On November 26, 2008, terrorists launched a series of coordinated attacks in Mumbai, India. Among the targets were two high-profile hotels: the Taj Mahal Palace and Tower and the Oberoi Trident complex, which is part of The Oberoi Group. Reports indicated that more than 50 people were either trapped in or directly held hostage at the Taj Mahal and about 40 were at the Oberoi. Ultimately, at all of the targets combined, about 300 people were wounded and an estimated 170 died.
The terrorists, whom the Indian government has since said were linked to Lashkar-e-Tayyaba, a jihadist organization that aims to create an Islamic South Asian state, reportedly took cocaine, LSD, and steroids to sustain themselves over the multiple-day siege. They had cell phones and other technology to help them navigate and communicate. They had also clearly surveilled the properties ahead of time.
In addition to the official responders—local police plus national commando and other law enforcement forces—there were heroes at both hotels who risked their lives to help guests and staff members evacuate and find safety. However, there were also major problems. “What you saw in Mumbai was that the reaction plan, if you will, the crisis management plan, was not so fine tuned. I mean, I don’t think hotel staff knew exactly how to react,” says Todd Brown, executive director of the U.S. State Department’s Overseas Security Advisory Council (OSAC).
OSAC has set up a hotel sector group to exchange information from attacks and develop best practices for improving hotel security and crisis planning. The following lessons learned relate to Mumbai and earlier attacks and are drawn from OSAC and other hotel industry experts and resources.
The terrorists apparently built their wealth of knowledge of the hotel floor plans and security setups from pre-operational surveillance and open-source data, such as the use of commercial imagery providers, according to congressional testimony by Charles E. Allen, undersecretary for intelligence and analysis at the U.S. Department of Homeland Security.
To deter and detect this type of attack planning, hotels must be on the lookout for anyone surveilling their properties. The entire staff has a role to play in the surveillance-awareness program. For example, housekeeping staff should be trained to notice anything out of the ordinary in guest rooms, such as the presence of weapons or drugs.
“You just can’t depend on the security personnel, because they’re limited in number,” says Elinor Garely, a travel writer and business management professor at the City University of New York.
“So every person has to be trained to have the watchful eye, to know what to look for in guests. And the people that are not guests,” she says.
Brown agrees. “You have to have training throughout the entire staff of the hotel. They have to challenge people. And they can do that in a nice way. But they should be asking for room keys for where you are staying, all those types of things. And I think in the past, many were sort of lax in doing that. That is changing.”
There are various types of behavior that hotel staff and security officers must be trained to look for. These range from spotting people who are obviously out of place, such as an individual wearing a long or heavy coat in hot weather, to the less conspicuous, such as when a person is taking unusual pictures of hotel exits or security cameras.
Staffers should “be trained in spotting individuals who may raise flags in terms of doing advanced recon,” says Magnus Ranstorp, terrorism expert with the Swedish National Defense College. He suggests that someone be posted in the lobby to observe individuals and decipher whether they look suspicious. He acknowledges, however, that this surveillance can take a lot of staff time.
Many hotels are addressing this issue cost effectively by positioning in the lobby a greeter who makes eye contact with people entering the hotel and asks them where they are headed. “That person has a chance to eyeball that individual,” says Garely. If suspicions are raised, depending on the level of concern, the greeter can have the person escorted so that he or she is not roaming freely, or the greeter can discreetly call security.
Since 9-11, many Las Vegas hotels have stepped up their visible exterior checkpoints and controls. Vehicles are often stopped and the driver is questioned before they are permitted into the parking garages, says Steven T. Baker, CPP, PCI, PSP, a security consultant at VTI Associates. This approach of asking where people are headed and perhaps even pointing out more convenient routes or garages can be thought of as customer service as well as security, says Baker.
“That’s giving them time to look at the people, see who they are, check their mannerisms,” he says, adding that the casual questioning has been useful in decreasing normative crime, such as car thefts, because it encourages thieves to look elsewhere where they will not be questioned.
Additionally, reception desk workers should have an eye out for suspicious behavior from guests checking in. The hope is that this vigilance will thwart attempts at surveillance and deter attackers, who will prefer a softer target where they can anonymously assess the site.
Hotels must also ensure that employee exits and other less visible entryways are access controlled and patrolled to discourage anyone from trying to conduct reconnaissance in those areas. In this regard, randomness is important. Security patrols and functions of other hotel staff must not be predictable, because this allows attackers to study and counter them more easily. A lack of variability was an issue in Mumbai, where the attackers were able to ascertain security routines of hotel personnel, according to Allen’s testimony.