Cyber threats in hospitality, leisure and tourism sector: risks, real cases and how to protect your business

Tourism and hospitality businesses are increasingly exposed to cybercrime and fraud. Hotels, restaurants, travel agencies and leisure companies routinely process sensitive customer data, including bookings, payment details and personal information – making them appealing targets for cyber criminals.

The scale of the threat in the UK remains significant. The Government’s latest Cyber Security Breaches Survey 2025/2026 found that 43% of UK businesses - equating to around 612,000 businesses - had identified a cyber breach or attack in the past 12 months, and recent incidents highlight that the hospitality sector cannot afford to be complacent.

In May 2026, BWH Hotels, the group behind Best Western Hotels & Resorts, confirmed that unauthorised activity involving one of its reservation applications had exposed guest contact information and reservation details, including names, email addresses, telephone numbers, home addresses, reservation numbers, dates of stay and special requests. Payment and bank details were not involved, but the data could still be used to support convincing phishing attempts aimed at guests.

But the risk is not confined to large hotel groups. In 2025, Jeremy Clarkson confirmed hackers broke into the accounting system at The Farmer’s Dog pub in the Cotswolds and stole £27,000, underlining how quickly a cyber incident can become a direct financial loss for an individual hospitality business.

Large and small operators are at high risk of cybercrime

Smaller operators are just as likely to be targeted. Independent hotels, guesthouses, restaurants, and travel agents may believe cyber criminals only go after large firms, but the opposite is often true as attackers actively seek out businesses with weaker controls. The impact can be severe, not only financially and reputationally, but also operationally. Downtime caused by an incident can halt operations for hours or even days. Time and resources are diverted to recovery tasks such as informing affected customers, restoring access, and dealing with lost data. For small teams, the disruption can be overwhelming.

Cybercrime and fraud techniques are increasingly sophisticated. Invoice fraud is on the rise with criminals intercepting emails and altering payment details to divert funds.

Research shows phishing attacks remained the most prevalent type of breach or attack (experienced by 38% of businesses), and also highlighted a perception that phishing attacks have become easier for attackers to commit.

Reservation scams, with bogus bookings made using fake or compromised information, lead to lost revenue and added administrative burden. Perhaps most concerning are cases where AI has been used to impersonate senior staff or trusted contacts by phone, tricking employees into revealing passwords or authorising payments. These attacks are designed to exploit the trusting, service-oriented nature of the industry and can be extremely convincing.

Common types of cyber breach

• phishing emails to reception, finance or booking teams
• fake supplier invoices or requests to change bank details
• compromised email accounts used to intercept booking enquiries
• attacks on online reservation systems or website forms
• ransomware affecting access to booking, till or back-office systems
• theft of customer, employee or payment-related information
• weak passwords or shared logins across booking platforms
• unpatched devices, outdated software or poorly configured cloud systems
• fraudulent messages sent to guests following access to reservation data

The impact of a cyber breach can be substantial. Systems and bookings may be inaccessible, customer data may be exposed, supplier payments are directed to cybercriminals and customers could receive fraudulent messages appearing to come from the business.

Cyber security solutions

Within the tourism and hospitality sectors, limited internal IT capacity and constrained budgets often mean that investment in cyber security is overlooked, leaving many businesses under-protected.

In an industry where trust and reputation are vital, cyber security is not a luxury - it is a necessity. Proactive steps to improve cyber security can help avoid potentially costly and damaging disruption and give customers continued confidence in the services businesses provide.

Many hospitality businesses already have IT support in place, whether internally or through an external provider. That support is valuable, but it is not the same as an independent cyber security review.