Marriott's Starwood Data Breach Joins a Decade-Long List of Hotel Data Exposures
Skift Take
Several years ago, the hotel industry fought U.S. federal watchdog efforts to fine chains for negligent data protection practices, arguing that hotels had things under control. Hmm. A rash of hotel security incidents since then undercuts the claims of hotels, which need to take a more bank-like approach to data protection.
When Marriott International revealed a massive security breach at Starwood-branded properties, it joined an unfortunately long line of guest data breaches at hotel companies.
The scope of the breach at the world's largest hotel group is larger than that of any other publicized breach in the travel industry. Marriott said the breach affected hundreds of millions of customers who stayed at Starwood-branded properties between 2014 and September 10.
Potential Record Fines
The breach may also expose parent company Marriott to record fines because, unlike most past breaches, some of the activity appeared to happen after Europe put the General Data Protection Regulation (GDPR) into effect in May 2018, which boosted fines for violations of data security rules.
Exact fine estimates are impossible to gauge, but experts said the prospective range would be potentially higher than the spectrum used by European Union and U.S. officials in the past. European officials have the discretion to fine companies up to 4 percent of annual revenue in the year preceding a data protection incident.
Other investigations are in the offing. On Friday, the New York attorney general's office said it would open an investigation into the breach.
That office has had success in pursuing prosecutions before. In 2017, Hilton Worldwide agreed to pay a $700,000 fine to the state of New York after data security failures exposed more than 350,000 credit card numbers in two breaches in 2015.
A related issue: When Starwood had a separate malware-driven credit card data breach that it announced in October 2015, it claimed that it checked and found that hackers hadn't compromised its core guest reservation systems.
Its security experts missed the separate hack that was discovered later. How Starwood handled that incident may come under review by federal investigators and by the insurance companies on the hook for covering the hotel group against events like this.
"When attorneys conduct privacy and data security inquiries as part of mergers and acquisitions, the prospective buyer reviews representations of potential risks from an acquiring company so that it can calculate the appropriate purchase price," said Bess Hinson, senior associate and chair of cybersecurity and privacy practice at law firm Morris, Manning, and Martin.
"Some people may be curious, gi