A man walks into the hotel breakfast room. He is greeted by the friendly waitress with the familiar question, “Good morning Sir. May I have your name and room number please?” The man answers, “Mr. Smith, Room 305.”
The waitress thanks Mr. Smith and ticks the guest in-house report. The man proceeds to help himself to the breakfast buffet.
In this case, the waitress did not realise that the man was not the real Mr Smith, but
someone who had assumed his identity. She had no reason to doubt he was Mr Smith
because he gave the name of a hotel guest, he quoted the right room number and
breakfast was included in his stay – all matching her accommodation list. However, he
was not a guest of the hotel, but someone who walked in off the street and who knew
how the system worked.
He managed to get a free breakfast because the room service breakfast cards that
hang overnight outside room doors gave him all the information he needed. A walk
through the corridors without raising attention to himself yielded guest information he
could use.
The breakfast cards hanging on the outside of the door identify the room number, and
record the name of the guest, their signature and the time they request their
breakfast. The card hangs outside the door for a considerable time during the night.
Anyone passing the door can take the card and use the guest information for
improper purposes.
If appropriately dressed, exhibiting enough self-confidence and with a bit of luck
going his way the fake ‘Mr. Smith’ could also have asked reception for a duplicate key
card and gotten away with it. Only a low percentage of hotels really ask for ID when a
duplicate key is requested, even if ID is required in hotel procedure.
Hotels still request name, room number and signature on the breakfast card (order
card). We see no important reason why guest details must be displayed in order to
deliver breakfast to the room. In most cases when breakfast is delivered to the room
the guest usually has to sign the guest check anyway for verification and record
purposes.
When I carry out security penetration tests, this ‘Mr. Smith’ scenario is still happening. What concerns me more than the giving away of a free breakfasts, is this lack in security that increases the risk of access to rooms, theft, gaining free Wi-Fi internet access and in a worst-case scenario, jeopardising guest safety. Some hotels are using technology to place room service orders on a tablet PC or smart phone. This not only reduces print costs, importantly it also cuts down the risk of guest ID getting into the wrong hands.
Hotels can save money and prevent squabbles over guest bills by preventing non-guests
helping themselves to free breakfasts in the name of a guest.
About the author
Founder and Managing Director of Sky Touch Consulting, Stefan Vito Hiller, has over 20 years experience in the hotel industry including five years experience in the security field. He has worked for leading hotel brands in Munich, Frankfurt, Bremen, Berlin, Cork, Edinburgh and Doha in the Middle East. When working for a leading global security company in Germany, Stefan developed their hotel and tourism security segment. In this position, he conducted overt and covert security audits, provided security training and developed innovative security solutions.
Stefan now consults to hotels to implement innovative and affordable strategies to raise their level of security to meet growing global demands.
