Marriott International’s $13.6bn purchase of Starwood Hotels & Resorts was a bet that its popular loyalty programme would bring more travellers to its Courtyards and Residence Inns. It turns out Marriott was also buying a massive security risk.
A cyber breach in Starwood’s reservation system had allowed unauthorised access since 2014, the company said. Hackers accessed records on as many as 500mn guests, in many cases including passport numbers, travel histories and loyalty programme accounts, and even some encrypted credit card data.
“We fell short of what our guests deserve and what we expect of ourselves,” said Marriott chief executive officer Arne Sorenson in a statement. “We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
For Marriott, the acquisition was fraught from the beginning, with Starwood disclosing a security breach just days after the deal was announced. Loyalty members also worried that Marriott was less hip, less customer-friendly, and would use its size to take away cherished benefits. When integration started in August, members complained that they were losing status, having problems redeeming rewards and enduring long waits for customer service.
The hack adds another headache to the integration process. The stolen data could allow criminals to break into the Marriott portal and redeem guests’ points for gift cards or hotel stays. Unlike banks dealing with stolen credit cards, the hotels might not have an obligation to make the customers whole, said Michael Reitblat, chief executive officer of Forter, a company that helps retailers fight fraud.
“Marriott’s biggest asset is the network effect of customers in the loyalty program,” said Michael Bellisario, an analyst at Robert W Baird & Co. “The big question is: ‘Does it impact the Marriott brand, and the customer desire to be rewards program members?’ It’s still too early to tell.”
Modern hotel companies don’t own much real estate. They act as funnels, connecting hotel guests to property owners through online reservation systems. Loyalty programs are especially important because members are repeat customers who book directly over the company’s website, and owners don’t have to pay commissions to online travel agencies.
Hotels are especially vulnerable to security breaches because many still swipe credit cards at check-in rather than use chip readers, said Brian Krebs, a cybersecurity expert. Last year, he said, both Hyatt Hotels Corp and the Trump Hotels collection had security breaches, and in 2016 he uncovered similar breaches at InterContinental Hotels Group.
“The only way a company the size of Marriott can have a breach this big, for this long is that nobody’s looking for it,” Krebs said. Hilton Worldwide Holdings Inc acknowledged in 2015 that hackers had stolen customers’ credit card data using malware installed on its card readers at some locations. The New York Attorney General’s office said 350,000 credit cards were exposed when it reached a $700,000 settlement with Hilton two years later.
Marriott shares closed down 5.6%, their biggest decline since June 2016, as regulators, investors and customers assessed the fallout from the hack. The company informed the UK Information Commissioner’s Office of the breach, according to an email from the data watchdog. Attorneys general from New York and Illinois have opened investigations. Senator Mark Warner, a Virginia Democrat, issued a call today for legislation to address cybersecurity.
Marriott could pay fines and settlements totalling $200mn, analysts from Morgan Stanley wrote in a note today. Even so, the sell-off because of the “data breach is an overreaction. We see a 2-3% impact as more appropriate,” the analysts wrote.
“The hospitality industry’s rhetoric about cybersecurity far outpaces its actual investment in it,” said John Dickson, principal at Denim Group, a cybersecurity firm. “For having so much personal information, they’re too cavalier about cybersecurity.”
The biggest risk facing the company is that the breach will harm Marriott’s relationship with the frequent guests it paid so dearly to acquire.
“Starwood customers were used to, not just benefits, but they were used to picking up the phone and having someone answer right away,” said Gary Leff, an influential travel industry blogger. “They’ve faced execution challenges, and that’s been frustrating for customers. At a certain point you drive people to Hilton.”
The company determined on November 19 that the stolen data contained information from the Starwood reservation database. Marriott is continuing to investigate the breach. The company carries cyber insurance and is working with carriers to assess coverage, according to a regulatory filing. The company is also offering guests one year of free access to a service that monitors whether consumer information is being shared.
“In all likelihood, they targeted this type of database because of its data richness,” said Mark Testoni, president of SAP National Security Services, the US-based cybersecurity arm of software giant SAP SE.
Marriott detected an attempt to access a reservation database on September 8, according to the company’s statement. In its quarterly filing dated November 6, Marriott added a warning about security breaches to its disclosures without providing details on specific attacks.
“This is much more than a consumer data breach,” Michael Daly, chief technology officer for Cybersecurity and Special Missions at Raytheon Intelligence, Information & Services, said in an e-mail. “When you think of this from an intelligence-gathering standpoint, it is illuminating the patterns of life of global political and business leaders, including who they travelled with, when and where.