Marriott, the largest hotel chain in the world, announced in November 2018 that it had been the victim of a major data breach—a cyber-attack that hackers had begun several years prior, in 2014.
In its 2018 announcement, the multi-billion-dollar company estimated that 500 million guests had been affected by the breach. Over the 4-year stretch, any guest who used the company’s Starwood reservation system had their privacy jeopardized.
Since its November announcement, Marriott has amended the number of affected guests to 383 million—still an overwhelming number of people. The potentially stolen guest information includes:
- Phone numbers
- Email addresses
- Starwood Preferred Guest account information
- Payment card numbers
- Arrival and departure times/dates
In addition, Marriott International said that 5.25 million unencrypted passport numbers were stolen along with 20.3 million encrypted passport numbers and 8.6 million encrypted debit and credit card numbers.
Consumers from All 50 States Suing Marriott
On January 9, a federal class-action lawsuit was filed in Maryland federal district court on behalf of more than 150 people who previously stayed in Marriott properties. The group claims that Marriott did not do enough to protect them from the data breach that jeopardized their personal information.
The class-action suit has identified the $13.6 billion purchase of Starwood properties made by Marriott in 2014 as a big part of the problem. It is alleged that Marriott did not do its due diligence in protecting people’s data when it made this major purchase, and that, in spite of warnings that the Starwood reservation system was vulnerable to cyber-attackers, Marriott did little. In addition, Marriott caught the security breach in September of 2018 but took an additional 3 months to alert its customers.
Needless to say, the data breach has severely affected Marriott’s public image, and its stock has continued to slide since the initial November announcement. The damage to Marriott’s reputation is major, but Marriott hopes to reverse it.
Marriott Reboots Its Rewards Program
In an effort to distance itself from the cyberattack that compromised millions of its guests’ personal information, Marriott has announced it will reboot its loyalty program, using a different brand name. “Marriott Bonvoy” will soon replace the existing loyalty programs that are specific to each individual chain owned by Marriott: Marriott Rewards, The Ritz-Carlton Rewards, and Starwood Preferred Guest. The company also owns the St. Regis luxury hotel chain.
Marriott will roll all brand rewards programs under its umbrella into one single program: Marriott Bonvoy. Announced on Wednesday, January 16, the relaunch of the rewards program will take place on February 13.
Too Little Too Late?
Marriott maintains 30 brands across 6,700 properties located in 129 countries around the world. With properties seemingly everywhere, Marriott must find better ways to protect the personal data with which customers entrust them. A company with such a robust business expansion plan should have an equally robust cybersecurity team in place to prevent data breaches from happening in the first place.
The public has responded with hostility toward Marriott for many reasons, one of which is that the company’s self-auditing and internal security let the cyberattack go on for 4 years before detecting it. Given the number of people whose private information is held in the company’s data systems, 4 years is much too long to take to discover theft.
If the self-auditing and security systems that are in place at Marriott allow for such an attack to go unnoticed, it would make sense for the company to look to more comprehensive cyber defense plans.
The company is also catching heat for only encrypting some people’s data while inexplicably leaving others’ unprotected. Mark Weatherford, former deputy undersecretary for cybersecurity at the Department of Homeland Security (DHS), said,
“It boggles the mind. Why was 20 percent of their sensitive passport data encrypted? This is not simply credit card information that is easily changed. This is incredibly sensitive and personal identification information that can be abused.”
Intelligence and cybersecurity sources contend that the data breach may have been the work of a hostile foreign intelligence service. In an interview with NBC News, an unidentified U.S. intelligence official said the hack on Marriott’s Starwood reservation system “fits the pattern” of China’s state-sponsored cyberattacks. This, however, has not been verified.
The Federal Bureau of Investigation (FBI), in partnership with other foreign intelligence agencies, is still looking for more signs of where this cyberattack originated and hopes to have more information in the coming weeks.