Will Marriott Data Breach Herald the Death of Personalization?
December 21, 2018 1:43pm
By Greg Abbott
This analysis could be titled in a number of ways, each with a lean towards what was disclosed by Marriott last week when it emerged some 500 million guest accounts had been hacked.
Because of the size of the breach and the underlying issues that may have caused it, many may point to the hotel sector's drive towards personalization and trigger a major rethink.
Alternatively, stopping the next Marriott-like data breach may simply be a question of implementing many of protocols and strategies outlined below.
Or, perhaps, it's more of a rallying cry for stronger legislation - at least in the U.S. - which will ensure that brands across the travel spectrum take security (more) seriously.
But first some background...
I recently attended The Phocuswright Conference, where some of travel tech’s mightiest flock to debate industry trends. Apart from a few companies that are leveraging machine learning to battle the "black hat" hackers, security was absent from the agenda.
It was not on a single marquis, nor was it the subject of a hot debate or an executive interview. Let’s face it, as far as tagline topics go… "security" may be one of the least exciting topics at a conference covering the market’s leading innovation.
In short: despite the growing number and scale of security breaches, hospitality companies are still slow to invest in security.
A number of factors may be at play.
First of all, there is no upside to security. It doesn’t drive new revenue or customer acquisition, making the "cost" of increased security measures difficult to justify (until now, anyway).
Furthermore, hotels’ complex, distributed IT systems (internet booking engines, distribution systems, customer relationship management and hotel local systems) call for sophisticated, multi-dimensional, and expensive security measures.
Below are some ways that hospitality companies can improve their security and avoid data breaches.
Personally identifiable information (PII) has become the new target for attackers, and organizations are still making too little effort to protect it.
PII is often duplicated across multiple systems, un-encrypted, and kept longer than needed and can be easily exported in bulk.
A sensible approach for handling PII is data "pseudonymization" whereby personal information is transferred to a separate database with adequate security controls (encryption, access control, audit, etc.) and each person is assigned a unique ID.
All other systems operate with unique IDs instead of actual PII, which can be retrieved via a separate process. Any PII that is not required for immediate business needs should be deleted or archived.
Most organizations focus on their perimeter security at the expense of breach detection and response within the internal network.
They simply ignore the fact that attackers need only find a single flaw in a vast landscape, while defenders need to cover the entire attack surface. Even if they do so, there is a range of "unfair" attack methods, including social engineering, zero-day flaws, and insider attacks, that are not possible to cover by perimeter defense.
Hotels need subscribe to regular audits and penetration testing of their infrastructure, both internal and external.
Red pill, not the blue pill
A recent trend among advanced organizations is to employ "red teams," which are independent groups that take the adversarial point of view and challenge the effectiveness of a security program.
“Red teams” use various techniques, including social engineering, phishing, or posing as a company employee, to penetrate the internal network. During such simulated attacks, companies get a realistic view of their defense capabilities.
Traditional perimeter defenses such as firewalls, IDS/IPS, patching, anti-virus, etc, are still required, but IT security teams need to go further, assuming that the perimeter is compromised and taking a proactive approach to detecting malicious activity.
Here are some essential controls that are often overlooked but can massively improve security:
Finally, I submit that it is time for the U.S. - home to some of the largest and most advanced technology companies in the world - to introduce legislative data security measures and force the travel industry to take data protection seriously.
The evolving nature of cyber threats calls for a continuous legislative effort as well as for collaboration with other governments, industries, and academia.
At the time when personalization is a critical driver of innovation and progress, it is imperative that data security takes center stage.
This article was first published on phocuswire.com
Tags: greg abbott,
Gregory Abbott is a recognized expert in the Travel Industry, with 15 + years expertise in retail travel, travel technology, and tour operations. Greg joined DataArt in 2010 as a Senior Vice President in charge of Travel & Hospitality practice, having relocated from Europe, where he was most recently Commercial Officer and Product Director at Nexgen Travel Distribution.
His experience extends to domestic and international travel organizations, product direction, development & distribution, and content management systems. Through his business development, sales retention and contracting skills he has established an extensive C level contact base. Prior to Nexgen, Greg worked as an Investment Advisor at Jefferson Pilot Financial, and was Sales and Product Director at STA Travel, a travel organization for students and youth, before that.
Greg received a BA & AS from the University of California at Berkeley. He speaks fluent French, is proficient in German and Spanish, and competes in marathons and triathlons for recreation.
+1 (212) 378-4108
DKN Hotels Partners With ProfitSword to Create Seamless Data Management and Transfer Process
Shiji Group Launches New International Website to Cater for Group’s Growth
PolyU Study Advises Hotels to Look Ahead Accurately Basing on Publicly Available Data
Shiji Helps Marriott International to Complete Successful System Switch in China
GCommerce and NAVIS Announce Strategic Partnership
NAVIS and GCommerce Announce an Integrative Partnership to Support Hoteliers
Heritage Hotels & Resorts Partners with ProfitSword to Streamline Data Management and Budgeting/Forecasting Operations
Who Will Benefit From the Digitization of the Hotel Industry?
Chesapeake Hospitality Maximizes Data Management and Forecasting Efficiency With ProfitSword
Hotel Technology Pioneer Brad More Joins Hapi as Chief Architect
Marriott Provides Update on Starwood Database Security Incident
How to Win the Battle Between Privacy and Personalization
Data Security in Hospitality: Risks and Best Practices
Marriott Inherits a Mess of Historical Proportions
PPHE Books In for Better Business With Infor
Avoiding Hotel Data Breaches With a Risk Assessment Audit™ – Lessons From the Marriott International “Glitch”
Hapi Expands Management Team With Appointment of Jonathan Reynolds as Head of Product Strategy
Revinate Joins SiteMinder Exchange
The ‘Hack’ Leaders Should Use in Today’s Quagmire of Ambiguity
The Future of Revenue Management Is Not What It Used to Be
Please login or register to post a comment.