MARRIOTT INTERNATIONAL IS still assessing the cost of a massive data breach of the company’s Starwood reservation system that exposed the information of potentially 500 million guests. However, according to a filing the company made with the Securities and Exchange Commission, its long-term financial health will not be affected.
However, the extent of the damage to the consumers affected by the breach could take even longer to assess, and one security expert said Marriott and other hospitality companies need to take steps to prevent future leaks.
“I think it’s pretty clear that businesses are not doing enough,” said Greg Sparrow, senior vice president and general manager at CompliancePoint computer security firm.
Last week, Marriott said the investigation into the breach began in September after one of its internal security tools detected an attempt to access the database in the U.S. It determined that since 2014 an unauthorized party had been copying and encrypting information from the database. While the company is still sifting out duplicate data, it currently believes that the data came from about 500 million guests.
The information included mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, dates of birth and gender. Some payment card numbers and expiration dates also were exposed, but the company believes they are protected by its encryption.
In the SEC filings, Marriott said “it is premature to estimate the financial impact” the breach will have on the company. It indicated it had cyber insurance and is working with the insurance company to assess its coverage.
“The company does not believe this incident will impact its long-term financial health,” Marriott wrote in the filing. “As a manager and franchisor of leading lodging brands, the company generates meaningful cash flow each year with only modest capital investment needed to grow the business. The company remains committed to maintaining its investment grade credit rating.”
Sparrow said he has not necessarily seen an increase in the number of data breaches at hotels in recent years. However, the size of the breaches in terms of amount of data compromised has grown.
“Now you’re seeing astronomical numbers,” he said. “I think it’s always been an industry that is ripe to see the breach of sensitive data.”
Like any businessman, a hacker is looking for a good return on their investment, Sparrow said. Hotels too often provide a large trove of data with easy access. The biggest vulnerability for hotels is the fact that they tend to have large, distributed networks that provide multiple points of entry.
“You’ve got to make sure that you have all those places hardened,” Sparrow said.
Marriott may have inherited the breach when it bought the Starwood system. In 2015 the company investigated and fixed a minor breach, but Sparrow said its remediation may have left one attacker still intact.
“They just didn’t open up their view and say ‘Are there other things happening in this environment?’” he said.
This is why Sparrow recommends that companies perform a thorough investigation of any legacy system included in an acquisition, even though many do not want to take the expense or risk breaking the legacy system. “They’re assuming a lot of risk with those systems moving forward into the acquisition.”
Most hackers find a way in through multiple points of entry, but then they have to find a way to remove data from the system without detection.
“That outbound data flow is often the red flag,” Sparrow said.
As in the Marriott case, hackers will encrypt the information so a company’s security system doesn’t know what is being removed. “They’re using encryption protocols to circumvent security controls that are watching what’s going out.”
However, Sparrow said one can still look for protocols and operations that simply don’t belong to detect the breach. The problem is the standard “perimeter security” approach most companies take, he said. They focus on preventing entry to the system, but once that entry is achieved there is very little in place to detect the internalized threat.
Sparrow recommends a layered approach to security that can quickly detect intruders inside the system, and then having procedures in place for handling the threat. “They have to assume that there’s going to be a breach and they have to have a plan to deal with that.”
While Marriott believes most of the credit card information taken in the breach is protected by its own encryption, Sparrow said the personally identifying information taken, like passport numbers and passwords, can still be used or sold on the black market. In fact, he said that information can be even more valuable because it remains useful for much longer than credit cards, which are easily cancelled.
“There’s lots of different ways to monetize the data on the black market,” he said.
The financial impact of the breach could go beyond the loss from the actual data compromised as hotels in the Starwood brands contend with fraudulent chargebacks, according to Srii Srinivasan, CEO of Chargeback Gurus consulting firm.
“We have seen when there are data breaches of this kind, fraudulent payment chargebacks spike by up to 5 percent,” Srinivasan said. “This could tack on, in the case of a company like Marriott, many millions of dollars to the cost of recovering from the hack. While dealing with a data breach, companies and their banks will often side with the customers and write off the chargeback claims as a cost of doing business, but this is an unnecessary loss they may be accepting.”
To mitigate the impact from such false claims, Srinivasan suggests companies create and action plan for handling chargeback claims using employees or a chargeback management company. Not every chargeback should be automatically accepted, but rather checked against analytics and reason codes to determine their true nature. Particular diligence in these procedures should be taken for up to a year after the breach.
Starwood brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Starwood branded timeshare properties are also included in the database.
“We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center,” said Marriott President and CEO Arne Sorenson. “We will also continue to support the efforts of law enforcement and to work with leading security experts to improve. Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”
The dedicated website is info.starwoodhotels.com, and the call center is open 24/7 in multiple languages. Also, the company is sending email notifications to affected guests on a rolling basis, and they are offering free enrollment in WebWatcher, a service that monitors the internet for usual activity with clients’ information.
The Marriott breach is second in size only to the 2017 breach at Yahoo that affected 3 billion accounts, according to CNN.com. CNN also reported that Marriott’s stock fell 4 percent in premarket trading Friday on news of the breach.
In October, Radisson Hotels found a breach in its Radisson Rewards system. In that breach, an unauthorized party gained access to some member’s name, address (including country of residence), email address, and in some cases, company name, phone number, Radisson Rewards member number and any frequent flyer numbers on file.
The company revoked the unauthorized access and flagged all affected accounts to monitor for suspicious behavior. It also warned members to look out for attempts to “social engineer” attempts to get more information.
“You should also be aware that third parties may claim to be Radisson Rewards and attempt to gather personal information by deception (known as ‘phishing’),” the company said. The phishing can include links to fake websites. “Radisson Rewards will not ask for your password or user information to be provided in an e-mail.”
Last year saw several data breaches at major hotel chains. In May Sabre reported a breach in its online reservation system that did compromise payment card information. Around the same time Hard Rock Hotel properties reported a breach in its reservation system as well.