Marriott's Massive Data Breach Is No Surprise to Meetings Industry Experts

The Westin San Jose in California
The Westin San Jose in California

Marriott International today revealed a huge data breach of the guest information of as many as 500 million people making reservations at Starwood hotels. The chain discovered unauthorized access that has been taking place within its Starwood network since 2014.

Data Breached? What to Do Now
Click here for 5 immediate steps to take when your personal information has been compromised.

Marriott hasn't finished identifying the compromised information in its database, according to a statement the hotel company issued today. However, for approximately 327 million of the potentially affected guests, the breached data includes a combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences. In some instances, the credit-card numbers and expiration dates also were compromised. While those numbers had been encrypted using the Advanced Encryption Standard (AES-128), it is possible that the two components required to decrypt the data were hacked as well.
 

Travel Data: A History of Vulnerability
The massive Marriott data breach revealed today is just the latest -- and largest -- of similar instances of compromised traveler data. Here's a sampling of incidents over the past four years.
 
Nov. 2, 2018
Radisson Rewards Hit by Data Breach
The incident affected a small number of members and did not expose credit-card info.
 
March 20, 2018
Orbitz Data Security Breach Put 880,000 Payment Cards at Risk
Hackers accessed a legacy platform last year.
 
Nov. 22, 2017
Uber Reveals Cover-Up of Hack Affecting 57 Million Riders, Drivers
Breach occurred a year ago; the company paid hackers a ransom to destroy the stolen data.
 
July 13, 2017
Sabre Security Breach Affects Four Seasons, Hard Rock, Loews, Rosewood, Trump Hotels
Guest data was compromised around the globe.
 
April 18, 2017
IHG Acknowledges Another Data Breach in U.S. and Puerto Rico
Payment cards used at hotel front desks in late 2016 might have been affected.
 
Feb. 6, 2017
IHG Confirms Customer Data Breach at 12 Company-Managed Properties
Guests who used payment cards at restaurants and bars are being notified.
 
Aug. 15, 2016
HEI Confirms Data Breach Hit at Least 20 Major Chain-Branded Properties in U.S.
The malware is disabled, but guest credit-card data might have been compromised from as far back as March 2015.
 
July 11, 2016
Customers' Credit-Card Data Hacked at Omni Hotels
The malware intrusion affected point-of-sale systems at some hotels.
 
Dec. 1, 2015
Hilton Confirms Payment Card Security Breach Reported in September
The company has taken action to eradicate the malware from its point-of-sale systems.
 
March 5, 2015
Mandarin Oriental Hotel Group Confirms Hacking
Credit-card numbers were breached before the December holidays.
 
Feb. 3, 2014
Marriott and White Lodging Services Respond to Data Breach
Guest data on purchases at restaurants and gift shops was compromised.

Marriott, which acquired Starwood two years ago, first discovered the breach in September, which affected guest information related to reservations at Starwood properties on or before Sept. 10. Brands of concern are W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, the Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Reservations for Starwood branded time-share properties also were affected by the breach.
 

Arne Sorenson, president and CEO of Marriott International
Arne Sorenson, president and CEO of Marriott International

"We deeply regret this incident happened," said Arne Sorenson, Marriott's president and CEO. "We fell short of what our guests deserve and what we expect of ourselves." Sorenson added: "Today, Marriott is reaffirming our commitment to our guests around the world. We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center. We will also continue to support the efforts of law enforcement and to work with leading security experts to improve. Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network."
 
Marriott has set up a website and call center for concerned guests (in the U.S., call 877-273-9481). The company will begin sending emails on a rolling basis starting today, Nov. 30, to affected guests whose email addresses are in the Starwood guest reservation database.
 

Kevin Iwamoto, senior vice president at GoldSpring Consulting and author of M&C's "Industry Insights" column
Kevin Iwamoto, senior vice president at GoldSpring Consulting and author of M&C's "Industry Insights" column

Meetings industry experts have voiced their concerns about the vulnerability of attendee data for several years -- often to no avail. As recently as October, Kevin Iwamoto, senior vice president at GoldSpring Consulting and author of M&C's "Industry Insights" column, told Northstar Meetings Group, "Our industry still has a long way to go for data privacy. All the phishing and hacking, especially from foreign countries, is a huge concern. We have very unfriendly countries basically targeting us and our infrastructure."
 
Iwamoto continued: "In our industry, where we have access to all of someone's private data, including credit-card information, it's just a matter of time until some country or major hacker says, ‘Hey this is a goldmine.' This is easy pickings, and it's already started. Look at how many hotel companies have been hacked. It's just a matter of time before something even worse happens."
 
Too often, planners assume that securing attendee data isn't their responsibility, said Amy O'Malley, CMP, who specializes in global workplace solutions at CBRE, the world's largest commercial real estate services and investment firm. "Event professionals are understandably concerned about the attendee experience when it comes to hotel accommodations, meeting room setup, food and beverage, etc. But relatively few are as thoughtful about participants' personal data." In a checklist developed for Meetings & Conventions, she outlined key measures, including, "Thoroughly vet technology vendors to ensure that their handling of data conforms to your standards."
 
Iwamoto has long been a self-described evangelist on data protection and a frequent speaker on the EU's General Data Protection Requirement (GDPR), which took effect this past May. In the M&C article "Should GDPR be Rebranded as GDDPR (General Denial of Data Protection Regulation)?", he noted that the measure requires opt-in consent forms regarding the collection of personal data; implicit and transparent descriptions of how personal data will be used, by whom, and for what reasons; the need to respond to data breaches within 72 hours; documentation of the deletion of data, and other critical safeguards.
 
"What has been most disappointing and shocking to me is the level of denial that people have expressed to me," wrote Iwamoto in February. "It's the classic five stages -- denial, anger, bargaining, depression and acceptance -- that industry professionals are dealing with now. I understand that everyone has their own acceptance process and timelines, but I would be remiss if I didn't point out to everyone that May 25, 2018, is the date that the EU has established for compliance and standardization of data privacy -- GDPR. In other words, you need to get through the five stages quickly at this point, because you have a lot to deal with both internally within your company, and externally with your supplier partners."
 
According to the Associated Press, shares of Marriott fell 6 percent before today's opening bell.