Marriott, the latest casualty of data theft: Here’s all you need to know

By Elton Gomes

On Friday, November 30, Marriott International said that hackers stole about 500 million records from its Starwood Hotels reservation system. Marriott said that the data breach began four years ago and exposed personal data of customers, including some payment card numbers.

Though the company has not finished identifying duplicate information in the database, it believes that for 327 million guests, compromised data could include passport details, phone numbers, and email addresses, while for the others, it could include credit card information.

“We deeply regret this incident happened,” Arne Sorenson, Marriott’s President and CEO, said in a statement. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

Fallout

Hours after disclosing details of the huge data breach, a law firm sued Marriott. The firm Morgan & Morgan asked a court in Maryland to grant a class action trial by jury and has accused Marriott International Inc. of “negligence, breach of confidence, and deceptive and unfair trade practices”.

US Senator Ron Wyden has also argued that companies that lose their users’ data should see their employees going to jail. “Until companies like Marriott feel the threat of multi-billion dollar fines and jail-time for their senior executives, these companies won’t take privacy seriously,” he reportedly said, according to India Today.

After the hotel disclosed the details of the data breach, Marriott International Inc. stock sank 5.6% in premarket trade on Friday, November 30. Over the past three months through Thursday, Marriott’s stock has lost 3.5%, while the S&P 500 has shed 5.6%.

However, not everyone is convinced that the breach could significantly affect Marriott. As per an NY Mag report, Equifax suffered a similar massive information breach and initially saw its stock price plummet after the news broke, but the company quickly managed to regain its footing. Considering that the holiday season is in full swing, Marriott might just be able to shake off the incident without too much damage.

What happened?

On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the United States. The company immediately engaged leading security experts to help determine what had happened.

There have been claims that the data breach could be an act of espionage, particularly since high-stakes business deals and romantic trysts often unfold in hotels.

The affected reservation system could be extremely enticing to nation-state spies who might want to unravel the travels of military and senior government officials, said Jesse Varsalone, a University of Maryland cybersecurity expert, as per an AP report.

Which properties were affected?

The breach hit customers who made reservations for the Marriott-owned Starwood hotel brands from 2014 to September 2018.

The properties include Sheraton Hotels & Resorts, Westin Hotels & Resorts, W Hotels, St. Regis, Four Points by Sheraton, Aloft Hotels, Le Méridien, Tribute Portfolio, Design Hotels, Element Hotels, and the Luxury Collection — all of these are Starwood brands.

What did Marriott do after the breach?

After discovering that an unauthorised party had copied and encrypted information, Marriott took steps towards removing it. On November 19, 2018, Marriott managed to decrypt the information and determined that the contents were from the Starwood guest reservation database.

Marriott has offered a free one-year subscription to a monitoring service, WebWatcher. This service monitors websites where stolen information is shared.

The hotel will send you an alert if your details are found. However, this service is only available for guests from the US, Canada, and the UK.

US residents are eligible for consultation with a fraud specialist and reimbursement for legal and other expenses related to identity theft.

How does this affect you?

Marriott says it began sending emails to affected guests on Friday. However, users are advised to remain cautious, as hackers could imitate this email to trick recipients into providing passwords or installing malicious software.

The hotel has set up a dedicated website for users who receive such an email. There, users can verify the authenticity of the mail and get answers to other questions they might have; the site also lists Marriott’s call centre number. The dedicated website is at: answers.kroll.com
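Because a breach notification is itself a phishing lure, the practical check is whether every link in the message really points at the official domains the article names. The following is an added example, not code from the article or from Marriott or Kroll: it parses the HTML body of a message, lists every link, and flags links whose host is outside an allowlist (assumed here to be answers.kroll.com and marriott.com, the two domains the article mentions) or whose visible text names an official host while the underlying href goes elsewhere. Both sample messages are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# The two official domains named in the article; anything else is treated as suspect.
# (Assumption: these are the only hosts a genuine notification should link to.)
ALLOWED_DOMAINS = {"answers.kroll.com", "marriott.com"}

# Constructed sample messages (not real Marriott emails).
LEGIT_SAMPLE = (
    '<p>To confirm whether your data was involved, visit '
    '<a href="https://answers.kroll.com/">answers.kroll.com</a>.</p>'
)
SUSPECT_SAMPLE = (
    '<p>Confirm your account now: '
    '<a href="http://answers-kroll.example.test/login">answers.kroll.com</a></p>'
)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_allowed(host):
    """True if host is an allowlisted domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def check_links(html):
    """Return a list of (reason, detail) findings; an empty list means nothing suspicious."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        if url.scheme not in ("http", "https"):
            findings.append(("unexpected-scheme", href))
            continue
        actual = (url.hostname or "").lower()
        if not host_allowed(actual):
            findings.append(("unlisted-host", actual))
        # If the visible text looks like a hostname, it must match where the link really goes.
        shown = re.match(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", text.lower())
        if shown and shown.group(1) != actual and host_allowed(shown.group(1)):
            findings.append(("display-mismatch", f"{shown.group(1)} -> {actual}"))
    return findings


if __name__ == "__main__":
    for name, sample in (("legit", LEGIT_SAMPLE), ("suspect", SUSPECT_SAMPLE)):
        print(name, check_links(sample))
```

The allowlist is deliberately a suffix match on the whole domain, so `answers-kroll.example.test` and `marriott.com.example.test` are both rejected while a genuine subdomain of marriott.com passes. The display-mismatch rule catches the common lure where the link text shows the real domain but the href does not.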

The database is likely to have details on future stays, including arrival and departure dates, along with your home address. This information can be used by burglars to break into your home.

How can customers stay protected?

If users are concerned that their information has been compromised, they can contact each of the credit bureaus and put a credit freeze on their accounts.

Credit freezes stop anyone from opening a new line of credit in your name. A credit line can be opened only once you lift the freeze. Placing a credit freeze does not cost anything.

Passwords may have been part of the potentially stolen data, so Starwood members should immediately change their passwords.

Additionally, users should opt for two-factor authentication, starting with their email and social media accounts. This is an additional layer of security that texts or generates a temporary password on your smartphone with a program such as Google Authenticator to make sure it’s really you logging into your account.

Notable instances of data thefts

In 2017, Yahoo said that all 3 billion of its accounts were hacked in a 2013 data theft, tripling its earlier estimate of the size of the largest breach in history. Attorneys said that the revelation sharply increased the legal exposure of its new owner, Verizon Communications Inc.

Yahoo said that it had “obtained new intelligence”, which showed that all user accounts had been affected. The company said the investigation indicated that the stolen information did not include passwords in clear text, payment card data, or bank account information.

In May 2014, eBay was criticised over its handling of a cyberattack, wherein hackers accessed personal data of 145 million users – making it among the biggest such attacks on a corporation. Global marketplaces chief Devin Wenig said hackers had breached the site using the credentials of three corporate employees, and eventually made their way to the user database.

A data breach in 2016 exposed the names, phone numbers, and email addresses of more than 20 million people who use Uber Technologies Inc.’s service in the US, authorities said. The intruders got their hands on unencrypted consumer personal information related to American riders and drivers, including 25.6 million names and email addresses, 22.1 million names and mobile phone numbers, and 607,000 names and driver’s licence numbers, the Federal Trade Commission said in a complaint.

In a more recent breach, Facebook, in September, said that an attack on its computer network had exposed the personal information of nearly 50 million users. The breach was reportedly the largest in the company’s 14-year history. The attackers exploited a feature in Facebook’s code, managed to gain access to users’ accounts and potentially took control of them.

Google said it would close Google+ after announcing that data of up to 500,000 users might have been exposed to external developers by a bug that was present for more than two years in its systems.

Google said that it had discovered and patched the bug in March 2018. It further added that it had no evidence of misuse of user data or that any developer was aware or had exploited the vulnerability.

How can the hospitality industry deal with data breaches?

At a time when privacy is becoming such an important issue, there is significant onus on the hospitality industry to protect users’ data.

To protect personal data, it is crucial that hotels understand what type of data is collected, where it is stored, and how it is used. By having accurate knowledge of how data is stored and collected, hotels will be able to better identify the information most valuable to cybercriminals.

When a reservation is made over the phone, that information is likely entered directly into a software system that is accessible to many different levels of staff. However, these employees may or may not have been trained in data security.

When guest data is accessible by employees across the organisation, hotel operators should assess who is handling the data, and what type of data is being handled (such as credit cards, or basic guest information, etc.). From there, hotels can start laying rules as to who can access what information. The hotel can also take steps to prevent the sharing of more sensitive data.
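The steps above amount to a data inventory (what is collected and where), a classification of each field (payment, identity, contact, travel dates), and a role policy saying who may see what. The following is an added example, not code from the article or from any hotel system: it models a reservation record with classified fields and a deny-by-default, role-based view that returns sensitive fields only in masked form and writes an audit entry for every denied field, which is what a later investigation would need. The roles, field names, and the sample record are all constructed for the demonstration.

```python
from typing import Dict, List

# Data classes a reservation record carries (constructed labels).
CONTACT = "contact"      # name, email, phone, home address
TRAVEL = "travel"        # arrival/departure dates
PAYMENT = "payment"      # card numbers
IDENTITY = "identity"    # passport numbers

# Inventory step: every stored field is assigned exactly one class.
FIELD_CLASS: Dict[str, str] = {
    "guest_name": CONTACT, "email": CONTACT, "phone": CONTACT, "home_address": CONTACT,
    "arrival": TRAVEL, "departure": TRAVEL,
    "card_number": PAYMENT,
    "passport_number": IDENTITY,
}

# Policy step: per role, which classes are readable in full and which only masked.
# Any class not listed is denied; any role not listed is denied outright.
ROLE_POLICY = {
    "front_desk":   {"full": {CONTACT, TRAVEL}, "masked": {PAYMENT}},
    "housekeeping": {"full": {TRAVEL},          "masked": set()},
    "finance":      {"full": {PAYMENT},         "masked": {CONTACT}},
    "auditor":      {"full": set(),             "masked": {CONTACT, TRAVEL, PAYMENT, IDENTITY}},
}

# Constructed sample record; the card and passport values are fake.
SAMPLE_RECORD = {
    "guest_name": "A. Guest",
    "email": "a.guest@example.test",
    "home_address": "1 Example Street",
    "arrival": "2018-12-20",
    "departure": "2018-12-22",
    "card_number": "4111111111111111",
    "passport_number": "X1234567",
}


def mask(value: str) -> str:
    """Keep only the last four characters, the usual receipt-style rendering."""
    return "*" * (len(value) - 4) + value[-4:] if len(value) > 4 else "****"


def view_record(record: Dict[str, str], role: str, audit_log: List[str]) -> Dict[str, str]:
    """Return the subset of `record` that `role` may see, masking where the policy says so.

    Unknown roles raise rather than fall through to any default view, and every field that
    is withheld is logged so access patterns can be reviewed later.
    """
    policy = ROLE_POLICY.get(role)
    if policy is None:
        audit_log.append(f"DENIED role={role!r} reason=unknown-role")
        raise PermissionError(f"no policy for role {role!r}")
    visible: Dict[str, str] = {}
    for field, value in record.items():
        cls = FIELD_CLASS.get(field)  # unclassified fields are denied too
        if cls in policy["full"]:
            visible[field] = value
        elif cls in policy["masked"]:
            visible[field] = mask(value)
        else:
            audit_log.append(f"DENIED role={role} field={field} class={cls}")
    audit_log.append(f"VIEW role={role} fields={sorted(visible)}")
    return visible


if __name__ == "__main__":
    log: List[str] = []
    for role in ("front_desk", "housekeeping", "finance", "auditor"):
        print(role, view_record(SAMPLE_RECORD, role, log))
    print("\n".join(log))
```

The important property is that the record's raw fields never reach a role that is not listed for them; the front desk can confirm a booking and see the last four digits of a card, but passport numbers are withheld from every operational role and appear only masked to the auditor.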

Although the government has data protection laws in place for companies to comply with, having a secure system is simply good business practice for companies.

As data has become the new oil, hospitality operators should ensure that all employees are aware of best practices in data security, and should then seek external help with data operations.


Elton Gomes is a staff writer at Qrius
