Cyber risk: Protecting your management rights business
Guest data has become one of the accommodation industry's most valuable assets, and one of its biggest vulnerabilities. Resort News Editor Mandy Clarke investigates what's changed, what's at stake and how operators can stay one step ahead of cyber criminals.
Most operators spend a great deal of time thinking about the security of their buildings, guests and physical assets. Far fewer have traditionally given the same attention to the security of their data.
Yet in today’s connected world, protecting guest data can be just as important as protecting the property itself.
Management rights businesses hold a surprising amount of sensitive material. Guest details, payment records, access codes, CCTV footage, owner records, trust account information, contracts and financial data all pass through operators’ hands every day.
First published in the latest edition of Resort News. Read it HERE
That makes the industry an increasingly attractive target for cyber criminals.
While most operators have systems in place to protect physical assets, one of the biggest threats to the business may now be something nobody can physically see.
Why accommodation businesses are attractive targets
If recent incidents across the accommodation sector have shown anything, it’s that size offers very little protection. Small management rights businesses can be just as attractive to cyber criminals as larger operators.
Accommodation businesses rely on multiple connected systems to operate efficiently. Property management systems, booking engines, channel managers, payment gateways, accounting software, owner portals and communication platforms all share data and communicate with each other.
While these integrations create enormous efficiencies, they also create additional entry points for attackers.
“Accommodation businesses handle a particularly sensitive mix of data, from guest personal and payment information to staff records, owner information and financial systems,” explains Andrew Buttigieg, CTO at RMS Cloud.
“That makes them an attractive target, especially when operators are working with lean teams and may not have dedicated IT support.”
For management rights operators, the risks extend well beyond guest bookings. Trust account details, owner banking information, body corporate records, access codes, CCTV footage and contractor records can all become valuable targets if systems are compromised.
According to Andrew, phishing attacks targeting staff remain one of the most common risks facing accommodation businesses, particularly staff working in reservations, front office and accounts.
Attackers often disguise themselves as guests, suppliers, online travel agents, banks or software providers to trick staff into clicking malicious links, changing payment details or providing login credentials.
Read more HERE: From cheeky chargebacks to cyber fraud: Scams that cost the industry $$$$$
Cyber criminals are getting smarter
Five years ago, many phishing emails were relatively easy to spot. Poor spelling, strange formatting and obvious mistakes often gave them away. Today, the technology available to cyber criminals is far more sophisticated.
“We’re seeing attackers become more targeted and convincing,” Andrew says.
“With AI tools, criminals can create messages that sound polished, relevant and specific to the business.”
In many cases, the email looks exactly like a legitimate booking enquiry, supplier invoice or owner communication.
In some cases, a single click on a malicious link can be enough to compromise an account or device.
Lessons from the front line
For management rights operator Marion Simon from Boulevard North Holiday Apartments, cybersecurity is no longer viewed as a technology issue. It’s now a business risk issue.
“A few years ago, many operators, particularly smaller businesses, assumed cyber criminals were only interested in large corporations,” she says.
“Recent incidents across the accommodation industry have demonstrated that any business holding guest, owner or financial information can be a target.”

Like many operators, Marion’s business has significantly strengthened its approach to cyber protection.
“We now place much greater emphasis on staff awareness, password security, multi-factor authentication, software updates and ensuring suppliers and service providers take cybersecurity as seriously as we do.”
She says one of the biggest lessons has been understanding exactly what data the business holds and how long it is retained.
“We are currently working with our PMS supplier to ensure all credit card information and personal guest details are automatically deleted four weeks after checkout.”
While this may create some inconvenience for returning guests, Marion believes reducing risk is worth the trade-off.
“We strongly recommend guests pay directly into our trust account, removing the need to share bank card information and reducing potential cyber risks.”
She also highlights the importance of working with trusted technology partners that can respond quickly if an issue arises.
“Our guests and owners trust us with their personal information and protecting that information must now be considered as important as protecting the physical assets within our buildings.”
Read the latest edition of AccomNews HERE
Cyber risk is now legal risk
Cybersecurity is no longer just about protecting systems. It is also about complying with privacy legislation.
Lawyer, Rhys Williamson, Partner at Mahoneys specialising in intellectual property, IT and privacy law, says operators need to understand their legal obligations around personal information.
“Management rights operators hold valuable personal information,” he says.
Depending on their turnover, activities and business structure, some management rights operators may be subject to obligations under the Privacy Act, while others may still face privacy requirements through contracts and industry obligations.
Rhys says one of the simplest ways to reduce risk is to collect less information in the first place.
“Operators should not collect ‘just in case’ data,” he says.
“Do not scan passports or driver’s licences unless there is a clear reason.”
The less information a business stores, the less information can potentially be exposed if a breach occurs. He also recommends operators regularly map the information they collect, where it is stored and who has access to it.
“You can’t protect what you don’t understand,” he says. Knowing what data is held across booking systems, email accounts, cloud storage and business records is an important first step in reducing risk.
He also recommends storing any identification documents securely and deleting them once they are no longer required.
Importantly, operators should not assume responsibility ends because data sits within a booking platform.
“The booking platform holds the data, not us is a dangerous misconception,” Rhys says. “Not if the operator accesses, downloads, prints, emails or stores it.”
What happens if a breach occurs?
When a cyber incident occurs, every minute matters.
Rhys says operators should immediately isolate affected systems, preserve records, identify what data may have been exposed and notify their insurer.
“Get legal advice early,” he says.
Depending on the circumstances, operators may also have obligations under the Notifiable Data Breaches scheme to notify affected individuals and the Office of the Australian Information Commissioner (OAIC).
Beyond regulatory penalties, operators may face reputational damage, business interruption, lost bookings and significant recovery costs.
Read: Booking.com breach puts guests and accommodation operators on phishing alert
Where insurance fits
EBM Insurance says cyber incidents are occurring at an alarming rate across Australia. As a result, many accommodation businesses are turning to cyber insurance as part of their broader risk management strategy.
A cyber incident can result in system downtime, lost revenue, data recovery costs, legal expenses and reputational harm. Cyber insurance can help businesses respond to these events by providing access to specialist support, including forensic investigators, legal advisers, crisis communications professionals and recovery services.

However, insurance should be viewed as the final layer of protection rather than the first.
EBM Insurance notes that cyber policies vary considerably, making it important for operators to ensure cover aligns with their booking systems, payment processes and the amount of guest data they hold.
Eight practical steps every operator should take today
Many of the most effective cyber protections are surprisingly simple and inexpensive to implement.
1. Enable multi-factor authentication (MFA)
Turn on MFA for your property management system, email accounts, banking platforms, OTA extranets and accounting software.
Even if a password is compromised, MFA provides an additional layer of protection.
2. Use strong, unique passwords
Avoid password reuse across systems and consider using a password manager to securely generate and store credentials.
3. Train your team
Front office, housekeeping, reservations and accounts staff should all know how to identify phishing emails, suspicious payment requests and fake supplier communications.
4. Map your data
Know what information you collect, where it is stored, who can access it and how long it is retained. You cannot protect information you don’t know you have.
5. Review access regularly
Remove access for former employees immediately and ensure staff only have access to the systems and information they genuinely need.
6. Have an incident response plan
Know who to call, what systems need checking, how information will be communicated internally and when specialist help should be engaged.
7. Test your backups
Backing up critical business data is important, but operators should also test that those backups can actually be restored if systems are compromised.
8. Keep software and systems up to date.
Install updates and security patches promptly for your PMS, payment platforms, operating systems, browsers and connected applications. Delaying updates can expose vulnerabilities.
An industry-wide responsibility
ARAMA CEO Trevor Rawnsley says management rights operators should view cybersecurity as a core business responsibility rather than simply a technology issue.
“Years ago, the saying was ‘loose lips sink ships’. These days, failing to protect your data can leave your business just as exposed,” he told us.
“As management rights operators become increasingly reliant on digital systems, protecting sensitive business and guest data is now part of running a professional business.”
Trevor says operators should approach cybersecurity with the same discipline they apply to trust accounting, workplace safety and compliance obligations.
“Prevention is always better than dealing with the consequences after something has gone wrong.”
New compliance obligations on the horizon
Cybersecurity is not the only data-related issue operators should be watching.
Mahoneys warns that some management rights operators involved in property sales, buyer representation or real estate transactions may be affected by new anti-money laundering and counter-terrorism financing (AML/CTF) obligations from July 1, 2026.
Operators should seek advice to determine whether the new requirements apply to their business and ensure any additional customer information collected is managed appropriately.
Protecting what matters
Most operators would never leave a master key sitting on the reception counter or hand confidential owner records to a stranger. Protecting digital information now requires the same level of care.
Cybersecurity may not be as visible as a broken gate, faulty lock or damaged security camera, but the consequences can be just as serious.
In a business built on trust, a few simple habits today could prevent a very costly problem tomorrow.
⚠️ Warning signs of a cyber attack
Keep an eye out for these common red flags:

- Unexpected password reset requests
- Staff receiving unusual payment instructions
- Suppliers requesting bank account changes via email
- Slow, unresponsive or locked computer systems
- Suspicious login notifications
- Unusual activity in booking or payment platforms
- Guests reporting strange emails that appear to come from your business
If something doesn’t feel right, don’t ignore it. Investigate immediately. Acting quickly can significantly reduce the impact of a cyber attack and help protect your business, your guests and your reputation.