Marriott’s Starwood Data Breach Joins a Decade-Long List of Hotel Data Exposures

When Marriott International revealed a massive security breach at Starwood-branded properties, it joined an unfortunately long line of guest data breaches at hotel companies.

The scope of the breach at the world’s largest hotel group is more spectacular than any other in travel publicized in history. Marriott said the breach affected hundreds of millions of customers who stayed at Starwood-branded properties between 2014 and September 10.

Potential Record Fines

The breach may also expose parent company Marriott to record fines because, unlike most past breaches, some of the activity appeared to happen after Europe put into place General Data Protection Regulation (GDPR) in May 2018, which boosted fines for violations of data security rules.

Exact fine estimates are impossible to gauge, but experts said the prospective range would be potentially higher than the spectrum used by European Union and U.S. officials in the past. European officials have the discretion to fine companies up to 4 percent of annual revenue in the year preceding a data protection incident.

Other investigations are in the offing. On Friday, the New York attorney general’s office said it would open an investigation into the breach.

That office has had success in pursuing prosecutions before. In 2017, Hilton Worldwide agreed to pay a $700,000 fine to the state of New York after data security failures exposed more than 350,000 credit card numbers in two breaches in 2015.

A related issue: When Starwood had a separate malware-driven credit card data breach that it announced in October 2015, it claimed that it checked and found that hackers hadn’t compromised its core guest reservation systems.

Its security experts missed the subsequently discovered separate hack. How Starwood approached that incident may come under review by federal investigators and insurance companies on the hook for covering the hotel group for the risk of events like this.

“When attorneys conduct privacy and data security inquiries as part of mergers and acquisitions, the prospective buyer reviews representations of potential risks from an acquiring company so that it can calculate the appropriate purchase price,” said Bess Hinson, senior associate and chair of cybersecurity and privacy practice at law firm Morris, Manning, and Martin.

“Some people may be curious, given that the timeline is that the big breach can be traced back to 2014, and the company disclosed the minor breach so soon after the acquisition, what representations it gave to Marriott during the M&A process,” Hinson said.

Extraordinary Data Loss

If you confine comparisons of the top 20 largest hotel chains worldwide with the largest airlines, cruise lines, and car rental chains worldwide, it is far and away clear that hotels have allowed themselves to be vulnerable to far more breaches. The nearest comparable incident among airlines was British Airways, which failed to stop a computer hack that compromised credit card data from some 380,000 customers.

But the comparison remains anecdotal. “It’s really difficult to say with certainty whether or not hotels are especially vulnerable to data breaches, more so than other travel suppliers,” said Emory Roane, policy counsel, Privacy Rights Clearinghouse, which tracks data breaches. As of Friday, the group had recorded the 11.5 billion exposed U.S. data records of all kinds.

The Marriott/Starwood hacking is the most serious hotel industry security incident in a decade, as measured by the size of an attack on a core hotel system, the value of data accessed, and the number of people affected.

The last most comparable incident came a decade ago: In 2008 and 2009, hackers attacked Wyndham Worldwide’s network and property management systems three times, allegedly accessing data on more than 619,000 accounts. The theft resulted in what the company later estimated was $10.6 million in fraudulent charges.

Critics, including insurance companies, alleged that Wyndham had been negligent by having stored credit card information in clear, readable text, rather than in an encrypted format, having used easily guessed passwords for system access, having allowed hotels to connect to the network with out-of-date operating systems, and having failed to restrict network access of third-party vendors.

Hackers used software they installed on the Wyndham system in the first attack for their second attack, according to court filings — suggesting that Wyndham could have worked harder to prevent the second and third attacks. Wyndham settled a suit on the matter.

Hotels Fought Watchdogs

Since 2002, the U.S. Federal Trade Commission (FTC) has brought legal actions against companies, including hoteliers, that failed to protect customer data reasonably.

Wyndham sued the FTC in federal court, arguing that the FTC didn’t have the authority and that hotels already have minimum data security standards in place. The industry lobbying group American Hotel and Lodging Association filed an amicus brief, or motion of support.

In 2015, a federal court upheld the government’s right to fine hoteliers for inadequately protecting data.

Marriott may be vulnerable to an FTC action, depending on the details of what happened at its Starwood unit. One potential area of concern: Did Starwood brands, or Marriott since the acquisition, overstate their data protection in public and investor statements?

Hotel Industry’s Spotty Data Safeguards

The Marriott/Starwood breach stands out from most other recent hotel breaches by being a hacking of the company’s core guest reservation system, a container of high-priority customer data, such as passport information, rather than of more common payment card or loyalty membership information.

That said, it joined a spate of smaller hackings of data affecting hotels. Many hotel groups have let their data be compromised multiple times in recent years.

The most common type of attack? Hotel chains have admitted to a series of so-called payment information leaks where hackers exploited point-of-sale systems (POSs) — what used to be called cash registers — that integrate with the main guest reservation systems.

Some of the point-of-sale terminals — often made by third-party providers and used for ancillary services like hotel restaurants and spas — didn’t follow best practices for protecting data. The cash registers became an Achilles heel in hotel ecosystems when hackers placed “malware” on them to skim data related to purchases processed through them.

Exhibit A: In 2016, Kimpton — a brand owned by InterContinental Hotels Group (IHG) with about 60 boutique hotels and 70 restaurants at the time, said thieves had tapped data via its point-of-sale systems at its hotel restaurants and hotel front desks over a five-month period by putting malware on its servers.

The crooks used payment data they stole from Kimpton to make unauthorized charges on those consumer payment cards.

Kimpton let some basic personal data slip through its grasp for about 150,000 members for whom Kimpton has email addresses or physical addresses, and a significant number of customers Kimpton couldn’t trace because the bookings came through third-parties such as online travel agencies.

Kimpton later proposed setting aside up to $600,000 to compensate victims. However, a federal judge recently contested whether that sum is adequate.

Ghosts in the Card Readers

Kimpton was not alone.

In 2017 parent brand IHG said that hackers compromised the point-of-sale systems at more than 1,000 properties it managed. In May 2018, lawyers representing consumers filed a class action against IHG.

In 2017, Hyatt suffered a data breach via its point-of-sale system at 40 international locations, repeating an event that had happened to it at other locations in 2015.

In 2016, Omni Hotels & Resorts revealed a malware attack had “impacted” more than 50,000 customer credit and debit cards at 49 of the chain’s then 60 locations. Millennium Hotels & Resorts also experienced a breach at about 14 properties that year.

In fact, 2015 was an especially bad year, as we reported at the time, with five hotel chains reporting credit card payment detail breaches via point of sale systems, including Hilton Worldwide, Trump Hotels, Starwood, Mandarin Oriental, and hotel franchising company White Lodging Properties managing hotels under various brand names including Hilton, Marriott, Sheraton, and Westin, as noted by Brian Krebs, a security analyst who was the first to report on a few of the incidents on his blog.

For example, Mandarin Oriental 2015 said customers at a minimum of 20 hotels had their credit card data exposed to third-parties, as we reported at the time.

Sabre’s Hotel Tech Saga

The other major security debacle of recent years involved a reservation system provided to many hotels by technology firm Sabre.

Four Seasons, Hard Rock, Loews, Kimpton, Red Lion, and Trump Hotels faced a security debacle because they were customers of Sabre’s Hospitality Solutions SynXis central reservation system. Between August 2016 and March 2017, a flaw in Sabre’s system exposed some transactions to an unauthorized party. The incident didn’t touch the core systems of the parent hotel companies. Thieves potentially had access to only payment information.

Sabre said in a statement at the time that it apologized to affected consumers and clients, noting that no forensic evidence showed that any unapproved party removed any information from the system. Sabre added that “our industry, like many, faces ever-increasing cybersecurity threats that require strong partnerships across the travel ecosystem.” The company declined to speak for this article.

In each case, hackers didn’t access the hotel group’s core reservation system.

Other Weak Spots

Loyalty program systems pose another weak spot, security-wise, for hotels.

Earlier this month, for instance, hackers might have compromised less than 10 percent of members of the Radisson Rewards loyalty program when the chain failed to stop the compromising of access to customer names, physical addresses, contact information, frequent flyer numbers, and loyalty member numbers.

The hotel chain says that no financial data or passwords were involved in the breach.

Hotels aren’t unique in being attacked by hackers.

Earlier this year, Expedia-owned Orbitz said its systems may have leaked the personal information of people that made purchases between Jan. 1, 2016, and Dec. 22, 2017, affecting about 880,000 payment cards.

And while not a strict data breach, Booking.com paid about 10,000 customers who fell victim to a scheme where fraudsters conned its customers out of data.

However, while companies of all kinds have recently seen their data exposed wrongfully to third-parties, a casual look at a timeline of incidents suggests that the hotel industry has had some greater-than-usual vulnerabilities. The incidents might have the side effect of deterring customers from trading data with the hotels in exchange for potential benefits of personalized services, a major commercial goal for hotel managers and owners.

Expect more industry finger-pointing, too, given that management companies and owners and brand franchisors often point fingers at each other about who has responsibility for data security.

“As a result of this incident and newly hiked risk of fines from U.S., European, and UK regulators, I expect there will be an uptick in discussion among owners and management companies about who owns and has data protection responsibility for consumer data,” said Hinson of law firm Morris, Manning & Martin.

For more details, see our story: What Marriott’s Data Breach Means for the Hotel Giant and Guests.