The 2018 Starwood Hotels breach is only the latest in a long line of high profile intrusions that hotels have faced. It’s notable primarily for how many customer records were exposed — 500 million worldwide according to parent company Marriott — and that the breach wasn’t discovered for four years. This makes the breach a particularly extreme outlier according to Ponemon Institute research data. A recent Ponemon report found that it takes an average of 197 days to discover a breach, and an average of 69 days to close it.
Given the amount of time it took to discover the breach, and the specifics around why, it’s worth wondering if the personal data of hotel guests is really secure when they check in. It’s an important question, especially because 46% of customers say their confidence in a hotel’s cyber defense influence if they book a stay there according to the Morphisec Hospitality Guest Threat Index.
Why are Hotels Data Breach Targets?
Hotels are rich targets for bad actors. Marriott International alone manages 1.16 million hotel rooms worldwide, which means they are able to provide lodging to a minimum of 423.4 million people in a single year. That’s more than the entire population of the United States, and roughly a third of the population of China.
For each of those guests, Marriott collects a plethora of personally identifiable and financial information. They have on file names, addresses, credit card information, passport and identity documentation, and the list goes on. If that data isn’t secure, then there is a high risk of malicious actors breaking into platforms like the reservation system or the in-house restaurant POS to capture critical customer data.
The personal information is key for identity theft, while the credit card data would assist with powering card-not-present financial fraud. How common is it for hotel guests to have their data stolen? Nine percent of U.S. consumers over the age of 18 have been the victims of data breaches from booking and staying at hotels, according to the Morphisec Hospitality Guest Threat Index report.
So how many people have been breached? The population of the United States over the age of 18 is estimated to be 254.7 million as of July 1, 2019. If 9% of all American adults have been breached, that equals roughly 22.9 million people using the U.S. Census estimates. This is solely from breaches related to hotel stays. With such a massive number of people impacted, the question now is what actions hotels have taken to prevent breaches from happening.
How are Hotels Securing Customer Data?
Credit where it’s due, the hotel industry has stepped up its efforts to protect customer data from breaches. According to the 2019 Lodging Technology Study, IT leaders at hotels have rated improving data and payment security as their top strategic goal. The number of hotels with breach protection has also doubled since 2017, and continues its upward trend.
AirBnB deserves special mention in this regard. They recently created the position of Chief Trust Officer and implemented mandatory multi-factor authentication to name a few of the actions the room-sharing company has taken. As a result of these steps, AirBnB is now more trusted among consumers in their 20s and 30s than traditional hotels. Conversely, older consumers tend to trust traditional hotels more than AirBnB.
The point is that hotels are making investments and taking important steps designed to protect their customers. Given their plethora of rich customer data, and the unsecured Wi-Fi networks that hotels provide for guest use, it’s crucial for cybersecurity protections to be put in place.
Are Hotel Guests Safe from a Data Breach?
Roughly 70% of consumers don’t think hotels are investing enough in cybersecurity, according to the Morphisec report. This is a crucial number, especially given how much the average consumer is concerned with the security of their PII and financial data. Given the severity of the 2018 Marriott breach, and the fact that UK regulators recently fined the company $124 million, IT security leaders at hotel chains would do well to understand the consumer perception of their work.
No one can say with complete confidence that anyone is ever safe from a data breach. Hotels should continue to invest in breach protection and, in cases where it’s possible, enhance their security architecture to protect against advanced threats. Marriott may be the latest major hotel data breach, but it’s unlikely to be the last. Unfortunately, that means the data of hotel guests can only be as safe as hotels are able to make their databases.