Limit who has permission to export reports
As one of the individual permissions, add an option to restrict exporting reports. With the current phishing attempts it is very important to limit who can export reservation reports.
-
CYPRIEN cbocher
commented
This creates real operational problems because, for example, in order for a housekeeper to create a housekeeping task on a reservation, we have to grant the “create and manage reservations” permission. However, this permission includes access to guest details (first name, last name, phone number, credit card, etc.). Some guest data is sensitive (such as payment information), and housekeeping or maintenance staff should not have access to certain data.
-
Cyprien BOCHER
commented
I’d like to raise a potential security issue in Mews. In the user role settings, there is currently no option to prevent the download of client reports while still allowing access to guest contact details within individual reservations. While it is possible to restrict access to "sensitive reports" such as financial or management reports, the most sensitive report is arguably the client database, as this is what hackers typically target and download to launch phishing or cyberattacks.
A receptionist should not be able to export the entire client database to Excel, especially considering that many hotels rely on temporary staff (extras) who may only work a few hours. These temporary workers could easily download the report and sell it on the dark web, or unknowingly fall victim to phishing emails disguised as Mews communication.
This presents a significant risk for hoteliers, even when using two-factor authentication and endpoint protection (EDR).
It’s also important to point out that if we remove the “Access to clients” permission, receptionists can no longer view any client contact information at all — which is not practical for day-to-day operations.
In my view, reception staff should be able to view client contact details in Mews, but should not have permission to export reports that contain client data.
This kind of access control would greatly improve data security and better align with data protection regulations such as GDPR.
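To show what the requested separation looks like in practice, here is an added example (illustrative code, not Mews's own) of a role model in which viewing guest contact details, viewing payment data and bulk-exporting the client database are three independent permissions. The role names, permission names and guest records are assumptions constructed for the example; every export attempt is written to an audit list so that refused attempts by low-privilege accounts remain visible.

```python
import csv
import io
from datetime import datetime, timezone
from enum import Enum, auto


class Perm(Enum):
    VIEW_RESERVATION = auto()      # open a reservation and see guest contact details
    MANAGE_RESERVATION = auto()    # create/update reservations and housekeeping tasks
    VIEW_PAYMENT_DETAILS = auto()  # see card data attached to a reservation
    EXPORT_CLIENT_REPORT = auto()  # bulk-export the client database


# Assumed roles for the illustration; only "manager" may export.
ROLES = {
    "housekeeping": {Perm.VIEW_RESERVATION, Perm.MANAGE_RESERVATION},
    "receptionist": {Perm.VIEW_RESERVATION, Perm.MANAGE_RESERVATION,
                     Perm.VIEW_PAYMENT_DETAILS},
    "manager": {Perm.VIEW_RESERVATION, Perm.MANAGE_RESERVATION,
                Perm.VIEW_PAYMENT_DETAILS, Perm.EXPORT_CLIENT_REPORT},
}

PAYMENT_FIELDS = {"card_last4", "card_token"}

# Every export attempt, allowed or not, is recorded here so that denied
# attempts by low-privilege accounts are visible to whoever reviews the log.
AUDIT_LOG = []


def has_perm(role, perm):
    return perm in ROLES.get(role, set())


def view_reservation(role, reservation):
    """Return the reservation with payment fields stripped unless the role may see them."""
    if not has_perm(role, Perm.VIEW_RESERVATION):
        raise PermissionError(f"{role} may not view reservations")
    show_payment = has_perm(role, Perm.VIEW_PAYMENT_DETAILS)
    return {k: v for k, v in reservation.items()
            if show_payment or k not in PAYMENT_FIELDS}


def export_client_report(role, user, clients):
    """Bulk export as CSV; needs EXPORT_CLIENT_REPORT regardless of view rights."""
    allowed = has_perm(role, Perm.EXPORT_CLIENT_REPORT)
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "role": role,
        "action": "export_client_report", "rows": len(clients), "allowed": allowed,
    })
    if not allowed:
        raise PermissionError(f"{role} may view guests but not export the client database")
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["first_name", "last_name", "phone", "email"])
    writer.writeheader()
    for c in clients:
        writer.writerow({k: c.get(k, "") for k in writer.fieldnames})
    return buf.getvalue()


def denied_exports():
    """Audit entries for export attempts that were refused."""
    return [e for e in AUDIT_LOG if not e["allowed"]]


# Constructed sample data (placeholder values, not real guests).
SAMPLE_RESERVATION = {
    "id": "R-0001", "first_name": "Ada", "last_name": "Example",
    "phone": "+000000000", "email": "ada@example.invalid",
    "card_last4": "0000", "card_token": "tok_placeholder",
}
SAMPLE_CLIENTS = [
    {"first_name": "Ada", "last_name": "Example", "phone": "+000000000", "email": "ada@example.invalid"},
    {"first_name": "Bob", "last_name": "Sample", "phone": "+000000001", "email": "bob@example.invalid"},
]


if __name__ == "__main__":
    # Housekeeping sees contact details but no card data.
    print(view_reservation("housekeeping", SAMPLE_RESERVATION))
    # A receptionist can open reservations yet cannot dump the whole client list.
    try:
        export_client_report("receptionist", "temp-staff-1", SAMPLE_CLIENTS)
    except PermissionError as e:
        print("denied:", e)
    print(export_client_report("manager", "gm", SAMPLE_CLIENTS))
    print(denied_exports())
```

The point of the design is that `VIEW_RESERVATION` and `EXPORT_CLIENT_REPORT` are checked independently: a receptionist or temporary worker keeps day-to-day access to individual guests, while the bulk export that a phishing campaign would be after requires a separate grant, and every refused attempt leaves an audit entry.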
-
Robbert Van Rijsbergen
commented
Great idea, and critical to protect our guest data from phishing.
-
NaN
commented
Yes please!