The Mumbai attacks exposed vulnerabilities in hotel security. Experts reveal what these are—and what must be done to fix them

The November 2008 Mumbai attacks could bring changes to international hotel security just as sweeping as those September 11 brought to aviation. By the time the 60-hour rampage that targeted three of the city's top hotels had ended, security experts, law enforcement, and hoteliers worldwide knew that they were facing a new reality.

The threat of terrorism at luxury hotels has long been recognized: In 2001, the U.S. Department of Homeland Security identified hotels as soft targets, and since then fatal attacks have occurred at a dozen properties around the globe. To be sure, the two other incidents in 2008—at the Marriott Hotel in Islamabad and the Serena in Kabul—were in high-threat countries not frequented by tourists. But several earlier attacks took place in destinations popular with both business and leisure travelers: Netanya, Israel (2002); Jakarta (2003); and Sharm-el-Sheikh, Egypt, and Amman, Jordan (2005). Yet the Mumbai violence, in which 171 perished, sounded the loudest alarm, say hotel security professionals.

"We've been monitoring attacks on our industry [in the Middle East and Asia]," says Jimmy Chin, chairman of the security committee for the Hotel Association of New York City. "These had high death tolls. The [terrorists] are honing their skills." Chin, who is also the executive director of risk management for the New York Palace Hotel, says the Mumbai violence struck close to home. "Mumbai is a financial capital; New York is a financial capital. Mumbai has a high population; New York has a high population. Mumbai has luxury hotels; New York has luxury hotels."

Although no U.S. hotels have been attacked to date, industry insiders are increasingly concerned about their vulnerability. "Major European capitals and American cities are a couple of places we're worried about," says Robert Grenier, a 27-year veteran of the CIA who is chairman of global security consulting at the corporate security firm Kroll. "Mumbai is going to force five-star hotels in high-threat capitals to focus on security—at least in the short term."

The Challenges of Hotel Security
As quasi-public spaces where people come and go freely, hotels by their nature are difficult to fully secure. "They are not nuclear power plants, prisons, or airports," says Thom Davis, president of the security company Hospitality Risk Controls, who is also on the Department of Homeland Security's lodgings committee. "They have some obligation to provide reasonable security measures, but there is only so much they can do." In fact, hotel safety and security efforts can vary wildly, even within one brand. And hotels are not subject to international—or in this country, federal—safety standards beyond basic fire and municipal codes. Matters of hiring security guards and training staff are mostly left up to hotel management. Experts say it's impossible to institute a national standard. "What applies in Manhattan may not apply at a hotel in Dublin, Ohio," says Davis.