Security breaches of hotel guest data are not uncommon, but few have been quite on the scale of the most recent incident involving 500 million Starwood Hotels guests.
On Friday, Starwood owner Marriott International, which bought Starwood Hotels & Resorts in 2016 for $13.3 billion, revealed it had recently discovered a massive security breach involving guests who had stayed at Starwood-branded properties from 2014 to September 10, 2018.
Guest information that may have been hacked included credit card information and passport numbers. The potential blowback on Marriott is still unfolding.
Marriott discovered the breach on September 8, and, according to Marriott spokesperson Connie Kim, “We have successfully contained the incident,” although this continues to be “an ongoing investigation.” It’s not clear why Marriott chose to disclose the breach on Friday.
But the news arrives at a time when the world’s largest hotel company has dealt with one of the largest hotel worker strikes on record, as well as mounting dissatisfaction from disillusioned Starwood Preferred Guest (SPG) loyalty members who have expressed their displeasure with the merger of SPG with Marriott’s own Marriott Rewards program. News of this security breach will be yet another setback for the company.
The security breach also raises a number of questions:
Should Marriott shareholders be worried?
In Marriott’s SEC filing regarding the breach, the company wrote that it does not believe this incident will have a significant financial impact on the company: “The company does not believe this incident will impact its long-term financial health. As a manager and franchisor of leading lodging brands, the company generates meaningful cash flow each year with only modest capital investment needed to grow the business. The company remains committed to maintaining its investment grade credit rating.”
Marriott shares dropped from their closing price of $121.84 on November 29 to $113.60 on Friday, November 30.
David Katz, an equity analyst with Jefferies, wrote in a note to investors: “We believe the announcement of the SPG database breach will pressure shares in the near term, but the ultimate implication to estimates will likely be marginal, in our view. Ultimately, we believe the pressures will be transitory and the investment merits of FCF [free cash flow] generation will come back to fore. Valuation remains a gating factor.”
Still, it’s too early to quantify how much impact this type of bad publicity or brand-image problem may have.
In a note to investors, Michael J. Bellisario, senior research analyst with Baird, wrote that he anticipates “somewhat negative” investor sentiment in the near term. He added, “We’ll be keeping a close eye on customer demand/loyalty, which could slip a bit in the near term, in our opinion. This security incident adds to recent customer concerns about merger-related hiccups, particularly surrounding the loyalty program integration, but we believe Marriott will continue to take the necessary steps to protect its biggest asset–its customers and their loyalty–and to ensure a successful merger integration process.”
Bellisario also said that Marriott’s recent challenges may give a boost to two of its U.S. competitors, Hilton and Hyatt, “from a stock perspective.”
As for the direct costs of this breach, Bellisario said they include “increased near-term technology and legal costs to resolve the data breach net of applicable insurance deductibles, increased cyber-security costs over the long-run to better protect customer data, and the near-term cost of a one-year enrollment in WebWatcher, for which an annual subscription retails for approximately $130 (but likely a lower cost for Marriott), for affected guests in the U.S. if they choose to enroll.”
Will Marriott pay hefty fines for violating the European Union’s General Data Protection Regulation (GDPR), a new set of rules regarding privacy protection?
Marriott couldn’t say whether or not it would, but an expert in GDPR and data protection said it’s likely.
Cathryn Culverhouse, a solicitor at U.K.-based law firm DMH Stallard, said, “Marriott (is) likely to be investigated by the ICO (regulatory body Information Commissioner’s Office in the UK) and could receive a hefty fine — up to 4 percent of their annual global turnover — given the large scale breach of sensitive information. This is likely to have a damaging impact on the hotel’s reputation.”
Culverhouse added: “If a customer of Marriott has been affected by the breach they should be notified by Marriott without delay — although delay is not defined within GDPR and such a timeline will depend on the circumstances. These customers also have a potential claim against Marriott for compensation in respect of any losses.”
Intense scrutiny and hefty fines from the EU may not be the only consequence Marriott faces in the wake of this data breach.
New York Attorney General Barbara Underwood has also opened an investigation into the data breach. Underwood’s communications director Amy Spitalnick wrote in an email to Bloomberg, “Under New York law, Marriott was required to provide notification to our office upon discovering the breach; they have not done so as of yet.”
What about that new reservations system integration that Marriott was working on? Is that impacted by this?
In September, Skift reported on the new attribute-based reservations system Marriott is in the process of integrating across all of its 6,700 hotels. As of November 6, however, only about 500 hotels had implemented the new system, CEO Arne Sorenson noted on a third quarter earnings call. The new system is expected to be put into place throughout Marriott’s portfolio by next year.
Essentially, however, the security breach reported today has no impact on the implementation of the new reservations system, called ERS.
“The cutover is going as planned,” Marriott’s Kim said. “This incident is completely separate from the work that was happening. I would say this shouldn’t have an impact on the reservation systems. They are two separate incidences, two separate tracks.”
What’s Marriott doing in the meantime?
Marriott has set up a call center and website to address consumer concerns.
“We got this out as quickly as we could,” Kim said. “We wanted to let the consumers know. Right now, we don’t have all the information but the goal and intent is to get the info out as soon as possible and make the info available to consumers who were impacted. That’s why we have the call center and the website in multiple languages. That was really the intent. It’s active and ongoing, but this incident has been contained.”
She added, “We’ve seen no additional evidence of this sort of actor in the system since September 10. We have successfully contained the incident.”
Marriott’s assurances, however, may be cold comfort to the 500 million guests potentially affected by the breach, and many may wonder why it took the company nearly two months to publicly report it. Looking at previous customer data breaches, though, the timeline Marriott followed aligns with those of other major companies that have dealt with similar incidents.
What should consumers do if they’re worried about their data being exposed?
Given that this is one of the biggest data breaches in history, there are many people who may have been impacted, and the nature of the information stolen is extremely sensitive.
CreditCards.com industry analyst Ted Rossman said, “The names, addresses, passport numbers and other sensitive personal information that was exposed is of greater concern than the payment info, which was encrypted. People should be concerned that criminals could use this info to open fraudulent accounts in their names.”
He added, “To guard against criminals opening fraudulent accounts, I recommend freezing your credit. It will prevent crooks from opening new credit in your name and can be accomplished for free in just a few minutes by contacting Experian, Equifax and TransUnion.”
Back in 2015, Starwood warned it had discovered malware that thieves use to steal information at some of its hotels’ cash registers. But Starwood at the time said nothing came of it. “We have no indication at this time that our guest reservation or Starwood Preferred Guest membership systems were impacted,” Starwood President Sergio Rivera wrote in a letter to affected customers.
“The malware was designed to collect certain payment card information, including cardholder name, payment card number, security code and expiration date. There is no evidence that other customer information, such as contact information, Social Security numbers or PINs, were affected by this issue.”
However, as New York Times Your Money columnist Ron Lieber has pointed out, the process by which consumers get information on what to do has not been clear, and Marriott is only giving impacted consumers in the U.S., UK, and Canada a year-long subscription to WebWatcher, a service that monitors internet sites where personal information is shared and generates alerts if evidence of the consumer’s personal information is found.
Attention all Starwood guests/breach victims: Marriott's instructions re enrolling in their breach protection (which should last longer than the year they are offering btw, ugh) are not clear. Here are some better ones. (THREAD) https://t.co/deLmatfgdI
— (((Ron Lieber))) (@ronlieber) November 30, 2018
Skift Editor’s Note: This story was updated to include remarks from Baird Senior Research Analyst Michael J. Bellisario and from New York Times Your Money columnist Ron Lieber, as well as information about New York State’s investigation into the data breach.