Hotels have a new AI cybersecurity problem. Here’s what to know.
https://hotelsmag.com/news/hotels-have-a-new-ai-cybersecurity-problem-heres-what-to-know/
Publish Date: 2026-06-23 19:03:00
Source Domain: hotelsmag.com
Cybercriminals have long targeted hotel loyalty programs, guest accounts, call centers and customer support channels. Historically, these attacks required significant human effort to execute and scale. Autonomous AI agents are changing that equation by pursuing objectives independently and adapting their tactics in real time.
As hotels continue expanding digital services and connected guest experiences, threat actors are leveraging autonomous AI agents to exploit the trust that underpins everyday interactions among guests, employees and hotel systems.
A Growing Threat to Hospitality
Autonomous AI agents differ from traditional AI tools because they can pursue goals, make decisions, interact with other systems and adjust their approach based on what they encounter, all without a human directing every step. In a cyberattack, an autonomous AI agent might identify a target, test credentials, attempt account recovery, adjust its tactics when challenged and continue probing for opportunities without continuous oversight from a human operator.
Hotels are particularly attractive targets because they manage valuable loyalty programs and customer data while operating complex environments designed around convenience and customer service. This combination creates numerous opportunities for sophisticated attacks, many of which are highlighted in the 2026 Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) Intel Team report.
One of the clearest examples is the hotel call center. Using publicly available information from breached databases, social media or other online resources, autonomous AI agents can impersonate loyalty members, contact hotel staff using synthesized voices and request actions such as a points transfer or account changes. Unlike human attackers, AI agents can operate simultaneously across hundreds of properties and thousands of accounts, adapting their responses in real time and prioritizing the highest-value targets.
Hotel contact center staff, trained to prioritize guest satisfaction and efficient service, are inherently disadvantaged against systems that operate continuously and at massive scale.
For hotel brands, a single successful impersonation attack can damage guest trust, erode loyalty program value and harm brand reputation long after the initial fraud event.
Why Traditional Security Controls Fall Short
Hotel security has historically been built around keeping attackers out through strong passwords, multi-factor authentication and access controls. Autonomous AI agents can often sidestep this model.
Today’s attackers increasingly don’t break in; they log in. Using synthetic identities, compromised credentials or convincingly impersonated guests, they enter systems through the front door and initially behave like legitimate users. The attack doesn’t look like an intrusion; it looks like a loyal guest changing a reservation or contacting support. By the time the fraud is detected, the AI agent has often already achieved its objective and moved on.
The fragmented nature of hotel technology environments compounds the challenge. Loyalty, booking, payment and guest services platforms are often managed by different teams and operate on separate systems with limited ability to share behavioral signals in real time. An AI agent that triggers a low-level anomaly in a loyalty system may simultaneously be executing a transaction in a booking platform, while neither environment has enough context to identify the activity as fraudulent.
Traditional security tools evaluate isolated events. Autonomous AI agents are designed to exploit the gaps between them.
Detecting and Mitigating Identity Threats
Defending against autonomous AI agent attacks requires a new approach to identity security—one that extends beyond verifying who a user claims to be at login and instead continuously evaluates whether behavior throughout a session is consistent with that of a legitimate guest.
This is the core principle behind identity threat detection and risk mitigation. Rather than establishing trust only once, organizations continuously assess “risk signals” throughout an interaction, including device intelligence, behavioral patterns, transaction sequences and cross-system activity.
For hotels, this means applying continuous risk evaluation at the moments that matter most: loyalty account changes, password resets, payment modifications, guest support interactions and check-in requests. These high-value touchpoints are especially attractive targets because they are designed for speed and convenience rather than intensive scrutiny.
An identity risk framework that evaluates interactions throughout the customer journey is far better positioned to identify autonomous AI-driven activity before fraud occurs. Critically, this approach can operate largely in the background, minimizing friction for legitimate guests while preserving the seamless experiences that drive loyalty and revenue.
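The sketch below is an added example, not code from the article or from any vendor. It shows how correlating events per account across loyalty, support and booking systems surfaces a session that no single system would flag. The weights, thresholds, signal names, field names and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Illustrative weights (assumptions), in risk points, for touchpoints the article names.
TOUCHPOINT = {"password_reset": 30, "loyalty_account_change": 25,
              "payment_modification": 30, "support_interaction": 15,
              "check_in_request": 10}
SIGNAL = {"new_device": 20, "synthetic_voice_suspected": 30, "geo_mismatch": 15}
SILO_ALERT = 60      # score at which a single system would alert on one event
STEP_UP = 90         # cross-system score that triggers step-up verification
WINDOW = 1800        # seconds of history correlated per account

def event_risk(ev):
    """Score one event from its touchpoint plus any attached risk signals."""
    return TOUCHPOINT.get(ev["action"], 0) + sum(SIGNAL.get(s, 0) for s in ev["signals"])

def evaluate(events):
    """Return (accounts a silo would flag, accounts the correlated view flags)."""
    siloed, correlated = set(), set()
    history = defaultdict(list)          # account -> [(ts, system, risk)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        risk = event_risk(ev)
        if risk >= SILO_ALERT:
            siloed.add(ev["account"])
        recent = [h for h in history[ev["account"]] if ev["ts"] - h[0] <= WINDOW]
        recent.append((ev["ts"], ev["system"], risk))
        history[ev["account"]] = recent
        systems = {h[1] for h in recent}
        if len(systems) >= 2 and sum(h[2] for h in recent) >= STEP_UP:
            correlated.add(ev["account"])
    return siloed, correlated

# Constructed sample events from three separate systems (not real data).
EVENTS = [
    {"ts": 0, "system": "loyalty", "account": "A-1001",
     "action": "password_reset", "signals": ["new_device"]},
    {"ts": 600, "system": "support", "account": "A-1001",
     "action": "support_interaction", "signals": ["synthetic_voice_suspected"]},
    {"ts": 900, "system": "booking", "account": "A-1001",
     "action": "payment_modification", "signals": []},
    {"ts": 100, "system": "loyalty", "account": "B-2002",
     "action": "loyalty_account_change", "signals": []},
    {"ts": 5000, "system": "booking", "account": "B-2002",
     "action": "check_in_request", "signals": []},
]

if __name__ == "__main__":
    siloed, correlated = evaluate(EVENTS)
    print("per-system alerts:", sorted(siloed))
    print("step-up after correlation:", sorted(correlated))
```

Account A-1001 never reaches the per-system alert score on any single event, yet the correlated view requests step-up verification at the support interaction, before the payment modification arrives.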
Hotels Need an Adaptive Security Model
Autonomous AI agents are accelerating both the speed and sophistication of identity-based attacks. As hotels continue expanding their digital services and guest engagement channels, their cybersecurity strategies must evolve accordingly.
The future of hotel cybersecurity will depend on continuously evaluating trust across identities, systems, and guest interactions. Hotels that gain greater visibility across traditionally siloed workflows will be better positioned to reduce identity fraud, strengthen guest trust and protect loyalty programs without introducing unnecessary friction.
As autonomous AI agents proliferate, the challenge is no longer simply keeping attackers out. It is continuously verifying trust across every digital interaction.
Story contributed by Brian Nimmo, chief strategy officer at ID Dataweb.