By Robert McGarvey

Hotel groups have mismanaged data security for at least a decade. This negligence has put our data in the crosshairs of cyber criminals.

In the Marriott case, the source of the malaise is Starwood, which Marriott acquired in a merger. With Starwood, the group also acquired a massive data breach. Hotel News Now reported that approximately 327 million guests were affected by the breach.

Why am I re-hashing this sorry affair now, two years after the breach was announced? Because the saddest part is that the industry hasn't learned from it.

Hoteliers suck at data security.

Let's look at the data impacted at Starwood. According to the data breach press release by Marriott International at the time, the information included "some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest ("SPG") account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences."

Obviously, for criminal hackers, that's a valuable trove of data. And so online looters have been feasting on hotels and their data - on us! - for years.

Thus the roll of shame grows longer. Hotel News Now offers a catalog of the worst offenses going back to 2008, when Wyndham suffered the first of what became three breaches extending into 2010.

What are the lessons learned so far?

As far as consumers and business travelers are concerned, it is only a minor exaggeration to say that if you stayed in a US hotel in the past decade, you are very likely a victim of a data breach.

Guests have caught on. They know: give a hotel your credit card, and you put your finances in jeopardy. Class action litigators rejoice. They can't wait to develop a new revenue stream.

I wish I could say that hoteliers had learned their lesson, too. And that hotels were safer today, because of the negative publicity over data breaches, the fines, and the lawsuits.

But they aren't. And if there are any exceptions, nobody has noticed, because it has not been communicated.

I understand if hotels don't want to advertise to the public the details of preventive measures to protect their guests' financial data and privacy. PR and cybersecurity content marketing professionals would know how to handle the messaging part.

The problem is that more than two years after the Marriott mess, there's no positive change to report. The opposite is the case.

Here are three steps hotels can take to win back wary consumers:

  • Commit, for real, to proactive cybersecurity as a critical business expense and not as an annoying drain on revenues that guests never appreciate.
  • Commit to full transparency and honest communication about breaches and do it soon after the breach is detected. Mumbo jumbo opacity is the hotelier norm when a breach is detected. That lowers guest confidence and puts us more at risk as criminals gain more time to use the stolen data.
  • Commit to telling the world about the cybersecurity steps you took. Of course not with enough detail so that crooks can dodge them. But with enough detail so that guests can sleep soundly at night.

Where to start? In May, the American Hotel & Lodging Association introduced the Hotel Safe Stay Pledge to safely welcome back guests and employees in the age of Covid-19.

The hospitality business has crawled almost to a standstill this year. From a cybersecurity perspective, this could be an opportunity for hoteliers.

They should take inspiration from their own Safe Stay initiative. Why not use the remaining time before the post-pandemic travel boom to develop and implement a nationwide Hotel Safe Data Pledge?

*

Robert McGarvey (Twitter: @rjmcgarvey) is a veteran technology reporter who has often covered cybersecurity and data breaches, especially in financial services and hospitality.