Your Ex-Employee Still Has Access to Your Booking.com; That's Just the Beginning
The hidden infrastructure running your hotel outside IT governance
Former Multi-Property IT Director & EMEA Security Leader, Marriott International
Right now, your former revenue manager could log into your hotel's Booking.com account and change your rates. Your ex-marketing coordinator could alter your Google Business listing, post to your social media, or change your hotel's description online. That terminated front desk supervisor? They might still have access to your guest messaging system, payment gateway, or even your internet service provider account.
Most terminated employees don't intentionally cause harm - they simply retain access because nobody thinks to revoke it. But the potential for disruption is significant: rates could be accidentally modified, bookings redirected, online reputation damaged, or critical services interrupted.
Even well-intentioned former employees represent ongoing operational exposure. The scope of this vulnerability extends far beyond what most hotel executives realize.
While your IT team carefully revokes PMS access and disables corporate email, dozens of external systems remain completely open. These aren't obscure technical platforms - they're the portals that control your daily operations, revenue streams, and guest-facing presence.
Why This Happens (And Why It's Universal)
Through a decade of industry experience and extensive security assessments, I've found this isn't a hotel-specific problem - it's how modern business operates. Recent studies show that 61% of organizations fail to remove terminated employee access from their systems.
At one organization:
- 12 former employees retained network access for up to six months after termination
- Three accounts had privileged access to critical systems
- Two accounts were actually used after the employees left
Hotels face this challenge because business moves faster than IT processes. When your revenue manager needs immediate Expedia access, they don't submit an IT ticket and wait three weeks. They use their personal email, create the account, and start managing rates.
When marketing needs social media management tools, they sign up with a corporate card and begin posting. This agility drives business forward, but creates an unmanaged infrastructure that persists long after employees depart.
Your IT team can't secure what they don't know exists. Your auditors can't assess what isn't documented. Your executives can't govern what nobody officially owns.
The Hidden Infrastructure Running Your Hotel
Right now, your property depends on 5-12 external portals that fall completely outside traditional IT governance:
Revenue Management Systems
- OTA extranets (Booking.com, Expedia, Agoda - each with separate logins)
- Channel managers and distribution platforms
- Rate shopping and revenue optimization tools
- Commission reconciliation portals
- Payment gateway management consoles
Marketing & Reputation Platforms
- Google My Business (controlling your search visibility)
- Social media management platforms
- Review response and reputation management systems
- Email marketing and automation tools
- Loyalty program management interfaces
Operational Services
- Internet service provider portals
- Utility company accounts and billing systems
- Vendor and contractor management platforms
- Maintenance request and work order systems
- Guest messaging and communication services
Financial & Compliance Systems
- Banking and merchant services portals
- Tax filing and compliance systems
- Payroll and HR service providers
- Insurance claim and policy management platforms
- Corporate credit card and expense management
Each represents a door into your operation. None appear on your standard IT audit.
The Five Questions That Reveal Your Exposure
Take this quick assessment:
1. "Can you produce a complete list of every external portal your hotel uses?"
If the answer involves checking with multiple departments, you have potential exposure.
2. "Who has administrative access to each portal?"
If you can't answer immediately, terminated employees likely still have access.
3. "Which portals use corporate email domains versus personal emails?"
Personal emails often mean persistent access unless actively revoked.
4. "When was the last time someone verified active users on each portal?"
If never, the risk of accumulated unauthorized access grows exponentially.
5. "If your revenue manager quit tomorrow, which systems would be affected?"
The length of your pause reveals the scale of potential disruption.
If you paused on any of these questions, you're facing the same blind spots that many hotels had to discover the hard way.
The Long-Term Solution
Leading properties are implementing comprehensive Portal Access Management (PAM) programs:
Centralized Documentation
A living inventory of every external system, updated monthly and accessible to management and auditors - not buried in IT files.
Federated Access Review
Quarterly certification where each department head verifies their portal users. IT facilitates this process but doesn't own it - the business does.
Integration Where Possible
Modern vendors support SAML/SSO integration. Every portal you bring under corporate authentication eliminates a shadow system.
Vendor Management Requirements
New contracts should mandate SSO support or enterprise authentication. "Personal email only" is no longer an acceptable answer from vendors.
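As an added illustration (not code from the author or any vendor), the inventory and quarterly review described above can be run as a simple cross-check of each portal's user list against the HR roster. The portal records, employee IDs, the `hotel.example` domain and the 92-day threshold are all constructed assumptions.

```python
from datetime import date

CORPORATE_DOMAIN = "hotel.example"   # assumption: constructed corporate mail domain
REVIEW_MAX_AGE_DAYS = 92             # about one quarter, matching the quarterly certification

# Constructed sample inventory: one record per external portal.
INVENTORY = [
    {"portal": "Booking.com extranet", "owner": "Revenue", "last_review": date(2025, 1, 10),
     "users": [{"login": "a.silva@hotel.example", "employee": "E1001", "admin": True},
               {"login": "old.revmgr@mail.example", "employee": "E0907", "admin": True}]},
    {"portal": "Google Business listing", "owner": "Marketing", "last_review": None,
     "users": [{"login": "m.keller@hotel.example", "employee": "E1044", "admin": False}]},
    {"portal": "ISP account", "owner": "Engineering", "last_review": date(2025, 5, 2),
     "users": [{"login": "frontdesk.sup@hotel.example", "employee": "E0850", "admin": False}]},
]

# Constructed HR roster: employee id -> employment status.
HR_STATUS = {"E1001": "active", "E1044": "active", "E0907": "terminated"}


def review(inventory, hr_status, today):
    """Return (portal, login, finding) tuples for a department head to certify or revoke."""
    findings = []
    for entry in inventory:
        last = entry["last_review"]
        if last is None or (today - last).days > REVIEW_MAX_AGE_DAYS:
            findings.append((entry["portal"], "-", "REVIEW_OVERDUE"))
        for user in entry["users"]:
            # Anyone missing from the HR roster is treated as unverified, not as active.
            status = hr_status.get(user["employee"], "unknown")
            if status != "active":
                kind = "ADMIN" if user["admin"] else "USER"
                findings.append((entry["portal"], user["login"], f"{kind}_{status.upper()}"))
            domain = user["login"].rsplit("@", 1)[-1].lower()
            if domain != CORPORATE_DOMAIN:
                findings.append((entry["portal"], user["login"], "NON_CORPORATE_EMAIL"))
    return findings


if __name__ == "__main__":
    for portal, login, finding in review(INVENTORY, HR_STATUS, date(2025, 6, 1)):
        print(f"{finding:22} {portal:26} {login}")
```

In practice the user lists would come from each portal's own user-management export, and each finding goes to the owning department head rather than to IT alone.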
The Uncomfortable Truth
You've invested heavily in sophisticated security around your core systems while leaving revenue and reputation exposed through ungoverned portals. Your next security audit will miss these critical vulnerabilities unless you take action.
The question isn't whether former employees might retain access to your critical portals - it's how many currently do, and what they could potentially impact.
Audit Your Portal Access Today
Get a complimentary Portal Access Management assessment that reveals which former employees still have access to your critical systems. I'll help you identify every external portal your hotel depends on and show you exactly who has access to what.
Schedule Your Portal Access Audit
Daniel secured 450+ hotels across Europe, Middle East & Africa as Marriott's Multi-Property IT Director and Continental Security Leader, managing high-stakes events like Euro 2024 and Paris Olympics. Beyond opening 7 hotels from scratch, he specializes in identifying security blind spots in hotel operations that traditional IT audits miss. His systematic approach to Portal Access Management has helped properties eliminate unauthorized access while maintaining operational agility.