In mid-January 2020, Marriott International suffered a new data breach which affected around 5.2 million guests.
Marriott claims the security breach could have revealed 5.2 million guests 'personal details. This is the second data breach by Marriott in recent years following a breach in 2018.
The breach was identified at the end of February 2020 and dates back to mid-January 2020.
Marriott says it discovered in late February that the network of an unspecified hotel chain had been hacked, and hackers who obtained the login credentials of two Marriott employees may have accessed the guest details. The firm has reason to believe the operation began as early as mid-January.
The breach may have taken personal details such as names, birthdates, and telephone numbers, along with language preferences and loyalty account numbers.
Marriott stated, "While our investigation is continuing, we currently have no reason to assume that the details involved included passwords or PINs for Marriott Bonvoy account, payment card details, passport information, national IDs or driver's license numbers."
Adding to it, Marriott said it contacted guests whose details may have been taken via email and launched a website dedicated to those who were affected. The company offered the program for tracking the personal information of visitors whose details could have been compromised.
It could be considered an honest mistake to suffer one data breach but to suffer two in less than two years looks like carelessness. There are some promising signs that the company has learned some valuable information security lessons in spite of how it may look to an outsider. From this experience, the entire hospitality industry should now know better.
1. Develop a Security-Centric Culture at the Top Level.
When the security of customer identities and profiles is priority number one. A security-centric mindset ensures a serious approach to customer data security. The approach should be top-down instead of bottom-up, with responsibility resting with the CEO and board.
2. Stay ahead of the security curve.
It’s okay to be cautious in adopting innovations, but when it comes to customer data security products, companies should be proactive, constantly reviewing and trying new developments to stay ahead of hackers.
3. Make your security spend for customer data security unbudgeted.
Invest whatever it takes to protect sensitive customer data. Yes, stay within your financial metrics, but don’t cap the budget, because capping it means you’re compromising. Give the security team whatever they request to protect the brand. It’s not going to cost billions.
4. Recognize that customer data security is not a cost center but a revenue center.
Companies need to understand that customer data security is part of the revenue center, not the cost center. With better security, you are not only preventing breaches, but you are also building trust within your customer base to generate more revenue.
Let’s hope that Marriott and its peers in the travel industry have learned that, while the security of customer accounts may not be their core business, it still needs to be priority number one.