The recent revelation of the second Hyatt data breach in the past two years has not only impacted the guests’ personal information, but also affects the loyalty, trust and consumer perception of all Hyatt Hotels Corporation guests — past, present and future. So how can Hyatt and other hotels recover and prove to guests that they are safe and trustworthy?
Breach fatigue may be the new normal, but the second successful attack on Hyatt is sure to raise the eyebrows of regulators, not to mention plaintiffs’ lawyers, said Robert Cattanach, partner at the international law firm Dorsey & Whitney. Cattanach, who previously was a trial attorney for the United States Department of Justice, said both Hyatt hacks involved the loss of customer credit card information, with the first attack affecting even more properties.
“While the company claims that it has implemented additional security measures to strengthen the security of its systems, no explanation was given as to why these additional measures were not implemented after the first attack,” he said. “Estimates of actual harm have yet to be provided, which is typically the weak spot of any attempted class action, but the liability exposure seems problematic regardless.”
HOTEL MANAGEMENT chatted with Matt Rizzetta, CEO of North 6th Agency, a brand communications and social media company, to find out how Hyatt can recover and what other hotels can learn if a data breach happens to them.
Why are data breaches particularly bad for the guest relationship in the hotel industry?
"While data breaches are not unique to the hotel industry, the brand crisis is exacerbated in the hospitality industry when a data breach happens due to the intimate connection between the customer and the hotel brand," Rizzetta said. "The communications strategy needs to reflect the intimate nature of the guest/brand relationship. There needs to be a much more hands-on direct outreach and communication plan—while other industries can get away with a prepackaged statement, the hotel industry cannot. They are dealing with a breach of trust that breeds loyalty with that brand."
What should Hyatt do specifically to recover from a data breach?
"First, leadership needs to show their faith in their brand. The Hyatt executives’ names are already on the press releases but they also need to show their face directly," Rizzetta said. "Hyatt needs to make a concerted effort in a personalized way to reach out to its consumers. That means an increased social media presence. I know this poses great challenges, but it’s worth it in the long run."
According to Rizzetta, Hyatt also needs to share specific steps to the public on what they are doing to recover from this data breach.
"This is not a time for broad strokes—they need to share the very specific steps they are undertaking to make sure this never happens again," he said. "What data systems and security providers are they working with and what are they doing differently. How they are constantly improving their technologies. Hyatt needs to bring a very specific game plan to the table."
Hyatt is at a huge disadvantage because this is the second data breach in as many years, Rizzetta said.
"They are in dangerous waters—they have to get it right. Hyatt needs their message to be personalized, customized and clear that this will never happen again," he said. "Competitors can be very opportunistic in this time and we do expect some direct competitors to try and capitalize on Hyatt’s misfortunes."
How to protect your hotel from a data breach
Of course, it's best to prevent a data breach in the first place instead of dealing with the fallout afterward. Hotels need to understand where their weaknesses lie in case of an attack — which systems are most vulnerable to an attack? These, like all systems, should be kept updated. Investing in strong firewalls and a properly protected network is integral to keeping dangerous malware away.
Human error remains the most effective exploit for hackers, said Stu Sjouwerman, founder and CEO of employee training and security company KnowBe4. By sending falsified emails or loaded links that upload malware onto company computers, employees often give invaders access to a company’s data through errant clicks from sources that appear legitimate. Sjouwerman said the best defense is a strict online policy bolstered by strong employee training.