On Friday, hotel group Marriott International became the latest target of relentless hackers. The hotel giant reported that the records of a whopping 500 million customers were involved in a data breach. It admitted, after an internal investigation, that the guest reservation database of its Starwood division had been “compromised by an unauthorised party” since 2014. The Marriott-owned Starwood hotel brand range is tremendous and includes properties like Sheraton, Westin, W Hotels, St. Regis, Four Points, Aloft, Le Méridien, Tribute, Design Hotels, Element and the Luxury Collection. This means that, for four years, hackers have had unfettered access to a treasure trove of personal information belonging to a vast array of hotel guests, from credit card information to home addresses, even to passport numbers. This assault on and breach of personal and confidential data is second only to the 2013 breach of Yahoo, which saw three billion user accounts hacked. Even though online security measures have certainly improved in leaps and bounds recently, the Starwood attack serves as a chilling reminded that, in this digital age, the computer networks of big companies remain vulnerable to hackers.
According to cybersecurity experts, the hotel and hospitality industry has recently become a rich target for nation-state hackers looking to track the travel movements and preferences of key figures like heads of states, diplomats, chief executives as well as other people of interest to espionage agencies. It would seem that Marriott has joined the growing community of hacked hotels. Only last month, the Radisson Hotel Group identified a breach in its Radisson Rewards database. In comparison to the Starwood attack. Radisson’s breach was relatively minor, particularly since no payment card or password information were compromised by the breach. Other notable hotel groups have had their cybersecurity walls breached, such as the Hilton, Hyatt Hotels Corporation and even the Trump Hotel Collection. In light of this, it comes as no surprise that hotel companies, big and small, need to double down in an attempt to render breaches of this magnitude become a thing of the past.
Ted Harrington, executive partner with hospital security consulting firm Independent Security Evaluators, calls for the entire industry to “recognise the severity of the challenge ahead of us”. “Security is not just an IT issue; it is a critical board-level priority and should be treated and resourced accordingly.” He also suggests that chief information security officers be equipped with a suitable budget, headcount, and should report directly to the CEO rather than another member of the C-suite. Nevertheless, Harrington believes that if there’s a silver lining to this breach, it’s that it underscores the significance of security and highlights it as “a mission to be pursued, rather than a cost to be minimised”.
What will hotels get out of pursuing this mission? Crucially, it has been demonstrated in a study published by Emerald Group Publishing Limited that information security breaches have a profound impact on hotel guest perception of service quality, satisfaction, revisit intentions and word-of-mouth. This is a clear indication that hotel operators must continually strive to keep sensitive data collected from their guests safe and secure. Failure to do so can have demonstrable negative consequences on current and future guests. Therefore, it makes more fiscal sense for hoteliers to devote time, effort and money into safeguarding confidential information as opposed to trying to mend the revenue and reputational damage caused after a cyber-attack.
So, how can hotels protect themselves and their guests from data breaches? There are some practical steps you can take today.
Firstly, hotels can destroy information that is no longer required, and indeed the new General Data Protection Regulation that took effect earlier this year makes it difficult to hold on to the data of EU customers.
Furthermore, hotels could provide their staff with ongoing training in order to educate them and make them aware of best practices in online security.
Thirdly, hotels ought to have a proactive crisis plan in plan in the event of a breach, as such a plan has the potential to identify emerging threats and eliminate them before they become a problem.
Finally, the implementation of a mobile security policy can play a part in securing sensitive and confidential data.
In short, there is no shortcut to properly reliable cyber-security and it is time for hotels to re-educate themselves on security procedure and protocols. This can only be highly beneficial in the long run. Our AP team is happy to discuss this further with you and to introduce you to cyber-security experts who can help you assess how prepared your hotel is for data breaches.
Comments