How much will the Starwood data breach end up costing Marriott?
By now, everyone is aware that hotel giant Marriott International announced on Friday a massive data breach that goes back more than four years and may have affected up to 500 million customers worldwide. The breach — which began in 2014 and involves Marriott-owned Starwood Hotels & Resorts’ guest reservation databases — is one of the largest in history. It’s also the second major security breach Starwood has reported. In November 2015, the company disclosed that malware had infected point-of-sale systems at dozens of its properties throughout the United States and Canada.
In this latest incident, anyone who made a reservation at a Starwood property, including Sheraton, Westin, W Hotels, St. Regis, Le Meridien, Four Points, Aloft, Tribute, Design Hotels, Element and the Luxury Collection, over this time period may have had data stolen. Information involved includes guest names, mailing addresses, phone numbers, email addresses and birth dates; and, for some customers, loyalty account information, travel histories, passport numbers and payment card data. At the time of this article, Marriott released in a statement that the company isn’t certain whether the hackers have been able to decrypt the payment card numbers.
Marriott acquired Starwood in September 2016. The acquisition made the company the largest hotel chain in the world, with more than 6,700 properties. The hackers’ access apparently went undetected during the merger.
Merging Loyalty Programs a Top Priority
Soon after the acquisition, Marriott began merging the Starwood Preferred Guest program with its own Marriott Rewards program. The company then turned its attention to merging the reservation systems. It was while working with the Starwood system that IT staff discovered the activities of the hacker. Marriott apparently had installed a new security monitoring tool on the Starwood network that alerted them to an unauthorized attempt to access the Starwood database.
Although Marriott has not confirmed which security tool found the breach, the company says the tool enabled its IT staff to discover encrypted data the hacker had copied and planned to remove. Marriott immediately enlisted the help of leading security specialists, who discovered there had been unauthorized access to the Starwood network since 2014.
For many industry experts, the breach doesn’t come as a surprise. “The hospitality industry has proven to be a data-rich soft target for hackers,” said attorney Thomas Jackson, who heads Phillips Nizer’s technology practice group in New York. He lists some of the hotel chains that have been breached in recent years, including Hilton Hotels, Hyatt Hotels, Intercontinental Hotel Group, Wyndham Worldwide, Radisson Hotel Group, Kimpton Hotels and Mandarin Oriental Hotel Group.
The breach also has gained the attention of several U.S. legislators, including Senator Mark Warner (D-Va.), who on Friday issued the following statement via Twitter: “It seems every other day we learn about a new mega-breach affecting the personal data of millions of Americans. Rather than accepting this trend as the new normal, this latest incident should strengthen Congress’ resolve. We must pass laws that require data minimization, ensuring companies do not keep sensitive data that they no longer need.”
Warner called on his colleagues to implement standards similar to the recently enacted EU General Data Protection Regulation (GDPR), which includes provisions for improved security and privacy policies for residents’ personal information.
Because the Marriott breach likely involves consumers in the European Union, it has received global attention. Moreover, there is speculation that the hotel conglomerate may have been the target of nation-state hackers who want to follow the travel movements of diplomats, heads of state, military officials, business executives and other people of interest to espionage agencies.
The Need for Improved Cybersecurity
Even if espionage is not the case, security experts across the country note that a data breach of this magnitude might still result in a wide range of crimes. Perhaps more importantly, though, it will drive hotel companies to rethink how they secure their networks to combat today’s increasingly sophisticated cybercriminals.
"The hotel industry dramatically underperforms long-regulated industries, such as banking and healthcare, in key areas of cybersecurity,” said Kelly White, founder and CEO of RiskRecon, a cyber risk management company based in Salt Lake City. Compared to banks, he stated, hotels have a 400 percent higher rate of critical software vulnerabilities in internet-facing systems that store and process sensitive regulated information; compared to health care facilities, hotels have a 180 percent higher rate. “The hospitality industry has a long way to go to satisfy protection requirements dictated by standards such as GDPR,” he continued, noting that it’s going to take time for the industry to get their cyber risk house in order.
Although White believes part of the problem is due to the industry being newly regulated, he also points a finger at the franchise model of larger hotel brands. “They are dependent on third- and fourth-party relationships to get security right,” he said. “And, because of the interconnected nature of large enterprises to third and fourth parties, it only takes one mistake to expose and embarrass millions.”
David Durko, CEO of Security Validation, a Montclair, N.J. provider of PCI compliance and managed security services, agrees. “This latest event reminds us that the threat surface for hospitality continues to evolve as reliance on third-party providers and bleeding edge technologies grows,” he said, referring to the category of technologies so new that they could have a high risk of being unreliable.
At the Hospitality Upgrade CIO Summit in September, representatives from the FBI discussed the need for more stringent surveillance tools and noted that hotels must take a multi-faceted approach to cybercrime, as hackers are using multiple methods to break into systems. They outlined the most popularly used intrusion techniques, which include: emails with attachment and malware; phishing; reused credentials from a third party; unpatched known vulnerability; web app or database vulnerability; and, zero day vulnerability.
According to Dan Dearing, senior director of product marketing at Pulse Secure, a San Jose, Calif., provider of network solutions, companies must adopt a ‘Zero Trust’ cybersecurity model, deploying security tools that verify every user and that determine whether users are authorized to access the desired applications or data. Additionally, users’ laptops and mobile devices must meet the company’s security standards. “Only if all three conditions are met are users allowed on the network,” he said.
Josh Bergen, president of Atlanta-based data protection company VENZA, stresses the importance of continuous staff security training in fighting cybercrime. “The ‘human firewall’ is only as strong as the training staff receives, combined with the tools they’re given to manage data security.” He also notes that protecting guest data requires a team approach involving a brand’s corporate office, franchisees, vendors, equipment providers and guests.
An Industry Call to Action
Industry insiders agree that the fall-out from this latest security breach will be considerable. Along with the damage to its reputation, Marriott also will be affected financially. Already, the attorneys general in several states, including Illinois, Massachusetts, New York, Pennsylvania and Texas, have launched investigations into the incident. And the breach likely will set off a series of class action lawsuits from those affected by it.
For its part, Marriott is working with leading security experts and law enforcement officials to catch the hackers. And the company is offering plenty of customer support, including launching a dedicated website and call center to answer guest questions and providing customers affected by the breach a year of free monitoring with Kroll’s WebWatch. According to a corporate press release, Marriott also is devoting the resources necessary to phase out all Starwood systems and accelerate network security enhancements.
Certainly, this latest data security incident is a huge call to action for the hospitality industry. “The lodging industry has a unique relationship with its customers, who routinely entrust hotels with their safety and security,” said John Burns, president of Hospitality Technology Consulting in Scottsdale, Ariz. “Moreover, hotels increasingly ask guests for personal information and have amassed detailed profiles that contain sensitive data.
“We must implement a considerably more stringent data protection protocol,” he concluded. “The techniques are available — some are simple and user-friendly, others less so. Regardless, if we fail to honor the trust guests place in us to protect their sensitive data, the result will be a resounding loss of confidence, not only in our relationship-building efforts but also in our industry more broadly.”