How was Marriott Hacked? Here’s Why it Happened & How to Make Sure Your Hotel Isn't Next

By Jordan Hollander

Last updated January 26, 2022


Last year it was announced that Marriott had 500 million guest records hacked.

For a hotel brand operator, owner or manager, knowing that Marriott got hacked isn’t really all that helpful. Further, the subject has been beaten to a proverbial pulp, so rest assured we’re not here to repeat what has been said a thousand times.

We're going to tell you why it happened and what you can do to mitigate hacking risk at your hotel business by implementing the right tech stack and integrations.

The easiest way to avoid this kind of issue is to stay independent, but independence is not a silver bullet. In a nutshell, independents are not as likely to attract hackers because these exploits are rarely profitable enough to justify the risk.

Similarly, brands like Marriott often mandate that franchisees use specific technology vendors, which means that as a hotel owner you have less control over who handles your guest data. Many Marriott hotels are still using server-based property management systems that were installed in the 80s and 90s.

We asked cyber security expert Ryan Cornateanu to weigh in on the Marriott hack. Mr. Cornateanu is a security engineer with unicorn cyber security firm CrowdStrike and creator of Instagram’s largest hacker community, @hackersclub.


“The attack on Marriott was hapless and still has many gaps to fill on what actually happened. A popular entry point for adversaries is through email spoofing. This tactic is used in phishing in order to get malware onto a target network to then move laterally across all systems.”


The first step in mitigating cyber security risk is working with best-in-class providers. Make sure that you are using a top-rated cloud PMS. If your brand doesn’t allow it, you should be demanding that they add top-rated providers to their certified vendor list.



Security expert Cornateanu also commented, “unfortunately, this was not the first major breach, and will not be the last. We need to start thinking harder about how we secure our infrastructures, along with training our present and future employees on how we can make ourselves less vulnerable to attacks. Breaches like these are gaining a ton of popularity in the blackhat world, that more groups will attempt hacks like these in the near future knowing the damage it could cause.”

Because Marriott’s technical infrastructure is centralized, finding a single vulnerability in the system can open the door to a massive breach like the one we saw.

Red Lion Hotel Corporation CIO John Edwards outlines the antifragile approach that Marriott must adopt in order to successfully serve owners and guests in the digital world:


“At RLH Corporation, we give our owners freedom in the way they run their hotels and that includes giving them a choice in the vendors and technology solutions that they choose to implement.”


One key problem with hotel cyber security is that there are lots of vulnerabilities across the tech stack which get escalated through incomplete integrations. Guests book online via a Booking Engine, which feeds reservation data into a hotel’s Central Reservations System (CRS). The CRS then accounts for that information in the Property Management System (PMS), which then feeds data to other systems such as the CRM, Business Intelligence Software and even Revenue Management Systems. This means that guest data is potentially vulnerable in each of those systems.

Encrypting data and distributing critical components is essential, but hoteliers should outsource their data security needs to trusted and proven partners.

HAPI is one of those partners. HAPI founder Luis Segredo and his partner Nikolai Balba are no strangers to the hotel technology world. After decades of entrepreneurial success in the hotel tech space, Segredo and Balba noticed that 15% of IT budgets in hospitality are spent deploying, securing and supporting product integrations.

Segredo previously founded MTech (creator of HotSOS operations software) and sold the business to hotel tech powerhouse Newmarket, which eventually got rolled into Amadeus. So if anyone knows how to solve this complex problem, it’s Luis.

HAPI normalizes data from various tech vendors and enables them to communicate in a secured environment, protecting guest data and enhancing the performance of hotel technology systems across the board.

Red Lion Hotels Corporation has recently enlisted HAPI to stream PMS data from 7 approved vendors and 2 certified CRS providers, then enrich and feed that into various technology systems. This is a first for a major hotel brand.

We anticipate that other brands and independents will follow suit, so we sat down with the man at the center of integrations and data security for the hospitality industry to understand how he’s helping hotels transform the way they think about security, technology integrations and performance. Segredo told Hotel Tech Report, "The new data platforms will place data in the full control of hotel companies and help them be better stewards of the data they collect. This will be critical as the global community works to protect personally identifiable information in an ever more restrictive way."

