Marriott called to pay for guest passports amid data breach

Amid Marriott International's ongoing data breach, Sen. Chuck Schumer, D-N.Y., is calling for the company to pay for new passports for guests who have had their personal information stolen by hackers. Marriott said the company will reimburse customers who are targeted for fraud following the theft of their passport information, but Schumer said the company should be responsible for providing $110 replacement passports.

“Right now, the clock is ticking to minimize the risk customers face and one way to do this is to request a new passport and make it harder for thieves to paint that full identity picture,” Schumer said.

Brands impacted by the breach include Starwood Hotels & Resorts Worldwide properties such as Sheraton, Westin, St. Regis, Le Meridien and W Hotels. While the hackers had access to Starwood’s guest reservation database for four years, investigators found no evidence that Marriott hotel guests were compromised. Because of the covert nature of the hack, neither Marriott nor Starwood was aware of the hackers’ presence until this past September.

Marriott learned of the breach thanks to a security alert it received on Sept. 8. Following an internal investigation, the company discovered Starwood’s security had been compromised since 2014. A statement from Marriott said investigators also found an unauthorized party had “copied and encrypted information, and took steps toward removing it.”

Hidden Hack

According to Marriott, hackers had access to Starwood’s reservation database from 2014 through September of this year, putting the information of approximately 500 million guests at risk.

For as many as 327 million guests, compromised information could include passport information, telephone numbers and email addresses. In addition, some other guests' credit card information was within the hackers' reach, according to the company.

What XM Cyber Principal Security Architect Rich Gardner finds troubling is that the stolen information also includes payment card numbers and payment card expiration dates. The card numbers were encrypted with the Advanced Encryption Standard (AES-128), but two components are needed to decrypt them, and at this point Marriott has not been able to rule out the possibility that both were taken.

“What this means is that the person or people that hacked into this system must have been there for quite some time in order to find the two keys to decrypt the credit card information,” he said. “Or, the credit processing system or the application that stored the credit card information was poorly designed.”
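The “two components” Gardner refers to match a common design, envelope encryption: each card number is encrypted under a per-record data-encryption key (DEK), and the DEK is stored only in wrapped form under a key-encryption key (KEK) that lives outside the database (in an HSM or key-management service). The Go program below is an added illustration of that design, not Marriott’s or Starwood’s code; it assumes AES-128-GCM for both layers and shows that a dumped reservation table is useless without the KEK, while a wrong KEK fails authentication rather than yielding a plausible-looking card number.

```go
package main

import "crypto/aes"
import "crypto/cipher"
import "crypto/rand"

// CardRecord is all the reservation database holds: the PAN under a per-record DEK, and that DEK wrapped under a KEK kept elsewhere.
type CardRecord struct{ EncryptedPAN, WrappedDEK []byte }
// aead builds AES-128-GCM from a 16-byte key.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // a wrong key length is a programming error, not runtime input
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return g
}
// randBytes draws n bytes from the OS CSPRNG (used for nonces and fresh DEKs).
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
// seal encrypts plaintext under key, prepending the random nonce to the output.
func seal(key, plaintext []byte) []byte {
	g := aead(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}
// open reverses seal; a wrong key fails GCM authentication instead of yielding garbage.
func open(key, sealed []byte) ([]byte, error) {
	g := aead(key)
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}
// StoreCard draws a fresh DEK, encrypts the PAN with it, and wraps the DEK under kek.
func StoreCard(kek []byte, pan string) CardRecord {
	dek := randBytes(16) // AES-128 data-encryption key, one per record
	return CardRecord{EncryptedPAN: seal(dek, []byte(pan)), WrappedDEK: seal(kek, dek)}
}
// RecoverCard needs both components: the database record and the KEK from the key store.
func RecoverCard(kek []byte, rec CardRecord) (string, error) {
	dek, err := open(kek, rec.WrappedDEK)
	if err != nil {
		return "", err // no KEK, or the wrong one: the wrapped DEK stays opaque
	}
	pan, err := open(dek, rec.EncryptedPAN)
	return string(pan), err
}
```

The design only helps if the KEK is genuinely separate from the database host and its backups; if an intruder with years of access can reach both stores, both components are exposed, which is exactly the possibility Marriott could not rule out.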

Marriott, the largest hotel company in the world with more than 6,700 properties in its system following its 2016 acquisition of Starwood for $13.6 billion, will be notifying customers whose records were located in its database. To facilitate this process, Marriott has established a dedicated website and call center to work with guests who have questions about the status of their personal information.

[Photo: Marriott International President/CEO Arne Sorenson at ALIS earlier this year. Credit: Robert Rooks Photography]

“We deeply regret this incident,” stated the megachain's President and CEO Arne Sorenson. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

While still too early to estimate any financial impact of such a breach, Marriott said it is working with insurance carriers to assess the potential damage. As part of its statement, Marriott contended the breach will not impact the company’s long-term financial health.

For any organization that deals in consumer data, breaches have become a fact of life. Last month, Radisson Hotel Group announced its Radisson chain was impacted by a data breach. In Radisson’s case, hackers were not able to access credit card or password information, but were able to obtain member names, addresses, email addresses, company names, phone numbers, Radisson Rewards member numbers and frequent-flyer numbers. On top of this, Orbitz revealed hackers accessed the information of nearly 900,000 guests in March.

Fines Abroad

What differentiates breaches such as Marriott’s and Radisson’s from previous hacks at IHG or Hyatt Hotels Corporation is the passage of the European General Data Protection Regulation, which went into effect this past May. GDPR requires that any breach be reported within 72 hours of discovery, and it allows fines of up to 10 million euros, or 4 percent of a company’s annual global revenue, if investigators find security deficiencies.

Pete Trombetta, analyst at financial service company Moody’s, said that in the short term, litigation, liability and the direct costs of any investigations will be immediate concerns for Marriott, but the real damage from a breach of this size likely will take shape down the road.

“Longer-term risks include any concerns guests may have about staying at a Marriott property [because] Marriott and Starwood merged their rewards program in August,” Trombetta said.

Sam Curry, chief security officer for cyber security firm Cybereason, said 2018 has been “the year of the breach,” with hundreds of major brand names falling victim to data thieves. These include T-Mobile, British Airways, Air Canada and now Marriott.

“With mega breaches like this one, in general we have become desensitized with the astronomical numbers. What does 500 million, 1 billion or 5 million names mean when we start to get this high? It’s likely that every living human on the face of Earth has been hacked,” Curry said. “Brands are suffering regularly and time will tell what happened with Marriott and people will need to be held accountable.”

Ian Eyberg, CEO of security firm NanoVMs, told Hotel Management he anticipates Marriott will face heavy fines because of its strong European presence and the application of GDPR. He said the three-month lag between Marriott’s discovery of the hack and its announcement to the general public is routine, because it is difficult to ascertain how long a hacker has had access to a system and because the company needs time to prepare for damage control.

However, Eyberg also said unless serious changes are made to the security infrastructure used by most businesses, issues with data security are likely to increase in the near future. This is partly due to archaic systems propping up many companies' networks on the back end, but that is only one piece of the puzzle.

“Companies are just stockpiling data and that is very, very valuable to hackers,” Eyberg said. “When integrating with various service providers in the future, drill into this question of security: Is standard protection going to cut it? No. Do we have to go to our developers and see if there are better solutions? Maybe. The problem is not going away, it’s arguably getting worse.” 

Fraudulent Chargebacks

For a company such as Marriott, the concerns a breach raises about its customers and its ability to keep their data safe may be only the start of the harm it suffers.

According to Chargeback Gurus CEO Srii Srinivasan, the cost of a data breach can continue for months, as fraudsters and unscrupulous customers take advantage of Marriott’s weakened position and victimize it with fraudulent chargebacks.

“We have seen when there are data breaches of this kind, fraudulent payment chargebacks spike by up to 5 percent,” Srinivasan said. “This could tack on, in the case of a company like Marriott, many millions of dollars to the cost of recovering from the hack. While dealing with a data breach, companies and their banks will often side with the customers and write off the chargeback claims as a cost of doing business, but this is an unnecessary loss they may be accepting.”

Companies dealing with a data breach should also prepare for a wave of chargebacks, which can be mitigated. Srinivasan said that for large businesses like Marriott, this can be an opportunity to better understand the customer experience by tracking each chargeback to determine whether it was due to the hack, a fraudulent claim or a quality-of-service issue.

“Every chargeback tells a story and it is best to apply industry-standard analytics to determine where chargebacks are originating from and how a company, big or small, can gain insights into their customer’s experience,” Srinivasan said.