Hotel chain’s digital security strategy provides 130,000 rooms with peace of mind

APA Group, one of Japan’s largest hotel chains, with 981 hotels and more than 130,000 rooms in Japan and abroad, is focused on digital transformation. The APA App, a mobile application for hotel guests, is particularly popular.

The APA App features contactless procedures for reservation, check-in, and checkout. The “One-Step Reservation” feature makes it easy for travelers to reserve rooms at their favorite hotels. Secondly, the “One-Second Check-in” feature allows users to instantly check in by holding the QR code from the APA App over the scanner at the front desk. Lastly, ”One-Second Check-out” enable guests to finish checkout procedure by dropping their room key into the box (EXPRESS CHECKOUT POST). This series of stress-free systems, called APA Triple-One, has been extremely well received, with approximately 80% of guests using it.

The APA Stay Here app also allows guests to make requests to the front desk, and is equipped with an AI-powered concierge chatbot, instead of asking front agents or visiting the front desk.

In the early days, the hotel industry’s apps were simply rehashed versions of web reservation sites. “Though we are a latecomer to the market, we designed our app with a strong focus on customer convenience, assuming smartphone use from the start, and it has been very well received. Guests can now handle everything through the app, from accessing services during their stay to managing reward points after checkout,” said Kiyoshi Hamamoto, Executive Officer, APA Resort Co., Ltd., and Director of IT, APA Group Co., Ltd.

In addition to enhancing guest experience, APA Hotels uses mobile apps to streamline hotel operations such as housekeeping and front desk services. Conventional operations that relied on paper, such as tracking room status, managing lost-and-found items, and bookkeeping, have been converted to apps and linked to the back-end system via an API. This shift from analog to digital has significantly increased operational efficiency.

In the hotel industry, which welcomes a diverse range of guests from all over the world, securing IT services is one of the most significant issues. As cyberattacks become more sophisticated and intense by the day, protecting personal information is increasingly important. APA Group has been working to strengthen its security measures accordingly, for example, by using Akamai’s services to thwart DDoS attacks.

However, APA Hotels’ successful digitization of processes via apps exposed a new attack surface: APIs that are used to enable applications and intercompany collaboration. In recent years, hotel operations have become more diversified and decentralized, relying on a growing number of systems and third-party services. As a result, APIs have become more numerous and more critical — forming a key part of a hotel’s infrastructure. At the same time, cyberattacks targeting APIs are on the rise, making it necessary to implement proper security measures.

While APA Hotels collected logs of API communications, the sheer volume made them difficult to analyze, so it was impossible to detect signs of an attack manually. Although security organizations have traditionally strengthened their systems, the demands on individuals continue to increase. Hamamoto and his team wanted to not only protect guests, but also the hotel employees — who bore the brunt of any incidents — by significantly strengthening API security.

“Visualizing API activity was key,” Hamamoto said. “We needed more than easier-to-read logs — we needed a view shaped by security experts familiar with API communications. If we can clearly identify where to focus, it will be easier to collaborate with the vendors developing our apps and APIs.”

With future growth in services and APIs in mind, Hamamoto selected Akamai API Security for specialized API protection.

APA Group has long relied on Akamai’s security solutions, including WAF and DDoS protection, and has consistently valued the reliability of both the technology and support. The deciding factor for API Security was its ability not only to visualize and analyze logs, but also to work seamlessly with existing security services to block attacks and strengthen overall security measures.

“One of the things I appreciate most about Akamai is its support. Security can be complex, and it’s rare to find experts who truly understand the details. However, Akamai fills those gaps for us, and plays a strategic role in helping us resolve attacks quickly. The API Security workshop in particular was valuable for us — it gave us insight into the attacker’s perspective. As a result, more of our team has taken an interest in security, which is a big benefit,” explained Hamamoto.

One of the biggest benefits of implementing API Security is that users can now see signs that previously went unnoticed. For example, “404” is often ignored as a common error in web services. With API Security, APA Group can visualize the underlying causes of a 404 error and detect signs of an attack.

API Security is often compared to standard vulnerability assessment services provided by vendors. However, when the results show “no problem found” or that the penetration test failed, it can feel inconclusive. One of the major advantages of API Security is its ability to visualize activity in a way that allows security teams to confirm whether critical areas were properly examined and if any risks were identified. It also solved the challenge of tracking large volumes of log data. “Many technologies and products visualize logs, but few show us what really matters,” noted Hamamoto.

“Seeing the API Security dashboard made me realize how much information is exchanged through APIs. It is easy to overlook APIs, but now we clearly understand the importance of protecting them. API security can be complex, but the Akamai solution interface is easy to understand, lowering the hurdle,” said Hamamoto.

The concept of Zero Trust architecture is also important to ensure API security. Private APIs for connecting with partner systems, such as travel agencies, may seem secure. However, once inside the partner’s network, they can be exploited as entry points for attacks. “An attack can come from anywhere and happen instantly. That’s why it is essential to have a system that allows us to immediately visualize any attack and protect our valuable information assets, business, and guests,” said Hamamoto.

APA Group will continue to enhance its hotel services by further improving the APA App and APA Stay Here. “Security remains a top priority, and we are committed to ongoing improvements beyond API protection so guests can use our services with confidence. We look forward to Akamai’s continued support in identifying cyberattack trends and providing timely solutions and advice,” Hamamoto concluded.

Founded in 1971 in Ishikawa Prefecture, APA Group began its business by building custom homes. Through the sale of detached houses and the development of condominiums, the company has evolved into a diversified business entity that includes hotel management and urban development. It is one of the largest hotel chains in Japan, with 138,054 rooms including plans in the pipeline, and is actively promoting overseas expansion, especially in North America. The company is a leader in the hotel industry with its unique mobile apps and check-in system.