Step into the breach

14 October 2019

In November 2018, in what could prove a paradigm-shifting moment for the hospitality industry, Marriott International reported the second-largest data breach on record. With the UK watchdog already having announced plans to fine the hotel giant £99 million, what lessons has the sector at large taken away from this crisis and what is happening to data security questions as regulators clamp down? Patrick Kingsland investigates.

Late last year, Marriott International announced that it had fallen prey to hackers, in what was the second-largest data breach ever recorded. The breach, which affected Starwood’s guest reservation database, involved around 339 million customer records dating back to July 2014.

As well as some combination of name, address, phone number and other personal information, the attackers accessed millions of passport numbers (20.3 million encrypted and 5.25 million unencrypted). There were also 8.6 million encrypted payment card numbers, along with a small number (fewer than 2,000) of unencrypted ones.

“We want to provide our customers and partners with updates based on our ongoing work to address this incident as we try to understand as much as we possibly can about what happened,” Arne Sorenson, Marriott’s president and CEO, said in the aftermath. “As we near the end of the cyber forensics and data analytics work, we will continue to work hard to address our customers’ concerns, and meet the standard of excellence our customers deserve and expect from Marriott.”

But the tone and reach of the response was not entirely Marriott’s call to make, with legislation and punishments for security and data infractions having evolved significantly in scope and impact. Responding to the incident, the UK’s Information Commissioner’s Office (ICO) announced it intended to fine Marriott £99.2 million. The data protection authority, which took the lead on the investigation on behalf of other EU states, said that the breach had affected around 30 million EU residents, and had infringed their privacy rights under the General Data Protection Regulation (GDPR), which has applied across the EU since May 2018.

“GDPR makes it clear that organisations must be accountable for the personal data they hold,” says the ICO’s Elizabeth Denham. “Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action where necessary to protect the rights of the public.”

Security breakdown

Although the intrusion began before Marriott’s acquisition of Starwood, it appears to have continued well past that point. According to The Wall Street Journal, Starwood’s employees had long found the reservation system difficult to secure, a situation not helped when a large number of them were let go following the sale. And the legacy Starwood system had still not been migrated to Marriott’s own reservation platform two years after the deal closed.

“[Accountability] can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected,” says Denham.

The proposed fine, announced in July, is still pending at the time of writing. The ICO has said it will give Marriott the chance to discuss the sanctions, while Marriott has said it intends to “vigorously defend” its position.

“We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident,” said Sorenson.

However, this is clearly a watershed moment for anyone paying attention to the EU’s new data protection regime. GDPR gives the authorities the right to fine businesses up to 4% of their global annual turnover (or €20 million, whichever is higher). In Marriott’s case, the damage is around 3% of its global revenues (based on a turnover of $3.6 billion in 2018).

339 million
The number of customer records dating back to July 2014 that were affected by the data breach in Starwood’s guest reservation database.

Considering the size of the other fine the ICO announced that week – £183.4 million to British Airways, or 1.5% of the company’s total revenues – we can see how impactful GDPR might be. It marks a major departure from the earlier Data Protection Act, which capped fines at £500,000.

What’s more, this isn’t the only regulatory change that could spell a headache for the hotel industry. As of 14 September 2019, businesses also need to comply with the Strong Customer Authentication requirements of the Revised Directive on Payment Services (PSD2), a European directive aimed at improving the safety of ecommerce.

While this directive is more limited in scope than GDPR – it applies only to payment service providers, rather than to businesses in general – it will have implications for hoteliers’ booking systems. Unfortunately, it will also create a new world of complications.

“For all of us who operate within the field of travel, PSD2 is another regulatory attempt to protect the consumer, but without fully contemplating the practical impacts to how our increasingly complex industry operates,” PhocusWire’s Renee Robbie recently observed.


Like GDPR, PSD2 has the larger aim of putting customers in control of their own data and keeping that data safe. Above all, it is designed to cut the risk of online (‘card not present’) fraud, which accounts for almost two thirds of all card fraud in Europe.

Whereas, in the past, it was sufficient to ask the customer for their credit card information, you now need ‘Strong Customer Authentication’ (SCA) to authorise a transaction. The merchant must obtain two out of three independent factors: something the customer has (such as a phone or the card itself); something the customer knows (such as a password or PIN); or something the customer is (such as a fingerprint). The card number, expiry date and security code are all printed on the card, so together they count as at most one factor, not two.

Barriers and complications

Strong customer authentication is a clear way to improve security. However, it comes with friction for the customer and a certain operational risk for hotels. If you’re a customer booking a hotel through an online travel agent, and you’re asked for multiple pieces of security information, there’s a risk you may not have that information to hand. If you’re really impatient, you may abort the transaction halfway through the booking.


Then there’s the risk of cancellations. For many hotels, it’s common to take the customer’s card number at the time of booking, and charge it using a card reader if that person is a no-show. Under the new rules, a later charge like this counts as a merchant-initiated transaction: it is only out of scope of SCA if the customer was strongly authenticated when the card was first stored and the hotel’s right to charge it was agreed. Where that didn’t happen, the issuer can decline the charge. According to a study by Visa, the industry average no-show rate is 1–2% of all reservations, equating to a potential hit of between $50–100 million a year.

As Mirai reports, there is a possible workaround that could help in the short term: as bookings made by telephone and email (mail order/telephone order, or MOTO) are outside the scope of SCA, you can configure the card reader to the MOTO setting to carry out the transaction. While this solution is probably workable for now, it isn’t an ideal long-term strategy, not least because a MOTO flag on a card-not-present booking misrepresents how the payment was actually taken.

A further complication is the sheer complexity of the hotel distribution chain. If a booking comes through an online travel agent (OTA) such as Expedia, it isn’t necessarily clear who needs to comply with the regulation – is it the OTA or the hotel?

“The confusion around how authorisation will be communicated between OTAs and hotels – and the ensuing risk of revenue and reputation damage – could indirectly lead to hotels shifting to a merchant OTA model when it may not make sense for their organisation, impacting the already delicate dynamic between hotels and OTAs,” Triptease’s Rob Funnell observed, in an article entitled ‘Is the hotel industry sleepwalking into a regulatory crisis?’.

The look ahead

While there are many more technicalities to untangle, the good news is that PSD2 will affect only a relatively small proportion of bookings – specifically the non-refundable bookings a customer pays for via a website, rather than in person at the hotel. What’s more, hotels, unlike the payment service providers themselves, won’t be fined for non-compliance: PSD2’s obligations fall on the providers, so the practical consequence for a hotel of a non-compliant payment is a declined transaction rather than a penalty. You won’t see any hundred-million-pound fines here if something goes awry.

The broad consensus is that, over the short-term, PSD2 won’t make much difference to the hotel industry – for one thing, very few parties in the payments ecosystem are ready to comply. However, coupled with GDPR, it does spell a real turning point for an industry that has historically been more concerned with pleasing customers than mitigating risks.

With regard to the Marriott data breach, the ICO fine is unlikely to be the last of the financial damage. According to a recent study by IBM and Ponemon, which explored the costs of large data breaches, a breach of 50 million records might be estimated to cost a company $350 million. Scaling that up linearly to 339 million records, the hit would be around $2.4 billion, although the per-record cost in the study does not scale evenly, so the figure is indicative only. (These estimated costs include brand damage, legal fees and remediation, for example.)

Whatever the true sum, data security is evidently coming into focus as never before. After all, while the Marriott data breach is the worst to hit the industry, it isn’t the only one. According to a 2018 report by information security company Trustwave, hospitality is the third most targeted industry after retail and finance, and the likes of Hilton, Hyatt, Radisson, Mandarin Oriental and IHG have all been targeted in the past.

The upshot is that hotel companies will need to invest heavily in doing the difficult work – ensuring their security situation is as good as it can be – or risk penalties on the same level as Marriott’s. Their bottom line, and guests’ peace of mind, depends on it.

GDPR – one year on

Within the space of a year, GDPR has massively shaped the global privacy landscape. The regulation has prompted many other countries around the world to take a closer look at their own security and privacy laws.

Argentina and Japan have already started to align their national data protection legislation with GDPR, and Brazil has implemented a similar legislation called the General Data Protection Law that will come into effect on 15 August 2020.

Within the US, the states of California, New York and Colorado have passed local data privacy laws, and the US Congress is considering a federal data privacy law as pressure mounts for stricter data protection across the country.

There’s no doubt that GDPR has been a force for good and prompted organisations to take privacy protection more seriously. If adhered to correctly, GDPR enables organisations to become more cyber secure, efficient and competitive within the marketplace.

By demonstrating GDPR compliance, companies are likely to benefit from reduced organisational risk and build greater levels of trust with their customers. This transparency will, in turn, enhance brand reputation and lead to the development of more meaningful relationships.

However, as cybercrime evolves and criminals become more deceptive in their attack methods, organisations will need to continually address privacy and security risks to ensure they are accountable for the personal data they hold and compliant with the legislation.

Source: Geraldine Strawbridge, MetaCompliance 
