Marriott Data Breach FAQ: What Really Happened?
By Jordan Hollander
Last updated February 16, 2023
A data breach is every hotel’s worst nightmare, especially when personal data and guest information is leaked. Prior to COVID-19, hoteliers viewed cybersecurity and data protection as one of the biggest threats to the industry. The hospitality industry is constantly under threat; numerous high-profile malware attacks on hotels have led to hundreds of millions of guests’ data being compromised and millions of dollars in damage.
Case in point: Marriott. The hotel chain was recently fined around $23.8 million in penalties as a result of a data breach that occurred in 2014. And the financial burden is just the start of Marriott’s woes. The attack compromised the credit card details, passport numbers, and birthdates of more than 300 million guests stored in the brand’s global guest reservation database. It’s one of the largest data breaches ever.
While insurance will cover much of Marriott’s financial repercussions, its brand reputation will suffer well into the future. Here’s how the Marriott data breach happened – and how to prevent something like this from happening to your hotel.
Background: Marriott Data Breach 2014
The breach took place sometime in 2014, but it wasn’t discovered until 2018, when an internal security tool caught a suspicious attempt to access the internal guest reservation database for Marriott’s Starwood brands. Starwood Hotels was acquired by Marriott in 2016, adding 11 new brands to Marriott International’s original 19.
The internal security alert prompted an investigation which discovered that the Starwood network had been compromised in 2014, before the acquisition. Starwood had still not been migrated to Marriott’s reservation system by 2018; Starwood brands were still using legacy IT infrastructure, which contributed to the scope and scale of the data breach.
In their internal investigation, Marriott found that hackers had encrypted data and removed it from the Starwood system. That data included information from up to 500 million guest records, although some of those records were duplicates. When they announced the breach, Marriott said that the hackers stole guest information that included “a name, mailing address, phone number, email address, passport number, Starwood Preferred Guest ("SPG") account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.” For some of these guests, payment card data was also stolen, but Marriott did not say for how many.
How Did the Marriott Data Breach Happen?
The actual specifics of the attack get pretty technical, but there were some business and cultural practices at Starwood that underpin how easy it was for a bad actor to access that many guest records.
CrowdStrike cybersecurity expert Ryan Cornateanu told Hotel Tech Report, “The attack on Marriott was hapless and a popular entry point for adversaries is through email spoofing. This tactic is used in phishing in order to get malware onto a target network to then move laterally across all systems. From there hackers can leverage account numbers, driver's license numbers and other sensitive information from loyalty programs and reservations systems. The general data protection regulation has gone a long way to protect consumers but there's only so much that can be done when a hacker is able to secure login credentials or access servers directly.”
Starwood was notorious for having an insecure reservation system; a separate attack in 2015 compromised data and wasn’t detected for eight months. Marriott then compounded the issue by laying off Starwood’s IT staff during the acquisition in 2016. The lack of personnel prevented Marriott from quickly integrating the newly added hotel properties into its own in-house reservation system. Starwood’s already-insecure guest reservation system, therefore, “limped on, zombie-like, infected with malware, breached by hackers, and without much by way of continuity of care, for another two years before the breach was finally discovered,” reports CSO Online.
As to the question of who hacked Marriott, that answer is even more complicated. Both the New York Times and the Washington Post reported that the attack was part of a state-sponsored intelligence-gathering effort on behalf of the Chinese government. Patterns in the code as well as the method of the attack echo techniques previously employed by Chinese hackers, and none of the guest records ended up for sale on the dark web – a clue that this wasn’t a hack for profit.
The Repercussions for Marriott
Financially, Marriott faced significant penalties as a result of this data breach. Multiple class-action lawsuits were filed against the brand targeting Marriott’s failure to perform its due diligence on Starwood’s IT systems. In addition to the lawsuits, Marriott agreed to pay for passport replacements for customers who were victims of the data breach.
Separately, the United Kingdom’s Information Commissioner’s Office (ICO), a consumer rights watchdog, fined Marriott $23.8 million (down from the original penalty of $123 million) for failing to meet the security standards required by GDPR. The ICO argued that Marriott failed to "put appropriate technical or organizational measures in place" when processing data, though it also acknowledged that Marriott has since taken the proper measures to improve security. Notably, the original fine of $123 million would have been one of the largest penalties issued under GDPR, representing around 3% of Marriott’s total revenue.
It’s true that financially, Marriott will likely survive this data breach. Customer satisfaction scores, however, dipped in 2019, bringing the brand even with Hilton and suggesting that the breach may cause more long-term harm to guest loyalty. Studies show that nearly a quarter of Americans will stop doing business with a company that has been hacked, while more than two in three people trust a company less after a data breach.
How to Avoid a Similar Data Breach
Ultimately, independents are far safer than brands because they hold less attractive loot for hackers. Less loot means less incentive. Further, independents often work with best-of-breed tech vendors rather than attempting to develop systems in-house. These vendors are venture-backed and take great measures to ensure data security. Hoteliers should look for software vendors who meet rigorous standards with regard to modern regulatory frameworks like SOC 2, GDPR, PSD2 and PCI compliance.
But still, even amongst independents, the hospitality industry is an attractive target for hackers. Hotels collect a huge amount of personally identifiable information, and often only outdated or few security protocols protect this valuable data. It’s not out of the question that your hotel could be the target of a cyberattack in the future; what is crucial is to avoid the mistake Marriott made in failing to find the breach for four years.
The first priority of any hotel’s IT team should be to encrypt guest data and set up alerts that immediately warn when there’s been a potential security breach. Legacy IT must be brought up to date; make sure the newest version of your software is installed on all devices. Security updates often contain patches and new fixes that evolve with the threat landscape. And have a plan to communicate with customers as soon as you sense there’s been a breach. The question shouldn’t be “if” there will be a cyberattack, but when.