Marriott breach exposes weakness in cyber defenses for hotels
Long before Marriott International Inc. disclosed a massive security breach, the hotel industry had earned the dubious reputation as a hospitable place for hackers.
Thieves have skimmed credit cards, looted loyalty accounts, and mounted complex schemes to trick clerks into downloading malicious software. In one elaborate series of attacks known as DarkHotel, networks at individual properties were hijacked to spy on corporate executives and politicians. In a cruder ploy, crooks have even seized control of a keyless entry system, locking down rooms until the hotel owner paid a ransom.
Now, as Marriott grapples with the fallout from its Nov. 30 disclosure that as many as 500 million guests had their data exposed to hackers, there is a growing sense that an industry whose bedrock business is providing real-world security isn’t equipped to look after its guests in cyberspace. The company is preparing to deliver written responses next week to a U.S. Senate inquiry amid reports the attack was carried out by the Chinese government.
“People trust us to allow them to sleep safely and securely,” said John Burns, president of Hospitality Technology Consulting. “There’s a longstanding tradition of an innkeeper, that we fulfill that commitment to them. Has it extended naturally, with the same diligence, to the digital environment? Not always.”
Marriott hasn’t yet provided a detailed accounting of the attack, which it continues to investigate.
“Our primary objectives in this investigation are figuring out what occurred and how we can best help our guests,” said Marriott spokeswoman Connie Kim in an emailed statement. “We have no information about the cause of this incident, and we have not speculated about the identity of the attacker.”
When Marriott paid $13.6 billion for Starwood Hotels & Resorts in 2016, the aim was to have a bigger company that could compete with Google, Amazon and other online firms that use their knowledge of consumer preferences to gain primacy with customers.
Modern hotel companies see tech firms as competitors because they function like e-commerce platforms, licensing their brands and booking engines to investors who own and run the properties. They want to drive direct booking, cut out online travel agencies and convince travelers to use loyalty points to pay for products from diapers to skydiving lessons — then tailor their marketing based on a guest’s past choices.
Yet these would-be tech businesses have the DNA of real estate developers and catering companies, and their treasure troves of customer data often are accessed through antiquated systems because cost-sensitive investors see more immediate returns from money spent on new carpeting rather than intangible security measures. The impulse to protect guests can be moderated by the cost and complexity of implementing safeguards across sprawling systems.
“The brand companies take security very seriously, but the cost of keeping up with changes in technology is prohibitive,” said Chad Crandell, chief executive officer of CHMWarnick LLC, a hotel investment adviser. “To spend a lot of money on service and protection and have it fail is not a good place to be either.”
Hospitality was the third-most targeted industry after retail and finance, according to a report this year from information-security firm Trustwave Holdings, in an onslaught that has left few corners of the industry untouched. Hilton Worldwide Holdings Inc., Hyatt Hotels Corp. and InterContinental Hotels Group have all been targeted in past attacks, as have Trump Hotels, Radisson Hotel Group and Mandarin Oriental.