The latest reports from Trustwave, a leading cybersecurity and managed security services provider, have revealed that cybercriminals are professionalising, collaborating, and exploiting vulnerabilities in Australia’s hospitality industry at an unprecedented scale.
Trustwave released their latest threat intelligence report, the 2025 Trustwave Risk Radar Report: Hospitality Sector, and within that, two supplemental reports: How Threat Actors Turn Vulnerabilities into Big Business and A DFIR Case Study in Hospitality.
Craig Searle, director of consulting and professional services and global leader of cyber advisory at Trustwave, said the reports highlight the vulnerability of the industry and “couldn’t come at a more critical time for Australian hospitality operators.”
“Cybercriminals now operate like businesses. They collaborate, specialise, and focus on return on investment,” he said.
“Compared to global trends, Australia’s regulatory framework emphasises stricter penalties for privacy violations and expanded oversight of third-party vendors, yet the sector remains a prime target for ransomware groups with hospitality environments creating ideal conditions for attackers.”
According to Searle, cybercriminals are preying on the hospitality sector’s focus on digital transformation and delivering seamless guest experiences rather than focusing on security awareness.
“Cybercriminals exploit that mindset using fake booking messages, vendor impersonation, or urgent requests to get around defences.”
Searle said the industry’s cybersecurity attitudes are approaching a point of change, where businesses need to become more aware of the potential threats and implement protection strategies.
Weak passwords a major threat to venue security
A new study by NordPass, in collaboration with NordStellar, reveals that many hospitality businesses are using weak passwords to guard their systems, which poses a major threat.
From hotel reservation platforms to restaurant POS systems, the research exposes an industry-wide habit of reusing predictable, outdated, or brand-specific passwords, making it alarmingly easy for cybercriminals to gain access to sensitive information.
This is a list of the 20 most frequent passwords used by hospitality businesses, with many iterations of venue/brand names and the word ‘reservations’ – a stark reminder of the urgent need to improve password hygiene in the industry.
- THINKIN2023
- P@ssw0rd
- 123456
- 123456789
- Ids@1001
- Comfortinn4
- reservations2019
- V1n1c1u5
- Reservations2022
- GrandE@2022@
- developer2
- 1234
- Ramada@123
- Always4u!
- 12345678
- Zone@1234
- abanico12
- reservations2021
- Reservations2021!
- M@$ter1318
Karolis Arbaciauskas, head of business product at NordPass, said weak security not only puts a venue’s data at risk but also that of clients and staff.
“In hotels and restaurants, guests expect great service – not for their personal data to be on the menu. When weak passwords are used to protect booking systems, POS terminals, or staff accounts, it’s an open invitation to cybercriminals.”
Staff misuse posing a threat
According to Vidit Sehgal, cyber security expert and CEO of V4 IT, staff misuse of hospitality business computers is becoming one of the biggest enablers of cyber breaches.
“Most business owners think hackers are getting in through some high-level cyber warfare, but in reality, they’re often getting in because a staff member has clicked the wrong link, ignored a warning or downloaded something they shouldn’t have,” Sehgal said.
“Whether it’s using work computers for personal browsing, logging into unsecured public WiFi, or ignoring antivirus updates, these everyday habits are giving hackers a free pass into business systems.”
Sehgal warned, in some cases, it only takes a single click on a phishing email or fake browser update for hackers to infiltrate an entire network and go undetected for weeks or even months.
But by the time the damage is visible, it’s often extensive.
“The impact on a business can be catastrophic. Customer poaching is a big issue and a goldmine for hackers who use the information to offer customers better deals or even offers too good to be true and once they pay, the scam business disappears leaving the original business suffering and scrambling,” said Sehgal.
Signs that your venue’s systems may be compromised include:
- A noticeable slowdown in computer performance
- Unexpected system crashes or suspicious popups
- Files start disappearing
- Passwords are changed without permission
- Antivirus software disables itself
- Strange emails and messages are being sent from company accounts
- Mouse moves on its own
- The webcam light flicks on without you touching it
- Staff begin receiving unusual password reset emails
Even trusted employees can unintentionally invite serious risk, said Sehgal.
“The majority of staff are not malicious, they’re just unaware. Unfortunately, in cyber security, ignorance is just as dangerous as intent.”
If there’s even a suspicion of a breach, Sehgal said the first step is to disconnect affected devices from the internet, contact a cyber security expert and arrange for an IT professional to conduct a complete onsite computer health check.
“Don’t try to fix the issue yourself and don’t take the computer to a random tech store. Have a trusted IT professional come to your business or home, inspect your system in person, remove threats and lock it down properly,” he said.
What can pub operators do to protect their venue?

Trustwave’s Searle suggests businesses invest in prevention first and foremost, such as managed detection and response, email protection, and employee awareness training.
Sehgal agreed that the best protection lies in educating staff, implementing clear IT usage policies and scheduling regular security audits.
“Your staff are your first line of defence or your weakest link. The smartest investment a business can make today is a regular computer health check by an IT professional who comes to you. It is one of the easiest and most effective ways to prevent a silent breach before it turns into a disaster.”
Similarly, NordPass recommends educating staff on password hygiene to help build a security-aware culture and reduce human error; avoiding company names, dates, or role-specific terms in passwords; enabling multi-factor authentication; and adopting secure password managers for teams to simplify the creation and storage of strong passwords.
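As an added illustration of these recommendations (example code written for this page, not from the article, NordPass or NordStellar), the following Python policy check screens a candidate password for the patterns the article calls out: verbatim appearance in the published weak-password list, venue or brand names, role-specific words such as “reservations”, embedded years, and leetspeak disguises of common words (so “P@ssw0rd” is recognised as “password”). The venue names and staff accounts it audits are constructed examples; the denylist is the 20 passwords quoted above.

```python
import re

# The 20 passwords quoted in the article (NordPass/NordStellar list).
ARTICLE_TOP_PASSWORDS = {
    "THINKIN2023", "P@ssw0rd", "123456", "123456789", "Ids@1001", "Comfortinn4",
    "reservations2019", "V1n1c1u5", "Reservations2022", "GrandE@2022@", "developer2",
    "1234", "Ramada@123", "Always4u!", "12345678", "Zone@1234", "abanico12",
    "reservations2021", "Reservations2021!", "M@$ter1318",
}

# Leetspeak substitutions undone before comparison, so "P@ssw0rd" -> "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s",
                      "5": "s", "!": "i", "4": "a"})

# Role-specific words a hospitality venue should keep out of passwords
# (constructed list based on the terms the article mentions).
ROLE_TERMS = {"reservations", "reservation", "booking", "frontdesk",
              "reception", "password", "admin", "developer"}

YEAR_RE = re.compile(r"(19|20)\d{2}")


def normalize(text: str) -> str:
    """Lower-case, undo common leetspeak substitutions and keep letters only."""
    return re.sub(r"[^a-z]", "", text.translate(LEET).lower())


def check_password(pw: str, venue_terms, min_length: int = 12,
                   denylist=ARTICLE_TOP_PASSWORDS) -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if pw in denylist:
        problems.append("appears verbatim in the published weak-password list")
    core = normalize(pw)
    # Venue/brand names are normalised the same way, so "Comfort Inn" matches "Comfortinn4".
    for term in venue_terms:
        t = normalize(term)
        if t and t in core:
            problems.append(f"contains venue/brand term '{term}'")
    for term in sorted(ROLE_TERMS):
        if term in core:
            problems.append(f"contains role-specific term '{term}'")
    # Years are checked on the raw string, because normalize() strips digits.
    if YEAR_RE.search(pw):
        problems.append("contains a year")
    if pw.isdigit():
        problems.append("all digits")
    return problems


def audit_accounts(accounts: dict, venue_terms) -> dict:
    """Map each account name to its violations, keeping only failing accounts."""
    report = {user: check_password(pw, venue_terms) for user, pw in accounts.items()}
    return {user: probs for user, probs in report.items() if probs}


if __name__ == "__main__":
    # Constructed venue and staff accounts for demonstration only.
    venue = ["Ramada", "Comfort Inn", "Grand Hotel"]
    staff = {
        "frontdesk": "Reservations2022",
        "manager": "Ramada@123",
        "pos-terminal": "P@ssw0rd",
        "chef": "Wren-lantern-47-quartz!",
    }
    for user, probs in audit_accounts(staff, venue).items():
        print(f"{user}: " + "; ".join(probs))
```

Only the three weak accounts appear in the report; the chef’s long passphrase contains no brand name, role word or year and passes. In practice the denylist would be far larger than 20 entries and the check would run at password-change time, alongside multi-factor authentication, rather than as a one-off audit.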