams.

Guest-facing technology is most vulnerable to attack, including payment systems and point-of-sale (POS) technology (72 percent), guest Wi-Fi (56 percent), and front desk systems (34 percent). Top attack methods that could impact hotel operations this summer include data breaches exposing payment details, passports, loyalty accounts, or other sensitive guest PII (46 percent), phishing attacks (40 percent), and guest Wi-Fi network compromise or misuse (38 percent).

“Peak travel season is here, and it’s also the busy season for cybercriminals,” Kevin Pierce, chief product officer at VikingCloud, said in a statement. “Hotels are a prime target given the surge in guest transactions, reliance on interconnected systems, and vast amounts of sensitive data. Last summer, 44 percent of hotels experienced more than 12 hours of downtime due to an attack. The financial and reputational impact from downtime can last long after summer ends, which makes understanding your cyber vulnerabilities and closing preparedness gaps essential.”

VikingCloud’s research, “Peak Season, Peak Risk: The 2025 State of Hospitality Cyber Report,” is based on a quantitative survey of hotel IT and security leaders across North America and uncovered:

  • Payment systems are at risk: Specifically, 34 percent are worried about POS system attacks disrupting in-person transactions, and 32 percent say a significant increase in credit card transactions will increase their cybersecurity risk during the busy travel season.
  • Cyberattack fallout could be devastating: Reputational damage from negative reviews (66 percent), financial losses (46 percent), lawsuits (42 percent), lower occupancy (32 percent), and higher insurance premiums (30 percent) were cited as the most likely business impacts. Twelve percent said an attack could lead to hotel closure.
  • Third parties and legacy tech pose major risks: Forty-two percent of hotel IT and security executives say weaknesses in third-party systems like payment processors and booking platforms increase their cybersecurity risk this summer. Forty percent say the same for outdated technology.
  • Talent, skills, and training gaps undermine hotels’ defenses: Twenty-six percent report limited in-house cybersecurity expertise, and 16 percent struggle to fill job vacancies. Temporary staff add to the challenge—26 percent say an influx of seasonal employees unfamiliar with cyber policies and best practices increases risk.

Cyber Defenses Lag Behind Growing Threats

Despite 4 in 10 executives saying that 16-25 percent of their total IT budget is devoted to cybersecurity, hotel defenses are struggling to keep pace with today’s threats.

While most hotels are investing in basic protections like next-gen antivirus, anti-malware, and anti-spam (72 percent), firewalls (70 percent), and VPNs (66 percent), fewer than half have deployed advanced defenses like vulnerability scanning, automated data backups, or integrated ransomware protection. Adoption is even lower for dark web monitoring (26 percent) and penetration testing (28 percent). Thirty percent still don’t have plans to outsource to a managed security service provider.

“Cyberattacks can shutter hotel operations, erode guest confidence, and drain revenue during the busiest time of year. Going beyond the basics is critical to survival in today’s threat landscape,” added Pierce.

To read the full report, visit https://www.vikingcloud.com/resources/peak-season-peak-risk-the-2025-state-of-hospitality-cyber-report.