AI-driven hotel hacks surge, putting guests' payment data at risk

AI-boosted hotel hacks are rising as RevengeHotels phishes hotel staff to steal guest card data. The risk is growing in South Africa, Kenya and Nigeria: train staff, harden email, and secure payments.

Published on: Sep 24, 2025

AI-driven hotel cyberattacks are escalating. Here's how to protect guests and revenue

Kaspersky is warning hotels about a new wave of attacks where criminals use AI to sharpen old techniques. The threat group known as RevengeHotels is leveraging AI-generated code and phishing to steal guest payment data and personal information.

The group has been active since 2015. Kaspersky's recent analysis shows its operations have become more sophisticated and harder to detect, with incidents now reported beyond Brazil, its traditional hunting ground, and clear relevance for African markets including South Africa, Kenya and Nigeria.

What's new - and why it matters

Attackers are combining convincing phishing emails with malware deployment at the property level. The goal is simple: reach payment systems and guest records without tripping basic defenses.

As Kaspersky's Lisandro Ubiedo puts it: "Cybercriminals are increasingly using AI to create new tools and make their attacks more effective. This means that even familiar schemes, like phishing emails, are becoming harder to spot for a common user. For hotel guests, this translates into higher risks of card and personal data theft, even when you trust well-known hotels."

How the attack works

  • Phishing email sent to reservations, front office, HR or finance, disguised as a booking request, group inquiry, or job application.
  • An employee opens an attachment or link that looks legitimate.
  • Malware such as VenomRAT installs, giving attackers remote access to systems handling bookings and payments.
  • Payment data, IDs and contact details are exfiltrated; in some cases, ransomware or spyware follows.

Why Africa should pay attention

High tourism volumes in South Africa and Kenya, and frequent business travel through Nigeria, make these markets attractive targets. Multinational chains with central systems can also be used as a bridge to properties across continents.

Immediate actions for GMs and IT leads

  • Block the usual payloads: disable macros by default; quarantine LNK, HTA, ISO/IMG, and script attachments at the email gateway.
  • Tighten email authentication: publish SPF and DKIM for every sending domain and enforce DMARC with a policy of quarantine or reject (a p=none record only produces reports and blocks nothing).
  • Segment networks: isolate PMS, POS, payment terminals and back-office PCs on separate VLANs with strict ACLs.
  • Lock down remote access: disable unused RDP; require VPN + MFA for any vendor or staff access.
  • Endpoint protection: enable EDR with behavioral detection and application control on all front-desk and finance machines.
  • Patch and update: prioritize OS, browsers, PDF readers, Office suites and any booking integrations.
  • Backups: enforce 3-2-1 with at least one offline or immutable copy; test restores weekly.
  • Monitoring: set alerts for new user creation, mailbox forwarding rules, and unusual outbound traffic.
  • Least privilege: remove local admin rights from front office and reservations PCs.
  • Vendor access: time-bound accounts, IP allowlists, and activity logs for channel managers, payment gateways and PMS support.
  • Payment hardening: use tokenization; never store PANs locally; align with PCI DSS requirements.
  • Phishing simulations: run monthly tests; coach individuals, not just teams.
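The "Monitoring" item above names three signals worth alerting on. The block below is an added example (not code from this article or from Kaspersky) that turns them into toy detection rules and runs them over constructed log lines. The field names loosely mimic Microsoft 365 audit records, Windows Security events and flow logs but are simplified assumptions, as are the hotel's mail domain, internal ranges and the outbound-bytes threshold.

```python
"""Toy detections for the three monitoring signals in the advisory:
mailbox forwarding rules, new user creation and unusual outbound traffic.
Added example; field names and thresholds are assumptions, not a real schema."""
import json
from ipaddress import ip_address, ip_network

INTERNAL_DOMAINS = {"examplehotel.co.za"}                       # assumed hotel mail domain
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
OUTBOUND_BYTES_THRESHOLD = 50 * 1024 * 1024                    # 50 MiB from one host, assumed

# Constructed sample events (one JSON object per line), not real telemetry.
SAMPLE_LOG = r"""
{"source":"m365","op":"New-InboxRule","user":"reservations@examplehotel.co.za","params":{"Name":".","ForwardTo":"bookings.backup@gmail.com","DeleteMessage":true}}
{"source":"m365","op":"Set-InboxRule","user":"gm@examplehotel.co.za","params":{"Name":"VIP","MoveToFolder":"VIP"}}
{"source":"windows","event_id":4720,"host":"FRONTDESK-02","subject":"FRONTDESK-02\\reception","new_account":"support_tmp"}
{"source":"windows","event_id":4624,"host":"FRONTDESK-02","subject":"FRONTDESK-02\\reception"}
{"source":"netflow","src":"192.168.20.15","dst":"203.0.113.7","dst_port":443,"bytes_out":78000000}
{"source":"netflow","src":"192.168.20.15","dst":"10.0.0.5","dst_port":445,"bytes_out":90000000}
"""


def is_external_mailbox(address: str) -> bool:
    """True when the target of a forward is outside the hotel's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def is_internal_ip(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def detect(ev: dict):
    """Return (severity, message) for one parsed event, or None if it is benign."""
    src = ev.get("source")
    if src == "m365" and ev.get("op") in ("New-InboxRule", "Set-InboxRule"):
        # Forwarding to an outside mailbox is the classic post-phish persistence step;
        # the attacker reads replies (and card details) without touching the host again.
        p = ev.get("params", {})
        targets = [p[k] for k in ("ForwardTo", "RedirectTo", "ForwardingSmtpAddress") if p.get(k)]
        external = [t for t in targets if is_external_mailbox(t)]
        if external:
            extra = " and deletes the original" if p.get("DeleteMessage") else ""
            return ("HIGH", f"{ev['user']} set a rule forwarding mail to {', '.join(external)}{extra}")
    elif src == "windows" and ev.get("event_id") == 4720:
        # 4720 = a user account was created; front-desk PCs should never do this.
        return ("MEDIUM", f"new account {ev['new_account']!r} created on {ev['host']} by {ev['subject']}")
    elif src == "netflow":
        # Large transfers to non-internal destinations from a workstation suggest exfiltration.
        if not is_internal_ip(ev["dst"]) and ev["bytes_out"] >= OUTBOUND_BYTES_THRESHOLD:
            mib = ev["bytes_out"] / 2**20
            return ("MEDIUM", f"{ev['src']} sent {mib:.0f} MiB to external {ev['dst']}:{ev['dst_port']}")
    return None


def run_detections(log_text: str):
    """Parse JSON lines and collect every alert, in log order."""
    alerts = []
    for line in log_text.strip().splitlines():
        hit = detect(json.loads(line))
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for severity, message in run_detections(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

Run against the constructed log, the script raises three alerts: the external forwarding rule (which also deletes the originals, so the victim never sees the attacker's traffic), the new local account on the front-desk machine, and the 74 MiB transfer to an external host. The internal SMB transfer and the routine mailbox rule are ignored. In production the same logic belongs in your EDR or SIEM rule set, fed from the real audit log rather than JSON lines.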

Front-of-house red flags (train your team)

  • "Urgent" group bookings with attachments that won't open in cloud viewers and insist on local download.
  • Job applications with archive files (.zip/.rar/.img) or script extensions.
  • Emails spoofing familiar partners but sent from free webmail or look-alike domains.
  • Requests to "confirm card details" via a form or file rather than your standard payment link.
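The red flags above (and the "block the usual payloads" and default-deny attachment items elsewhere on this page) can be expressed as a first-pass gateway triage. The block below is an added example, not code from the article or from Kaspersky: it scores constructed messages on sender domain (exact partner match, free webmail, look-alike), attachment type under a default-deny allowlist, and card-detail requests in the body. The partner domains, allowlist, webmail list and phrases are all assumptions.

```python
"""Default-deny triage of inbound mail against the front-of-house red flags.
Added example; partner domains, allowlists and phrases are assumptions."""
from pathlib import PurePosixPath

PARTNER_DOMAINS = {"booking.com", "expedia.com", "travelpartner.co.ke"}       # assumed partners
FREE_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "protonmail.com"}
ALLOWED_EXT = {".pdf", ".docx", ".xlsx", ".jpg", ".png"}                        # everything else is held
DANGEROUS_EXT = {".lnk", ".hta", ".iso", ".img", ".vhd", ".vhdx", ".js", ".jse", ".vbs",
                 ".wsf", ".ps1", ".bat", ".cmd", ".scr", ".exe", ".msi", ".zip", ".rar", ".7z"}
CARD_PHRASES = ("confirm card details", "card number", "cvv", "send your card")

# Constructed sample messages, not real mail.
SAMPLE_MESSAGES = [
    {"from": "groups@bookinq.com", "subject": "URGENT group booking 40 rooms",
     "attachments": ["Rooming_List.pdf.lnk"], "body": "Please open the attached list today."},
    {"from": "hr.candidate@gmail.com", "subject": "Application - Night Auditor",
     "attachments": ["CV_and_certificates.iso"], "body": "Please find my CV attached."},
    {"from": "partner@travelpartner.co.ke", "subject": "Invoice",
     "attachments": ["Invoice_2291.pdf"], "body": "See attached invoice."},
    {"from": "guest@example.org", "subject": "Card update",
     "attachments": [], "body": "Please confirm card details via the attached form."},
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Fold common homoglyph swaps (0/o, 1/l, rn/m, vv/w) before comparing."""
    return domain.lower().replace("0", "o").replace("1", "l").replace("rn", "m").replace("vv", "w")


def classify_sender(addr: str):
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain in PARTNER_DOMAINS:
        return None
    if domain in FREE_WEBMAIL:
        return f"sender {addr} uses free webmail"
    for partner in PARTNER_DOMAINS:
        if normalise(domain) == normalise(partner) or levenshtein(domain, partner) <= 2:
            return f"sender domain {domain} looks like partner {partner}"
    return None


def classify_attachment(name: str):
    # Only the final extension matters to the OS: booking.pdf.lnk is a shortcut, not a PDF.
    ext = PurePosixPath(name.strip().lower()).suffix
    if ext in DANGEROUS_EXT:
        return f"attachment {name}: blocked type {ext}"
    if ext not in ALLOWED_EXT:
        return f"attachment {name}: type {ext or '(none)'} not on allowlist"
    return None


def triage(msg: dict):
    """Return ('quarantine' | 'deliver', [reasons]) for one message."""
    reasons = []
    hit = classify_sender(msg["from"])
    if hit:
        reasons.append(hit)
    for name in msg.get("attachments", []):
        hit = classify_attachment(name)
        if hit:
            reasons.append(hit)
    body = msg.get("body", "").lower()
    if any(phrase in body for phrase in CARD_PHRASES):
        reasons.append("asks for card details by email or form instead of the payment link")
    return ("quarantine" if reasons else "deliver"), reasons


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict, reasons = triage(msg)
        print(f"{verdict:10} {msg['from']:32} {'; '.join(reasons) or '-'}")
```

Of the four constructed messages only the genuine partner invoice is delivered; the "urgent" group booking is held for both its look-alike domain (bookinq vs booking) and its .lnk payload hiding behind a .pdf name, the job application for webmail plus an ISO, and the card-update mail for asking for card details outside the standard payment link. A real gateway would also inspect file content (magic bytes, archive listings) rather than trust the extension, and would route holds to a reviewer rather than silently drop them.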

Guest trust: what to say and how to say it

  • Payments: route guests to a secure, consistent payment link. Never ask for full card details by email.
  • Booking changes: verify by calling the number on file before processing card updates sent via email.
  • Notice template ready: if an incident occurs, provide clear timelines, what data may be affected, and steps guests can take (card reissue, monitoring).

If you suspect compromise (first 24 hours)

  • Isolate: disconnect affected machines from the network; do not power off unless instructed by IR lead.
  • Notify: contact your incident response partner and payment provider; escalate internally per runbook.
  • Contain: reset credentials, revoke suspicious tokens, disable mailbox forwarding, and block indicators found by EDR.
  • Preserve evidence: collect logs, memory and disk images before reimaging.
  • Regulatory: assess notification duties (see notes below) and prepare guest communications.

Policy updates that reduce risk this week

  • Default-deny for email attachments; allow only file types your teams truly need.
  • Two-person rule for vendor-initiated changes to PMS or payment settings.
  • Quarterly access reviews for all staff and vendors; remove dormant accounts.
  • Data minimization: purge scanned IDs and card copies; set clear retention windows.

Regional compliance notes (hospitality)

  • South Africa: POPIA - notify the Information Regulator and affected individuals if there's a reasonable belief of compromise.
  • Nigeria: NDPA 2023 (with the NDPR still in force) - breach notification to the Nigeria Data Protection Commission (NDPC, which took over this role from NITDA) within the required timelines.
  • Kenya: Data Protection Act - notify the ODPC within 72 hours where there is a real risk of harm to data subjects, and the affected data subjects without undue delay.
  • EU guests: GDPR obligations may apply if you process EU resident data.

What Kaspersky advises

  • Treat every link and attachment with caution, even if the email looks friendly or familiar.
  • Use advanced security solutions that provide real-time protection, visibility and fast incident response.
  • Fine-tune antispam settings; expect targeted messages that mimic your daily workflows.
  • Be suspicious of unexpected files, even from official-looking senders; they may carry ransomware or spyware.

One smart move for staff upskilling

Elevate email, AI and office-tool fluency for front-office and admin teams so they spot sophisticated lures faster. Curated options by job role can help you roll this out without friction: AI courses by job role.

Bottom line for GMs

  • People are your first firewall. Train them. Test them. Make it routine.
  • Assume phishing will get a click. Build layers that limit blast radius and speed up response.
  • Protect payments above all else. Tokenize, segment and monitor.
  • Have the breach playbook ready. The clock starts the moment a lure lands.

Tourism and business travel are rising, and attackers are using AI to sharpen their methods. Strengthen defenses now to protect your brand, your guests and your bottom line.
