Hotel Interactive®, Inc.
Breach Of Etiquette?

Marriott Faces Potential $123 Million Fine From ICO Following Starwood Hack

Wednesday, July 10, 2019
Dennis Nessler
It seems that those who wanted their pound of flesh from Marriott International following last year’s massive data breach are going to be more than satisfied. The UK Information Commissioner’s Office (ICO) earlier this week revealed a proposed fine of more than $123 million for the largest global hotel company as a result of breaching European data protection law.

The breach was announced in November of last year following the company’s 2016 acquisition of Starwood Hotels & Resorts but was actually traced all the way back to 2014. The company discovered the Starwood reservation database had been hacked over a four-year period in one of the largest breaches in corporate history involving up to 383 million guests. In addition, the breach affected about 30 million residents of the European Union, according to the ICO.

The notice of intent from the ICO is issued to give other EU data protection authorities, not to mention Marriott, a chance to comment before a final decision is made. Not surprisingly, Marriott has said it intends to contest the fine and “vigorously defend its position.”

The hefty fine, if it stands, would represent some 3% of the company’s global revenue of $3.6 billion in 2018, which would be both significant and unprecedented. In announcing the proposed fine, the ICO, which is a British data protection watchdog, publicly stated that its investigation found that “Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.”

The ICO is now permitted to hand down a fine of up to 4% of a company’s global annual revenue for a breach under the GDPR (General Data Protection Regulation), a marked increase from the maximum fine of 500,000 pounds that was permitted under the previous data protection regime. And the organization apparently has wasted little time taking advantage of that increased power. In addition to Marriott’s penalty, this past Monday British Airways was fined a record $230 million for the theft of data from 500,000 customers from its website last year.

Make no mistake, these fines are meant to send a clear message to these large publicly traded companies that more needs to be done to protect customers’ valuable information. And the reality is this may be just the beginning for Marriott, as no less than five U.S. states had launched investigations into the breach as of March, according to Reuters.

But Marriott is far from the only hotel company that has experienced a data breach. Hilton, Hyatt and InterContinental have all acknowledged cyber attacks over the last several years, albeit not to the level of Marriott. Unfortunately, the hotel industry remains one of the most vulnerable and targeted industries by hackers. Point-of-sale systems, in particular, as well as third-party providers, represent key points of entry where guest data can be vulnerable. Hackers can also exploit a hotel’s WiFi network as a means of targeting business travelers.

In response to the proposed fine, Marriott International President and CEO Arne Sorenson said in a statement, “We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”

The bottom line here is Marriott and other major hotel companies need to prove that now. They need to invest more heavily in systems and SOPs to protect guest data, not just in terms of technology solutions but in terms of key personnel and infrastructure. The issue also needs to be addressed at the property level. Training is key for these properties, as breaches are more often than not the result of human error.

These are all costly investments to be sure at a time when operating costs are increasing and profitability is being squeezed. However, Marriott was just reminded how costly it can be to leave anything to chance.
