What’s the fallout from Marriott’s data breach?

In one of the largest data breaches in history, and certainly the largest in the hotel industry, Marriott International disclosed on Friday that data on roughly 500 million customers staying at Starwood hotel properties since 2014 had been compromised in an apparent systemwide breach.

Unknown attackers accessed the Starwood guest reservation database well before Bethesda, Maryland-based Marriott completed its merger with Starwood in September 2016.

The news prompts multiple questions: Was there any indication of the breach during Marriott’s due diligence, before the Starwood deal was finalized? Why did it take four years to uncover a breach of this magnitude? Will it have any effect on the combined loyalty program, which will be formally unveiled next year? And what harm will it do to the company’s reputation among its guests? Email requests to Marriott for interviews and answers to these questions were outstanding on Friday afternoon.

R.W. Baird analyst Michael Bellissario estimated in a published note on Friday that direct costs to Marriott include (among others) increased near-term technology and legal costs to resolve the data breach, net of applicable insurance deductibles; increased cybersecurity costs over the long run to better protect customer data; and the near-term cost of a one-year enrollment in WebWatcher, for which an annual subscription retails for about US$130 (likely lower for Marriott), for affected guests in the U.S. if they choose to enroll.

Paige Boshell, attorney and managing member of Privacy Counsel, Birmingham, Alabama, told HOTELS the potential fallout for Marriott will almost certainly involve regulatory enforcement action in the U.S. (at federal level, with the Federal Trade Commission, and the state level), as well as in the U.K. and Canada. The Office of the New York Attorney General has opened an investigation into the breach, according to news reports. 

“Reputational and market value fallout will depend on the circumstances of the attack and any perceived lack of reasonableness in security or privacy efforts by Starwood or Marriott,” Boshell said, while adding that Marriott should remain proactive and protective of the customer to retain trust. “Consumers trusted Starwood with all of this personal information and will need to be convinced to continue trusting Marriott,” she said.

As to what might help reduce these types of incidents, “until the U.S. has a strong GDPR-like regulation with sufficient penalties attached to it, these breaches will continue,” cybersecurity company Nyotron’s Senior Director of Product Management Rene Kolga told HOTELS. “Businesses keep ignoring security and basic customer data management hygiene because they can, because it is convenient and because it will cost them a bit more to change the status quo. Enough is enough, and it is time for strong privacy regulation on the federal level, because having a patchwork of different regulations per state is not going to cut it.”

Understanding the risk

The immediate concern from an owner’s perspective is understanding their risk, said Larry Trabulsi, senior vice president at CHMWarnick, a hotel asset management and owner advisory services firm. Of course, they might also be thinking about the cost implications.

“Marriott, and certainly other management companies, as this is truly an industry issue, will likely revisit and enhance security protocols, which may come at an added expense,” Trabulsi told HOTELS. “While this added security and cost may be warranted, owners and management companies should be open in the dialogue on what may change, what the costs might be, and how they may get allocated/charged back to owners.”

Trabulsi added that this event might also stimulate reviews of insurance requirements and coverages included in hotel management agreements, particularly cyber insurance coverage. “We have seen this as a requirement in recently executed management agreements, but it is typically not carved off in older agreements. Owners may want to revisit this aspect as well,” he said.

Events like this also have owners thinking about other technology investments, said Trabulsi, such as mobile key and system integrations, and whether there will be delays and costs to ensure safety and protection going forward.

In a statement, Marriott President and Chief Executive Officer Arne Sorenson took responsibility for the incident. “We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center (info.starwoodhotels.com)… We are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network,” he said.

How it started

A broader Marriott statement said its investigation determined by November 19, 2018, that the breach had happened on or before September 10, 2018. On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the United States. Marriott then engaged security experts to help determine what occurred and found that there had been unauthorized access to the Starwood network since 2014. Marriott said that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.

The company has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property. For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (SPG) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.

For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and as of Friday morning, Marriott had not been able to rule out the possibility that both were taken. For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information.

Marriott is sending emails on a rolling basis to affected guests whose email addresses are in the Starwood guest reservation database.
