Every industry in the world is vulnerable to phishing and other cyber attacks, but retail and hospitality rank among the highest-value targets for hackers looking for personally identifiable information (PII) and payment card information (PCI). These two industries are often ranked among the top three most vulnerable industries, right behind financial institutions. That vulnerability became apparent earlier this month when the MGM Grand cyber attack shut down hundreds of casino games and disabled hotel room cards. The company reportedly lost between $4.2 million and $8.4 million in daily revenue during the attack.

Retail and hospitality (R&H) companies collect PII and PCI data through many customer interaction points – loyalty programs, reservation sites, stored purchase histories, or customer journey data. But the data itself may reside in places vulnerable to attack, like point-of-sale (POS) systems, call centers or shared workstations. In some cases these systems might be installed on legacy infrastructure, which often does not have updated security measures for authentication, potentially leaving customers’ security and personal data at high risk of cyber attack.

A robust phishing-resistant multi-factor authentication (MFA) solution is needed to protect this kind of data and securely access it. As industries that often work directly with consumers, R&H has the added challenge of making sure any MFA solution is user friendly and easy to understand. Consumers are often targets for stolen-credential scams through “social engineering” – a recent Verizon Data Breach Investigation Report found that 74% of breaches are caused by stolen credentials. A second-factor method for authentication – or better yet, going completely passwordless – is crucial to avoid falling victim to another cyber attack. Usernames and passwords, and other legacy MFA like SMS, mobile authentication apps and one-time passcodes, will not offer enough security, nor do they enable good user experiences.

Hyatt Hotels and YubiKeys

Recently, Hyatt Hotels reached a security crossroads – legacy authentication systems weren’t meeting their needs. Art Chernobrov, Hyatt’s Director of Identity, Access and Endpoints, had seen enough of the old authentication system. His massive hotel chain had 200,000 employees moving between 1,500 locations (and working remotely), and he had already moved away from traditional usernames and passwords. Employees were using a one-time password (OTP) sent over SMS, which created an atmosphere of ‘MFA fatigue’ because there were numerous MFA prompts daily.

“I’ve seen the compromises in the industry, and other places, that come from fatigue, and MFA requests, that people just blindly accept. You don’t want to be that guy. You don’t want it to be on your watch.”

Art Chernobrov, Director of Identity, Access and Endpoints, Hyatt

YubiKeys offered a solution that worked well with Hyatt’s existing Microsoft authentication, such as Entra ID (formerly Azure AD) and SSO. With a hardware-bound, phishing-resistant security key, MFA fatigue was no longer an issue and the organization as a whole could embrace a passwordless future. Hyatt Hotels is leveraging YubiKeys and passwordless to reduce risks as well as to elevate guest experiences in their lobbies.

Covering the retail and hospitality cybersecurity bases

Deploying a new MFA solution should start with some due diligence and internal auditing. This is why it’s critical to follow proven guidance to ensure that you have all the information you need. In general, it’s good to start a rollout with your high-value users handling the most sensitive data. These employees are more motivated to follow directions and adopt a new system. Once MFA is road-tested with that group, expand use cases by rolling out to the rest of the workforce.

We recommend making a key applications inventory part of your internal audit. During that inventory, you might ask these questions for each application or authentication scenario:

Who needs access?

What authentication approach will you take?

How do you currently manage access: IAM, IdP, PAM, SSO, or VPN?

What is your workforce like: Remote, hybrid, on-premise, or multi-location?

What devices are they using: Owned, BYOD, desktop, laptop, smartphone, tablet, POS terminals, or inventory scanners?

Come say hello in Dallas at the RH-ISAC Summit

The 2023 RH-ISAC Cyber Intelligence Summit is coming to Dallas, Texas on October 2-4. Retail and hospitality cyber security experts and executives will be there to discuss the latest technologies that will protect this sector in 2024, and Yubico will also be attending. We offer a discount code for those that want to register here.

All RH-ISAC Core Members are already granted free admission to the event, but the discount code will be applicable for any non-RH-ISAC member.

Please come by and see us for an exciting breakout session we’re hosting with T-Mobile on Wednesday, October 4 at 10 a.m. Will Coleman, Principal Solutions Engineer at Yubico, will be speaking with Henry Valentine, T-Mobile’s Senior Manager, Cybersecurity Architecture & Strategy. During the session, Valentine will share how T-Mobile moved to hardware-backed, phishing-resistant, FIDO2 passwordless authentication to protect customer data and critical infrastructure. 


Read our guide, “How to get started with phishing-resistant MFA to secure retail and hospitality,” for more information on how YubiKeys can help your organization. Check out how Hyatt is leveraging YubiKeys in the case study here.

The post How retail and hospitality can protect themselves from increased cyber attacks appeared first on Yubico.

