When a Donegal hotel's property management system was encrypted by ransomware on a Saturday afternoon in October 2024, the timing could not have been worse. The hotel was running at 94% occupancy. Guests were arriving for check-in. Room assignments, guest preferences, pre-paid breakfasts, and the evening's restaurant reservations were all locked inside a system the team could no longer access. By the time the owner had confirmed it was ransomware and called his IT provider, three hours had passed and the queue at reception stretched to the door.
The following 72 hours cost the hotel an estimated €65,000 in direct losses, staff overtime, guest compensation, and emergency IT costs. Most of that could have been avoided — not by better security alone, but by having a tested response plan that the team knew how to execute before the crisis occurred.
Why PMS Outages Are an Existential Risk for Irish Hotels
The property management system is the operational nervous system of a hotel. It manages everything that makes a hotel function: reservations and room assignments, billing and payment processing, housekeeping schedules, restaurant bookings, and communication with online travel agencies. When it fails — whether through ransomware, hardware failure, cloud provider outage, or software corruption — everything that depends on it fails simultaneously.
For a Donegal hotel during peak season, a 72-hour PMS outage can produce losses that exceed the annual profit margin for a mid-sized property. The direct revenue loss from cancelled bookings, the cost of manually processing transactions, the guest compensation for disrupted stays, and the reputational damage from poor reviews posted in real time on TripAdvisor and Google — each element compounds the others. An Garda Síochána's Garda NCCB has reported that ransomware attacks against Irish hospitality businesses increased significantly in 2025, with the sector identified as a priority target because operational disruption creates immediate financial pressure to pay the ransom.[^1]
The NCSC Ireland advises Irish businesses never to pay ransoms — which is the right advice but requires having an alternative recovery path ready before the attack occurs. For hotels, that alternative path is a tested manual operations procedure and a verified backup that can restore the PMS to a recent state.[^2]
Does your hotel have a tested plan for operating without your PMS for 72 hours? Book a free 20-minute strategy call — we work with Donegal hospitality businesses to build practical business continuity plans that their teams can actually execute under pressure.
The First Hour: What to Do Immediately
The first hour after a PMS failure is the most critical for limiting damage. The operations manager or duty manager must confirm that the PMS is genuinely offline and not merely experiencing a temporary network issue, then take three immediate actions.
First, communicate to all staff on shift. Every member of the team needs to know within fifteen minutes that the PMS is offline and that manual procedures are in effect. Confusion multiplies in the absence of information. A brief, calm factual message — "our system is down, here is what we are doing" — is better than silence while the management team investigate.
Second, assess whether this is a ransomware attack or a technical failure. If you see encrypted files, a ransom demand on screen, or staff reporting that their files have been replaced with unreadable versions, stop using all systems immediately and do not attempt to open any unfamiliar files. Ransomware spreads through networks and the speed of isolation determines how much damage is contained. Contact An Garda Síochána if ransomware is confirmed — the Garda NCCB should be notified, and their involvement matters for your insurance claim and any subsequent recovery.[^3]
Third, switch to manual operations. Your hotel must continue to function. Guests who have booked stays cannot be turned away because a system is offline. Manual operations require paper forms, a physical room inventory, and a team that knows the procedure.
Hours One to 24: Manual Operations
Manual check-in requires three things: a paper form capturing the essential details the PMS would normally record, a room allocation sheet that tracks which rooms are occupied and which are available, and a procedure for accepting payment without the PMS billing module. Most hospitality payment terminals operate independently of the PMS and can process card payments even when the main system is offline. Confirm this with your payment provider before you need it.
Occupancy tracking in manual mode is not difficult, but it requires discipline. Assign one person the sole responsibility for maintaining the room allocation record, updated at every check-in and check-out. Post the current status on a whiteboard in the operations area. Housekeeping needs this information to know which rooms to turn around. Without a single, maintained source of truth, the operation fractures.
Guest communication determines whether the reputational impact is contained or catastrophic. Guests who receive a clear, honest explanation from calm staff respond very differently from guests who receive confusing messages. Designate one person to handle all guest communications about the outage. Do not allow different staff to give different explanations.
The Data Protection Commission requires that any breach of personal data resulting from a cyber incident is reported within 72 hours if the breach is likely to result in a risk to individuals' rights and freedoms. A ransomware attack that encrypts guest booking data, payment records, or CCTV footage qualifies. Do not wait until the recovery phase to assess whether notification is required.
Hours 24 to 72: Recovery and Restoration
The recovery phase begins once you have confirmed the cause of the outage and identified a recovery path. For ransomware incidents, recovery without paying the ransom requires restoring from a backup that predates the attack. This is only possible if your most recent backup is stored somewhere the ransomware could not reach — an offline drive, an isolated cloud backup with immutable storage, or a backup that was taken before the attack began.
Your PMS vendor should be your primary technical contact throughout recovery. Share the technical details with them as early as possible — what error messages appeared, when the last known-good state was, what systems are affected — so they can prepare the correct recovery procedure.
Before restoring from backup, test the restoration procedure on a separate environment if possible. A backup that appears valid but cannot actually be restored is not a backup. The moment of a live incident is not the time to discover this.
When the PMS is restored, reconcile all manual transactions from the outage period before returning to normal operations. Every check-in, payment, and guest interaction recorded on paper needs to be entered into the restored system and verified for accuracy. Assign this task to a specific individual — the operational debt from manual operation accumulates faster than most managers expect.
What Next: Three Actions Before the Next Incident
First, test your backup and recovery procedure this quarter. Ask your IT provider or PMS vendor to demonstrate a full system restoration from your most recent backup on a test environment. Document the result: what was restored, how long it took, and what data was missing. If you cannot get this demonstration, your backup strategy requires immediate review.
Second, create a manual operations pack and train your front office team on it before the summer season. The pack should include paper check-in forms, a blank room allocation sheet, payment terminal instructions, and the names and numbers of who to call when specific systems fail. Laminate the key elements. Keep a copy in a location that does not depend on the systems being online to access.
Third, report any ransomware attack immediately to An Garda Síochána and to NCSC Ireland. Do not pay the ransom without consulting both agencies. Paying does not guarantee recovery, removes the incentive for authorities to pursue the attackers, and may create complications with your cyber insurance claim. The Garda NCCB and NCSC Ireland have resources to support Irish businesses through ransomware incidents and should be engaged from the earliest stages.
[^1]: An Garda Síochána — Cybercrime [^2]: NCSC Ireland — Advice for Organisations [^3]: Data Protection Commission Ireland
Related Reading
- Cyber Insurance for Donegal Hospitality
- Your Booking System Is Your Biggest Attack Surface
- NIS2 Compliance for Donegal Hospitality
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.