Long before Marriott International Inc. disclosed a massive security breach, the hotel industry had earned the dubious reputation as a hospitable place for hackers.
Thieves have skimmed credit cards, looted loyalty accounts, and mounted complex schemes to trick clerks into downloading malicious software. In one elaborate series of attacks known as DarkHotel, networks at individual properties were hijacked to spy on corporate executives and politicians. In a cruder ploy, crooks have even seized control of a keyless entry system, locking down rooms until the hotel owner paid a ransom.
Now, as Marriott grapples with the fallout from its Nov. 30 disclosure that as many as 500 million guests had their data exposed to hackers, there is a growing sense that an industry whose bedrock business is providing real-world security isn’t equipped to look after its guests in cyberspace. The company is preparing to deliver written responses next week to a U.S. Senate inquiry amid reports the attack was carried out by the Chinese government.
“People trust us to allow them to sleep safely and securely,” said John Burns, president of Hospitality Technology Consulting. “There’s a longstanding tradition of an innkeeper, that we fulfill that commitment to them. Has it extended naturally, with the same diligence, to the digital environment? Not always.”
Marriott hasn’t yet provided a detailed accounting of the attack, which they continue to probe.
“Our primary objectives in this investigation are figuring out what occurred and how we can best help our guests,” said Marriott spokeswoman Connie Kim in an emailed statement. “We have no information about the cause of this incident, and we have not speculated about the identity of the attacker.”
When Marriott paid $13.6 billion for Starwood Hotels & Resorts in 2016, the aim was to have a bigger company that could compete with Google, Amazon and other online firms that use their knowledge of consumer preferences to gain primacy with customers.
Modern hotel companies see tech firms as competitors because they function like e-commerce platforms, licensing their brands and booking engines to investors who own and run the properties. They want to drive direct booking, cut out online travel agencies and convince travelers to use loyalty points to pay for products from diapers to skydiving lessons — then tailor their marketing based on a guests’ past choices.
Yet these would-be tech businesses have the DNA of real estate developers and catering companies, and their treasure troves of customer data often are accessed through antiquated systems because cost-sensitive investors see more-immediate returns from money spent on new carpeting rather than intangible security measures. The impulse to protect guests can be moderated by the cost and complexity of implementing safeguards across sprawling systems.
“The brand companies take security very seriously, but the cost of keeping up with changes in technology are prohibitive,” says Chad Crandell, chief executive officer of CHMWarnick LLC, a hotel investment adviser. “To spend a lot of money on service and protection and have it fail is not a good place to be either.”
Hospitality was the third-most targeted industry after retail and finance, according to a report this year from information-security firm Trustwave Holdings, in an onslaught that has left few corners of the industry untouched. Hilton Worldwide Holdings Inc., Hyatt Hotels Corp. and InterContinental Hotels Group have all been targeted in past attacks, as have Trump Hotels, Radisson Hotel Group and Mandarin Oriental.
“The industry is behind in a lot of ways,” said Gates Marshall, director of cyber services at CompliancePoint, a consultancy that focuses on privacy and security.
The Starwood purchase did give Marriott scale as the largest hotel company in the world, but it got more than it bargained for, since hackers had penetrated the Starwood reservation system undetected back in 2014. The company could face up to $1 billion in regulatory fines and litigation costs, according to Bloomberg Intelligence.
Marriott Chief Financial Officer Leeny Oberg said at an investor conference on Dec. 5 that it was too early to estimate how much the hack would cost, and that the company was already stepping up investments in cyber-security prior to discovering the breach. Marriott hired a new chief information security officer in January, and its most recent proxy statement included a description of the board’s oversight of cyber risks that wasn’t present in previous filings.
Kim, the Marriott spokeswoman, declined to comment on the nature of the company’s investments in security, and said Marriott updates risk-factor disclosures as they change.
Whether hotel guests punish Marriott for the hack remains to be seen, especially since a series of massive hacks on other companies has numbed many consumers to the loss of personal data.
So far, consumer data accessed in the Marriott hack aren’t being advertised on criminal marketplaces. The attack has been linked to a Chinese government intelligence agency that targeted hotels, insurers and a U.S. government agency, the New York Times reported on Dec. 11. That may spare Marriott some criticism, since customer data isn’t being sold to thieves, and even the most-sophisticated companies can be overmatched by government spies.
The stakes are only getting higher. Hotel companies are experimenting with voice-operated technology and Internet-connected rooms that could mean storing increasingly personal information, like biometric data, or what time a guest likes to go to sleep.
“Many companies have been scrimping on the cyber-security budget,” U.S. Commerce Secretary Wilbur Ross said on CNBC in response to a question about the Marriott hack. “They haven’t been as protective of their own resources as they should have been. So the first thing they should be doing is trying to make sure that they’ve done more to protect themselves than they have been doing before.”