Marriott Data Breach a Reminder of Industry Vulnerability and the Importance of Vigilance

By Elaine Pofeldt | Dec 11, 2018

With the massive Marriott data breach in the headlines, cybersecurity has been top of mind for many in the meeting and event industry.

“To me, it’s one of the worst breaches ever,” says MaryAnne Bobrow, CAE, CMP, CMM (MPI Sacramento/Sierra Nevada Chapter), president of Bobrow Associates in Sacramento, Calif., whose firm does strategic events management and who often leads conference sessions on cyber security. “We need more clarity from them on exactly what was breached.”

The hack affected as many as 500 million guests. Marriott determined on Nov. 19 that a breach of the Starwood guest reservation database had occurred, after an internal security tool detected an attempt to access it on Sept. 8. The database has information on reservations made with Starwood properties on or before Sept. 10. Hackers stole guests’ data including their names, mailing addresses, passport info, dates of birth and arrival and departure dates. Marriott reported that it discovered an unauthorized party had copied encrypted information and took steps toward removing it; the company said it decrypted the information on Nov. 19 and determined it came from the database. According to a Reuters report, sources said there were clues that the hackers were working for a Chinese government intelligence-gathering operation.

Following the breach, Marriott agreed to pay for new passports for customers who could prove fraud. Marriott established a call center staffed by operators who speak multiple languages to answer affected customers’ questions about the breach. The company has also offered to provide one-year subscriptions to WebWatcher, which monitors internet sites where personal information is shared. Guests who enroll will get free consultation services and reimbursement coverage, Marriott said in an email to customers.

Corbin Ball, CSP, CMP, DES (MPI Washington State Chapter), owner of Corbin Ball & Co., a meetings technology firm, sees the breach as a sign of the times.

“Unfortunately, this is going to happen,” he says. “From a meeting planner’s standpoint, it shows how important it is to make sure that you have a data protection plan in place that would minimize the risk.”

In Marriott’s case, the breach has prompted a U.S. class-action lawsuit, with security experts asking why it went on for so long. (Marriott says it learned on Nov. 19 that hackers had unauthorized access to the Starwood network since 2014—Marriott purchased Starwood in 2016.)

More information will likely emerge as to why the breach went on for so long. In the meantime, industry leaders will no doubt be looking at whether their own organizations are safe from situations like this, what the repercussions could be if they are lacking and how to shore up their security.

“We deeply regret this incident happened,” Arne Sorenson, Marriott president and CEO, said in a statement on the firm’s website. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

A Vulnerable Industry

Marriott is not alone among hospitality and travel brands in coming under attack by cyber criminals.

The Radisson Hotel Group, for instance, disclosed an incident involving the Radisson Rewards program on Oct. 1. The hotel group determined that information such as members’ names, addresses, email addresses, company names, member numbers, frequent flier member numbers on file and other information was exposed “for a small percentage of our Radisson Rewards members.”

Meanwhile, Eurostar, a site that enables customers to book trains and hotels online, required all customers to reset their passwords in late October after it uncovered an unauthorized attempt to break into its system and gain access to customer accounts.

The breaches happened against a backdrop in which firms in the accommodations field suffered the greatest number of breaches of any industry in 2018, according to Verizon’s Data Breach Investigations Report for 2018. There were 338 breaches, with 31 at large companies, Verizon found. This category includes both hospitality firms and restaurants.

“It seems as though that particular vertical has been lagging when it comes to having the proper security measures put in place,” says Shaun St. Hill, CEO of Tech & Main, a technology services provider specializing in cybersecurity in Atlanta, Ga.

In accommodations, 90 percent of the intrusions occurred at the point of sale, Verizon found. The dominant breaches were financially motivated, with the main threats hacking and malware. “It’s pretty clear where you need to focus,” the report noted.

Often, third-party providers were involved. In 81 percent of these cases, people’s credentials were stolen, often en masse from a point of sale service provider and used to compromise the point of sale systems of the provider’s customers. Brute-force hacking, the second-most-common type of intrusion, occurred 18 percent of the time.

Unfortunately, the report found, in 96 percent of cases, breaches aren’t found for months and are typically only detected by an external source, such as law enforcement.

Shoring Up Gaps

Failing to protect customers’ data can have serious legal repercussions under federal and state data privacy laws. Firms that have personally identifiable information, known as PII (such as someone’s name or physical address), are responsible for protecting it, St. Hill notes.

“Companies need to look at two things: ‘What is our security policy?’ and cyberinsurance,” he says.

On the security front, making sure a firm has covered the basics, such as firewalls, is a good place to start, he says. Bringing in an outside firm to evaluate a company’s compliance can help uncover any weaknesses.

“In most cases, there is a third party that can come in behind your security pros and shore up whatever your security policies are,” St. Hill says.

By evaluating factors such as incident response and doing penetration tests, an outside provider can help close gaps, he has found.

If a company in the meeting industry employs a number of mobile professionals who carry laptops and mobile devices that could potentially get left behind in an airport lounge or otherwise lost during business travel, investing in mobile device management software could be wise, according to St. Hill.

“It’s basically a remote kill switch,” he explains. “What it allows you or your IT person to do is basically wipe that device remotely if it gets into the wrong hands.”

The software can back up the data that was on the device so that it can be transferred safely to a new one, he adds.

However, companies need to go beyond keeping an eye on their own internal situation and look to their supply chain, experts say.

“Vendors have a lot of data,” explains Braden Perry, a litigation, regulatory and government investigations attorney with Kennyhertz Perry LLC in Kansas City, Mo.

When it comes to supply chains, Perry says, “it is critical to monitor and review your vendors and to mitigate any excess entry points into the system. Following critical data and the data stream can identify areas where more monitoring is required and can also minimize undetected intrusions. While it is impossible to prevent all intrusions, having a cyber policy that identifies weaknesses within the supply chain and enhancing security/monitoring will lessen the risk of landing on the ever-increasing list of companies breached.”

Covering the Costs

In the event there is a breach, cyber insurance is very important today, St. Hill says.

“Companies like Beazley will issue cyber insurance to a company that will help with notifying your customers there has been a breach and cover the communications and PR piece,” he says.

Such a policy would also help if a firm that is breached is sued or prosecuted, St. Hill says.

“That policy will help cover those damages,” he says.

As Ball explains, global companies that suffer a breach face potential liability under the General Data Protection Regulation (GDPR), which allows fines of up to 4 percent of a company’s annual global revenue.

With breaches accelerating, Perry has seen increased understanding of the importance of cyber security at the top tiers of organizations and on their boards—though there is room for growth.

“The main pain point from IT is the need for the latest resources to keep a company safe,” he says. “Many companies don’t upgrade their information security systems enough, and the technology to breach critical systems is advancing much faster than company security. The board must understand the issues, and the potential harm to a company if a breach occurs. Having a sophisticated board, not only in business, but in today’s cyber and IT security, is a must to understand the issues and protect the company.”

Keeping employees informed on how to do their part is important, too, notes Bobrow.

“The first word I would say to anybody is vigilance,” she says. “You must be absolutely vigilant in everything.”

That includes staying on the alert for phishing scams.

“Look at your emails carefully,” cautions Bobrow. “Look at the email address it’s coming from. If it’s Marriott, is it two Rs and two Ts?”
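Bobrow’s advice above is to read the sender’s domain carefully. The following Python script is an added example, not code from the article or from any company it names, showing the kind of sender-domain check a mail gateway or security-awareness tool can run: it parses the From header, accepts exact matches and subdomains of a trusted-domain list, and flags domains that are within a small edit distance of a trusted domain, embed the brand name in an untrusted domain, or rely on common character swaps (such as “rn” for “m”), as well as display names that claim a brand the sending domain does not belong to. The trusted-domain list, the sample headers, the confusable-character table and the distance threshold are all constructed assumptions for illustration.

```python
"""Flag sender domains that merely look like a trusted brand's domain.

Added example; the allow-list and sample headers below are constructed.
"""
from email.utils import parseaddr
import unicodedata

# Constructed allow-list of domains treated as legitimate senders.
TRUSTED_DOMAINS = {"marriott.com", "starwoodhotels.com"}

# Visual tricks to undo before comparing: multi-character swaps first,
# then single characters that resemble letters. (Assumed table; an
# IDN homograph check would need a full Unicode confusables list.)
_MULTI_CHAR = (("rn", "m"), ("vv", "w"))
_SINGLE_CHAR = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(text: str) -> str:
    """Lower-case, fold compatibility characters, and undo common swaps."""
    t = unicodedata.normalize("NFKC", text).lower().strip().rstrip(".")
    for multi, single in _MULTI_CHAR:
        t = t.replace(multi, single)
    return t.translate(_SINGLE_CHAR)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain part of a From header, or '' if absent."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower().rstrip(".")


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, domain, closest_trusted_domain_or_None)."""
    domain = sender_domain(from_header)
    if not domain:
        return ("unparseable", domain, None)
    trusted = sorted(trusted)  # deterministic order for tie-breaking
    # Exact match or a subdomain of a trusted domain is accepted as-is.
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return ("trusted", domain, t)
    norm = normalize(domain)
    best, best_dist = None, None
    for t in trusted:
        brand = t.split(".")[0]
        # Brand name embedded in an untrusted domain, e.g. brand-rewards.example
        if brand in norm:
            return ("lookalike", domain, t)
        dist = levenshtein(norm, t)
        if best_dist is None or dist < best_dist:
            best, best_dist = t, dist
    if best_dist is not None and best_dist <= max_distance:
        return ("lookalike", domain, best)
    # Display name claims a trusted brand but the domain is unrelated to it.
    name, _ = parseaddr(from_header)
    name_norm = normalize(name).replace(" ", "")
    for t in trusted:
        if t.split(".")[0] in name_norm:
            return ("display_name_mismatch", domain, t)
    return ("unrelated", domain, None)


if __name__ == "__main__":
    # Constructed sample From headers, not real messages.
    samples = [
        "Marriott <reservations@marriott.com>",
        "noreply@mail.marriott.com",
        "Marriott <alerts@marriot.com>",
        "support@rnarriott.com",
        "Marriott Bonvoy <promo@example.org>",
        "friend@example.org",
    ]
    for s in samples:
        print(f"{s!r:45} -> {classify_sender(s)}")
```

The check is deliberately conservative: anything that is not an exact match or subdomain of the allow-list is reported with a reason, so a reviewer (or a mail filter rule) can decide what to quarantine rather than the script making the final call.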

Many meeting professionals may find themselves among the groups of customers whose personal data was exposed in one of the incidents in the headlines. Bobrow changed her own password with Marriott and was impressed with how rigorously the hotel validated her identity before changing it.

“They are taking it seriously,” she says.

It’s not just credit cards that can be breached by hackers, she notes.

“They can use hotel stays and gift cards,” Bobrow says, noting that a hotel may not have an obligation to make customers whole in such a case. “There are so many unknowns right now.”

One way to protect yourself, if you were affected by a breach, is to monitor your credit through the major credit bureaus, Ball says. Or, for added assurance, you can freeze your credit. In a credit freeze, no one can get access to your credit file unless you lift the freeze using a PIN. That means lenders can’t get access.

That may seem extreme, but then again, so are some of the hackings.

“Unfortunately, these are the times we live in,” Ball says.

Learn More About Cybersecurity

Emergency preparedness, risk management and cybersecurity will be discussed during MPI’s free Safety & Security Management Virtual Summit, 11 a.m.-2 p.m. CST on Dec. 14. Explore these critical areas of concern with the industry’s preeminent experts.

Author

Elaine Pofeldt

Elaine Pofeldt is a freelance journalist in the New York City area who contributes to publications from CNBC to Forbes and is the author of the upcoming book The Million-Dollar, One-Person Business.