
Cybersecurity probably isn’t high on your list of passions. But for any hotelier, it should be.
In the latest episode of Matt Talks, Mews CEO Matt Welle sat down with Josh Edwards from Penta Hotels to discuss one of the most overlooked, high-impact areas in hospitality operations: keeping your systems – and your guests’ data – safe.
For Penta, it took a full-scale ransomware attack in 2021 to realize just how vulnerable hotels can be. What followed was a total transformation of their approach to security. Their story is a cautionary tale – but also a roadmap.
The Day Everything Went Dark
October 7, 2021, was supposed to be one of the best days of Josh’s life: the birth of his son. But while he was in the hospital, cradling his new child, he got the call every IT manager dreads. Penta’s systems had been hacked. Everything was down. Phones started ringing. Hardware had to be destroyed. Doors had to close.
The culprit? A single compromised login gave hackers access to their entire on-premises infrastructure, which was connected via an outdated MPLS network. From there, attackers moved freely, disabling antivirus software and deploying ransomware across multiple countries and properties.
It was chaos.
Rebuilding with Security at the Core
Penta’s response was swift and thorough. They didn’t just patch the holes; they rebuilt their entire IT framework.
With a new external partner and a shift in team focus from general IT to digital security expertise, Penta established a security model based on six key pillars: protect, prevent, detect, respond, recover and review. Each one is backed by detailed processes and controls that now govern their entire tech ecosystem.
Making Security Practical
What does that look like in action? Here are a few examples:
- IP restrictions: If an employee based in Germany tries to log in from Canada, they’ll be blocked until their location is verified.
- Real-time monitoring: A third-party security provider tracks every user and device across the network, shutting down threats instantly – sometimes multiple times a day.
- Phishing simulations: Penta regularly tests employees with fake phishing emails to improve awareness and reduce risky clicks.
- Passkey authentication: Password managers and biometric logins have replaced post-it notes and reused passwords.
And yes, it’s a culture shift. Security measures like two-factor authentication often feel inconvenient to frontline staff. But, as Josh puts it: if you saw behind the doors what we’re doing and why we’re doing it, you’d understand the need.
Learning Without the Crisis
Not every hotel has a wake-up call as dramatic as Penta’s. But Josh believes every team should imagine what would happen if they lost access to all their systems tomorrow.
How would you check in guests? Who would you call? What reports would you need? If the answer is, ‘We don’t know,’ then you’ve got a problem.
Cybersecurity planning doesn’t have to be dry or theoretical. It can start with role play: three hours until total system shutdown – what do you do?
Cloud vs On-Prem: The Debate Is Over
One of the biggest changes Penta made was moving away from on-premises systems. With physical servers, hotels take on the full burden of maintenance, compliance and protection. Cloud-based systems, by contrast, come with security baked in, backed by providers like Microsoft Azure with world-class defenses.
Even today, some hold onto the false belief that knowing where their server is – in a back room or a basement somewhere onsite – provides some measure of reassurance. But the reality is, if you know it’s there, criminals and bad actors will know it too. In today’s climate, that’s not peace of mind – it’s a risk.
What’s Next for Secure Hospitality?
Security doesn’t end with strong passwords and firewalls. At Penta, the focus is now on scaling biometric access, implementing single sign-on (SSO), and continuing to reduce the number of systems employees have to log into.
And leadership buy-in is essential. For Penta, it came from the top down. Both the head of digital and senior executives made cybersecurity a non-negotiable. Cost was never the excuse. “You can’t put a price on protecting guest data,” as Josh says.
A Wake-Up Call for the Industry
Cyberattacks against hotels are rising, from phishing emails to spoofed login pages that harvest credentials. And the reality is simple: you’re only as strong as your weakest link.
Josh’s story is a reminder that cybersecurity isn’t just an IT problem. It’s an operational priority. It affects every guest, every team member, every property.
And it’s time the industry treated it that way.
To boost your property’s cybersecurity, follow these 10 ways to protect your hotel from phishing attempts.