Security breaches of hotel guest data are not uncommon, but there are a few which have been on a massive scale.
We’ve all heard about the data breach revealed by Marriott International Hotels when the company bought Starwood Hotels. Unfortunately, Starwood Hotels had been a victim of an ongoing security breach that lasted from 2014 all the way to September of 2018.
In this multi-year-long attack, the private data of more than 500 million Starwood Hotel guests was harvested by hackers. Everything from guest credit card information, passport numbers, phone numbers, email accounts, and guest reward membership information was compromised.
While Starwood Hotels were in no way a small hotel-chain, they weren’t anywhere near as large as Marriott International. Starwood had failed to identify the data breach for years and hadn’t even noticed that there was a problem.
Marriott hadn’t considered the potential vulnerabilities in the current data systems of Starwood Hotels prior to purchasing the company. Only after Starwood Hotels had been acquired by Marriott International was the data breach discovered, and at this point, it was far too late for Marriott.
How could something like this have happened, especially when data security and privacy is one of the big topics in business today?
Had Marriott known about the data security breach before buying Starwood Hotels, this story would likely have gone very, very differently.
Instead, Marriott not only inherited this massive issue, but the hotel giant also had taken on responsibility for the consequences of this data scandal.
Marriott International chose to publicly announce the discovery of this data leak. However, they didn’t report the breach immediately either; it took them two months from the time of discovery before they reported this issue.
This two-month lapse of time between the discovery of the data breach and finally reporting it resulted in some heavy criticism about how Marriott International chose to respond to this critical issue.
In today’s world, people expect authenticity and transparency, especially when it comes to the mishandling of sensitive and personal information. No matter how bad the PR fallout may be, it is always much worse when an organization attempts to withhold, censor, or simply fail to report a personal data security breach. Despite the length of time Marriott took to report the data breach, they did make the right choice in being proactive, rather than trying to cover it up.
The resulting fallout from this security breach cost Marriott International a lot.
Immediately following the announcement, Marriott International’s stock dropped a significant amount, giving its biggest competitors—Hilton and Hyatt Hotels—an advantage in the marketplace.
Heavy costs were incurred in a variety of ways, including multiple legal violations, insurance costs, the need to upgrade and implement better technology across the entirety of their systems, long-term cybersecurity cost investments, and even in offering a one-year subscription to a data security protection service to their affected customers.
Marriott International also had to answer for violating the European Union’s General Data Protection Regulation (GDPR), which included legal fees and heavy fines.
It’s even been suggested that Marriott International be responsible for providing new passports to every single guest affected by this data security breach.
So, the moral of this story? Don’t be the next Marriott and Starwood Hotel—you simply can’t afford it.
In fact, smaller businesses are frequently targeted by hackers because their data security and privacy policies tend to be weaker. Not only are small businesses less likely to discover a data breach, but they also may have far more difficulty in containing and removing the threat entirely.
This makes smaller boutique hotels an attractive target because even small hotels can have large amounts of private guest information.
Be sure to consider these steps carefully when reviewing your hotel’s data protection policy.
1. Audit Your Data Processes
Running a data security system audit across your hotel’s various systems is one of the most important security measures you can take. This includes your POS systems, third-party booking sites, your hotel’s various data systems, and even your electronic key card programming system. And while you need to require and enforce strict usage guidelines, these same guidelines shouldn’t hinder guests from connecting their devices to your hotel’s Wi-Fi network. All guest data collected by your systems must be carefully handled and stored. You need to have clearly defined standards for who has access to this data and for how long it’s stored in your system’s data banks. Your audit should also extend to your third-party partners. Your security is only as strong as the weakest link in your system; a vulnerability in a third-party vendor creates a “backdoor entrance” into your hotel’s network that can be exploited.
2. Cybersecurity Training for Your Employees
Security needs to become a cultural norm at your hotel. As with third-party vendors, your system security only works when the people using it follow the correct cybersecurity practices. People can easily make a mistake, fall for a phishing scam, open the wrong email, or even fall victim to social engineering. Ensuring proper training of all your employees can greatly reduce potential threats to your hotel guests’ data. Promote a culture of accountability with your employees and invest in regular training to help them recognize, safely navigate, and report any and all instances of suspicious activity.
3. Real-Time Cyber Attack-Based Security
The technology and digital landscape are constantly evolving, which makes it impossible to account for every potential vulnerability and threat. As unnerving as it may be, even the top-security systems of governments are vulnerable to attack. Thus, integrating attack-based security systems is a proactive way to help ensure you’re protecting your hotel guests’ private data. Real-time attack-based data security works to detect, prevent, and neutralize attacks as they are occurring. Detecting a data breach as it’s happening gives your data security professionals the time needed to implement the correct security measures to minimize the impact of an attack.
4. Ensure You’re Using Compliant Partners and Tools
This can be done as a part of your security systems audit, but in order to maintain strong protection, this should be done every time you engage in a new third-party partnership—before you sign any contracts and give them access to your systems. This best practice is vital to your system security as well as to protecting your guests’ private data. A commitment to working only with compliant partners and tools strengthens your position as a data-safe and secure hotel. It helps to boost hotel guest confidence about how you handle their data while also protecting your hotel from potential threats.
5. Hack Your Current Systems to Find Vulnerabilities
Employing an ethical hacking service can help you find potential vulnerabilities in your data security systems. They can also help you to understand how to close these gaps. Using a service like this can help you to discover both future and current threats to your data security system. Former employees who may still have access to systems, or even current employees who may be coerced into selling information to malicious parties, are harder to detect, but a regular ethical hacking service can help to protect you from threats both inside and out.
6. Inform Your Guests and Allow Them to Opt-In
7. Report Cybercrime Responsibly
Cybercrime is an unavoidable reality, and it must be reported responsibly. Reporting a data breach is never easy, but it will work in your favor when reported quickly and responsibly. This helps officials and cybersecurity professionals to learn more about how and why the attack occurred, as well as what was taken and, perhaps most importantly, how to prevent future attacks. It’s also important to remember that you should always collect as much information as possible about the data breach, especially regarding private information. This will assist you with informing your hotel guests about what happened and how you’re working to protect their data from further interference, while also giving them the opportunity to take extra measures toward further securing their own data.
One of the main concerns among travelers everywhere is how a company will handle their private data. People want to know without a doubt that their personal information is protected, no matter where they are.