Are planners—and everyone else—who have booked at Starwood properties since 2014 taking a collective gulp or merely shrugging over the news from Marriott International that as many as 500 million guest records have been breached? And what should be learned from this latest instance of massive cybertheft?
Greg Sparrow, senior vice president and general manager at CompliancePoint, an Atlanta-area consultant for cybersecurity and risk management, bemoans the fact that repeated occurrences of data theft at major companies in recent years have led to a “desensitization” of public reaction. “That means the bad guys are doing better than the good guys,” he says.
Marriott says it inherited Starwood’s compromised data when it bought the competitor company in September 2016. “Why did it take almost two years for them to identify that?” Sparrow asks, adding that among the first tasks in such mergers is posing questions, such as, “What’s the state of the system you’ve acquired?” “Has there been a potential breach?” “Is there malware?”
“There are absolutely best practices out there to mitigate this stuff,” he says. “You’ll never completely eliminate it, but you can do a lot.”
In a statement announcing the data theft, Arne Sorenson, Marriott president and CEO, says his company is “devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”
A National Data Protection Law
But Sparrow doesn’t entirely blame Marriott for not detecting the theft earlier. “Hospitality has widely distributed networks that extend around the world. There are many points of entry. If you’re operating on razor-thin margins, protecting data is not the highest priority,” he says. “And, culturally, we don’t put real priority on keeping these breaches from occurring. There are no consequences for the companies involved. We don’t have a national privacy law, and companies won’t truly prioritize data protection without that.”
Some states, such as California, have passed strong data privacy laws. And the European Union’s GDPR includes stiff penalties for both data controllers and processors when systems are compromised. Yet the United States as a whole has lagged behind. “We just don’t have the regulatory landscape to deal with these big data breaches,” Sparrow says.
So, what does that mean for planners and all hotel guests? Sparrow’s answer will surprise no one, but is worth repeating.
“Try to silo your risk,” he begins. By that he means using a different password for each of your hotel rewards accounts, and never reusing those passwords for email or social media accounts, and certainly not for financial accounts.
“People need to realize there’s risk in storing information,” he says. “Companies need to think long and hard about what has to be saved and retained. If there’s no good business reason for it, get rid of it.”
As consumers, he urges, we should “be mindful of the type of information that’s being asked for.” Among the stolen Starwood data, in some cases, were individual passport numbers. Sparrow says they should have been encrypted along with credit card information. “They’re more valuable on the black market than credit card numbers,” he says.
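The two recommendations above, keeping only what there is a business reason to keep and encrypting passport and card numbers at rest, as an added Go example that is not from the article or from any hotel company’s systems. The GuestRecord layout, the Vault type, the column names and the sample guest values are all constructed for illustration; a real deployment would source the key from a key management service rather than generate it in process.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// GuestRecord is a constructed stand-in for a reservation row: the name stays
// in the clear, passport and card numbers are kept only as AES-256-GCM blobs.
type GuestRecord struct {
	Name        string
	PassportEnc []byte // nonce || ciphertext || tag; nil once retention ends
	CardEnc     []byte
}

// Vault wraps the AEAD built from the table key (a 32-byte key selects AES-256).
type Vault struct{ aead cipher.AEAD }
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	return &Vault{aead}, err
}
// Seal encrypts one value under a fresh random nonce, binding the column name
// as associated data so a blob cannot be swapped between columns unnoticed.
func (v *Vault) Seal(column, plaintext string) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return v.aead.Seal(nonce, nonce, []byte(plaintext), []byte(column)), nil
}
// Open reverses Seal; a tampered blob or the wrong column fails the tag check.
func (v *Vault) Open(column string, blob []byte) (string, error) {
	n := v.aead.NonceSize()
	if len(blob) < n { return "", errors.New("ciphertext too short") }
	pt, err := v.aead.Open(nil, blob[:n], blob[n:], []byte(column))
	return string(pt), err
}
// NewGuestRecord encrypts the sensitive fields at write time, so a dump of the
// table alone exposes neither a passport nor a card number.
func (v *Vault) NewGuestRecord(name, passport, card string) (GuestRecord, error) {
	p, err := v.Seal("passport", passport)
	if err != nil { return GuestRecord{}, err }
	c, err := v.Seal("card", card)
	return GuestRecord{Name: name, PassportEnc: p, CardEnc: c}, err
}
// ExpirePassport is the retention step: with no business reason left to hold
// the passport number, the ciphertext itself is deleted rather than hidden.
func (g *GuestRecord) ExpirePassport() { g.PassportEnc = nil }
```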