Identity Theft in the Hospitality Industry

Introduction

Identity theft is continuously growing in the USA, primarily due to the increased use of technology in transactions, e-marketing, and international communication. Identity theft and related fraud affect businesses, governments, individuals, and communities considerably (Sow et al., 2018). Its effects are traumatizing to the victims and devastate them with long-lasting financial consequences. The hospitality industry should stay alert to the growing concern of identity fraud, especially since it is the most susceptible industry because it deals directly with clients (Bjorke & May, 2016). Thus, it stores large amounts of its customers’ sensitive data (Sow et al., 2018). The industry should be cautious, since the services it offers create the conditions necessary for a successful data breach. This paper analyzes issues arising from identity theft in the hospitality industry. It focuses mainly on identity fraud cases, the legal implications of identity theft, and the measures implemented to prevent identity theft in the hospitality industry. It also includes recommendations for businesses in the hospitality industry to help secure clients’ data from hackers and other criminals.

Background of the Problem

The hospitality industry attributes some of its revenue losses to identity theft (Sow et al., 2018). Identity theft is a fast-growing social crime that covers all crimes in which individuals fraudulently acquire and use other people’s data for economic gain. The Federal Trade Commission (FTC) (2018) identifies employment or tax-related fraud, credit card fraud, and phone or utility fraud as the top three types of identity theft reported by victims. Companies in the hospitality industry, such as casinos, restaurants, hotels, theme parks, movie theaters, and bars, suffer significant financial losses since data breaches remain undetected for months or years (Bjorke & May, 2016).

In addition to financial losses, data breaches in the hospitality industry result in loss of trust in the brand, reduced consumer loyalty to a business, and increased cost to customers. Furthermore, a company’s insurance costs also rise after a data breach to cover the cybersecurity expenses that follow the threat (Bjorke & May, 2016). Additionally, the firm’s cost of debt increases due to the reduced creditworthiness caused by data breaches. The company faces further financial losses from the additional cost of investigating the fraudulent activities (Bjorke & May, 2016). Customers can also sue the business and its employees after a data breach to obtain compensation for the damages experienced (Bjorke & May, 2016). Consequently, the adverse effects of identity theft result in the failure of some businesses.

Technology use in the hospitality industry perpetuates identity theft, especially since it becomes more advanced every day as new technologies are introduced. Even though advancements in information technology have improved the hospitality industry’s quality of services, they have also created an avenue for identity theft (Shabani & Munir, 2020). The increased usage of e-commerce, communication technology, and computers is instrumental in the exponential growth of data breaches due to cyber theft. Information technology contributes to data breaches and information loss when employees gather guest information while offering services and during payments. The hospitality industry is a consumer-centric business; hence, it relies on consumer loyalty to generate substantial revenue. Therefore, companies in the hospitality industry should aim to maintain clients’ trust by implementing security measures that prevent cyber-attacks and data breaches. Ensuring the cybersecurity of the technologies that increase the efficiency of services is of paramount significance in the hospitality industry (Hahn et al., 2019).

Companies affected by commercial and consumer identity theft faced more significant financial losses than companies with countermeasures to deal with identity theft (ACFE, 2018). PricewaterhouseCoopers presented data in its 2014 Global Economic Crime Survey showing that 78% of businesses in the hospitality industry faced challenges of identity fraud, which resulted in asset misappropriation (Jirsa, 2020). Iwejor (2017) also indicated that most managers failed to execute the required internal controls and safeguards due to insufficient funds and inadequate knowledge. Consequently, there is a need for additional research regarding the techniques that managers in the hospitality industry should apply to reduce crimes of identity theft and fraud.

Legal Issues

Seven Sentenced in Chicago Restaurant ID Theft Scheme

Joseph Woods, Britain E. Woods, Alex Houston, Jenette Farrar, Essence S. Houston, Kenyetta Davis, and William Washington were the defendants who skimmed personal financial data from consumers in restaurants and attraction sites in the Chicago area (Claims Journal, 2013). The ringleaders paid the employees of various establishments such as Wrigley Field, RL Restaurant, a Chicago Taco Bell location, and a McDonald’s restaurant in Berwyn to steal credit card information when customers were paying their bills (Claims Journal, 2013). The employees used a credit card reader device to steal approximately 175 credit cards and banking information (Claims Journal, 2013). The ringleaders used the stolen information to produce counterfeit credit cards and make purchases of more than $200,000.

All the defendants pled guilty and were sentenced in Cook County Criminal Court. According to Illinois Attorney General Lisa Madigan, the banks holding the accounts of customers whose identities were stolen included Citibank, US Bank, American Express, Fifth Third Bank, Chase, Harris Bank, and Bank of America (Claims Journal, 2013). The compromised financial institutions notified the affected clients to secure their personal information during the investigation (Claims Journal, 2013). The Illinois Attorney General stated that identity theft posed a tremendous threat to Illinois credit card users, primarily since she received approximately 2,500 identity theft complaints in 2012 alone (Claims Journal, 2013). The complaints included incidents of fraudulent withdrawals from consumers’ financial accounts, fraudulent charges on consumers’ financial accounts, the fraudulent opening of accounts using consumers’ information, and stolen checks (Claims Journal, 2013). Madigan stated that the case of the seven identity thieves proved that identity theft is prevalent in everyday transactions. Therefore, people should consistently check their financial statements and credit card bills for any unauthorized billing and report any unknown or dubious activity early on to prevent extensive damages (Claims Journal, 2013).

Eric Larson Charged with Defrauding Hotels

Eric Larson, the defendant, allegedly stole credit card numbers to book rooms in Newport Beach, Laguna Beach, and Costa Mesa (Parker, 2012). The defendant allegedly paid for his hotel charges at the Montage with an illegally acquired credit card. The fraudulent activity was discovered after two days when the bill accrued to $2,134, as reported by the Laguna Beach Police Department (Parker, 2012). Larson used a laptop to obtain the credit card information he used to book the room, taking it from clients who accessed their accounts or made credit card purchases. Apparently, the defendant stole other people’s identities over open Wi-Fi networks by illegally acquiring their credit card account information (Parker, 2012).

The police tracked Eric Larson when he left without paying the $2,134 bill at Montage Laguna Beach (Parker, 2012). He was arrested on several identity theft charges reported in Newport Beach, Costa Mesa, and Laguna Beach. He allegedly used the stolen information to rent rooms for himself and his friends (Parker, 2012). Sgt. Louise Callus arrested one of his associates, Edward Richard York, allegedly for possessing methamphetamine and marijuana, after receiving a complaint about clients who were abusing drugs in a room at Laguna Cliffs Inn. Upon arresting him, the officers discovered that the hotel room had been booked with Larson’s illegally acquired credit card number (Parker, 2012). Larson was charged with 23 felony counts of fraud and theft due to the illegal use of stolen credit card information to book rooms in hotels (Parker, 2012). He was found guilty of the mentioned charges and was sentenced to one year in jail, three years’ probation, and restitution.

Analysis

Under a variety of federal statutes, the Department of Justice takes legal action against cases of fraud and identity theft. Congress passed the Identity Theft and Assumption Deterrence Act in 1998 and made identity theft a new offense (Hill & Marion, 2016). According to the U.S. Department of Justice, the legislation prohibits knowingly using or transferring an individual’s means of identification without lawful authority. It prohibits the use of illegally acquired personal information to commit, aid, or abet any violation that constitutes misconduct under any applicable local or state law (18 USC § 1028(a)(7)) (Hill & Marion, 2016). The Act also enabled the Federal Trade Commission to monitor complaints and offer services to consumers whose identities were stolen. Failure to comply with the legislation usually results in a maximum sentence of 15 years’ imprisonment, criminal forfeiture of any personal possession used or intended to be used to commit the offense, and a fine (Hill & Marion, 2016).

According to the U.S. Department of Justice, schemes to commit identity fraud also constitute violations of other statutes, such as credit card fraud (18 USC § 1029), wire fraud (18 USC § 1343), mail fraud (18 USC § 1341), financial institution fraud (18 USC § 1344), identification fraud (18 USC § 1028), and computer fraud (18 USC § 1030) (Hill & Marion, 2016). All the federal offenses mentioned above carry significant penalties that reach up to 30 years’ imprisonment, fines, and criminal forfeiture. Furthermore, federal investigative agencies such as the Federal Bureau of Investigation and the United States Postal Inspection Service collaborate with federal prosecutors to take legal action against identity theft and fraud cases (Hill & Marion, 2016).

Identity theft statutes vary by state, although both federal and state criminal regulations govern the offense (USLegal.com, 2020). The crime does not include falsifying identification to enter adult business establishments or to purchase tobacco or liquor. Information such as Social Security numbers, personal identification numbers (PINs), names, credit or debit card numbers, and dates of birth, among others, is protected from misuse by identity theft statutes (USLegal.com, 2020). Hence, an individual who uses another person’s identity with the intent to engage in illegal activities of identity theft may be legally punished (USLegal.com, 2020). This explains why the defendants in the cases described above were found guilty by the court. However, punishment depends on the number of victims and the total combined loss experienced directly or indirectly by the victim(s) (USLegal.com, 2020). Thus, the defendants may have had different punishments.

Management Suggestions

Managers of companies should consistently update and incorporate cybersecurity tools and techniques to prevent and control data breaches. Besides, all employees, from executives to low-level staff, should have basic knowledge of cybersecurity tools and techniques so that they can protect clients from identity theft when fraudulent activity is detected (Shabani & Munir, 2020). Managers should encourage employees to be careful about the emails and websites they access while at work to prevent data from being breached. For instance, identity thieves can easily steal client information if an employee opens an unsecured email or website due to a lack of knowledge in this regard (Shabani & Munir, 2020). As a result, clients’ data recorded by the hospitality company, such as credit card information and personal details, can be stolen, causing a disaster for the company. Furthermore, hospitality managers should instruct their subordinates not to hand out any sensitive information about their clients and educate them on the repercussions of doing so (Shabani & Munir, 2020). Managers should also establish security measures that restrict access to sensitive files and ensure safe credit card transactions.

Management should also provide secured Wi-Fi instead of unsecured Wi-Fi. The latter is highly vulnerable to attacks from fraudsters. Most hospitality businesses, such as restaurants and coffee shops, nowadays provide free Wi-Fi for their customers, which can be accessed in every area of their facilities. The freely accessible Wi-Fi enables hackers to monitor clients’ traffic on the network and use it to access the clients’ personal data (Shabani & Munir, 2020). The hackers can also take advantage of the unsecured Wi-Fi to trick customers with malicious “updates” for widely known software, such as Flash Player, so that they unsuspectingly click on updates that contain malware (Shabani & Munir, 2020). The hackers then use the opportunity to acquire the customers’ passwords, full names, and other vital information from their devices. Managers’ failure to update an organization’s systems makes it easy for hackers to gain access, mainly since outdated programs are used to acquire confidential information from hospitality businesses.

Fake booking is the most common way hackers acquire guest information in the hospitality industry (Shabani & Munir, 2020). The attackers create a phony website that imitates the features of the hotel’s main website, which consumers access when booking hotel rooms. When guests access the phishing website, identity thieves use the opportunity to collect their personal and financial information. Hotel managers should encourage face-to-face check-ins with the provision of identification documents instead of online check-ins to reduce cases of fraudulent bookings. Identity thieves usually use stolen credit card information to rent hotel rooms; hence, face-to-face check-ins will reduce such crimes. In addition to face-to-face check-ins, hotels can encourage their clients to confirm their identity by using fingerprints to avoid identity theft. Hotels can facilitate this by updating their systems to require clients and customers to use the feature when accessing their accounts with the business. Besides, hotels can acquire the fingerprints of their regular clients and store them in their database to shorten the long process of providing identification documents each time they visit the hotel.

Hospitality companies can also use a web application firewall (WAF) to prevent data breach attacks. The firewall prevents attacks that exploit web security flaws, such as security misconfigurations, SQL injections, and buffer overflows, by filtering the content of specific web applications (Clincy & Shahriar, 2018). A WAF also prevents data theft by detecting and blocking attackers’ attempts to access the credit card database (Clincy & Shahriar, 2018). Hotel managers can also secure client data by employing digital certificates, since they help provide non-repudiation by binding a message to its sender. Digital certificates can also be used by other businesses in the hospitality industry to curb identity fraud, since they help to establish the truth by challenging false claims (Clincy & Shahriar, 2018). Businesses can also use digital certificates to assure customers of the authenticity of their websites. Besides, according to Hathaway et al. (2012), individuals and organizations can curb identity theft by implementing and enforcing cyber-attack laws.
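One way a WAF-style filter can detect card data leaving a web application, shown as an added example that is not part of the original paper or of any WAF product: it checks outbound response bodies for Luhn-valid card numbers, masks an isolated one, and blocks a bulk leak. The function names, the `max_pans` threshold, and the sample bodies are assumptions constructed for illustration; the card values are well-known test numbers.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum; separates real card numbers from order or booking IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pans(body: str):
    """Return (masked_body, hits): Luhn-valid numbers keep first 6 / last 4."""
    hits = 0
    def _mask(match):
        nonlocal hits
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)   # not a card number: leave untouched
        hits += 1
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    return PAN_CANDIDATE.sub(_mask, body), hits

def filter_response(body: str, max_pans: int = 1):
    """Outbound decision: mask an isolated card number, block a bulk leak."""
    masked, hits = mask_pans(body)
    if hits > max_pans:             # assumed threshold, tune per application
        return "block", ""
    return "allow", masked

# Constructed sample bodies; card values are well-known test numbers.
RECEIPT = "Booking 1234567890123456 confirmed. Paid with card 4111-1111-1111-1111."
DUMP = "4111111111111111,5555555555554444,378282246310005"

if __name__ == "__main__":
    for name, body in (("receipt", RECEIPT), ("dump", DUMP)):
        print(name, filter_response(body))
```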

As much as organizations implement measures to prevent the identity theft of their clients, the clients should also be vigilant in protecting themselves. Customers should be careful about the links and updates they click when using public Wi-Fi to prevent hackers from accessing their private information. They should also secure their devices with passwords at all times to prevent fraudulent activities. They should check their bank statements often to keep track of their credit card activities and notify the authorities if there are any irregularities. They should also be careful about the sites to which they give personal information and contacts, because those sites might not be legitimate. Consumers should also be careful about the amount of data they post on social media, since social media has made it easy for fraudsters to commit identity theft. Individuals’ information, such as names, location, personal details, and contact info, is available online, which is all the fraudsters need to commit identity theft. In conclusion, customers should secure their financial and banking details to prevent hackers from stealing them.