When Marriott International disclosed the massive data security breach of its Starwood network on Friday, technology and cybersecurity experts were not surprised it happened. 

"We're in an era where breaches that go undetected for four years should be a thing of the past, but they're not," said Brian Krebs, writer of the KrebsOnSecurity blog. "And unfortunately, it's not surprising to see this within the hotel industry. The hospitality world has been notoriously bad at implementing security to protect their own systems and the data of their guests."

Krebs cited the hotel industry's continued use of credit card and debit card swiping systems, as opposed to chip-enabled readers that encrypt payment information, as one glaring example. He also pointed out that Marriott posted its press release announcing the breach on an unencrypted web page. 

"Even after nearly every single major hotel company has gotten breached over the last four or five years, hotels are still doing these very obvious things that we have solutions for," he said.

The industry's long list of recent data hacks includes InterContinental Hotels Group's 2016 data breach of guest payment cards at almost 1,200 properties in the U.S., as well as Hyatt's 2017 credit card breach, its second major breach in two years. 

Notably, Starwood reported a data breach affecting more than 50 properties in November 2015, shortly after being acquired by Marriott. According to Starwood's disclosure, that security breach dated back to at least November 2014. 

Technology consultant Shelly Palmer similarly views the hospitality industry's security systems as inadequate. "Like many industries that are venerable and mature, hotels have legacy systems that were not designed for the world we live in today," he said.

Palmer added, however, that while the Marriott breach "is a big one, by any measure," the media frenzy surrounding the incident is "much ado about nothing."

"Hacks like this are happening on an industrial scale," said Palmer, while emphasizing that consumers and businesses alike are largely insured against cybercrimes by their banks and credit card companies. "It's a victimless crime. This happens all the time, and there's nothing consumers can do about it. This is bad PR for Marriott, and it will probably generate a lot of questions that Marriott would rather not answer, but this is really just a story about doing business in the 21st century." 

Despite data hacks being commonplace, Palmer has several suggestions for consumers concerned about their personal and payment information falling into the wrong hands. He recommends purchasing cyber insurance, which can often be added to homeowner's insurance plans, and making sure to only connect smart devices and computers to private networks, especially when traveling overseas.

Krebs advises consumers to regularly check their credit card and debit card statements, while sticking to credit whenever possible. 

"If you make a payment with a credit card, it's a provisional charge," explained Krebs. "But when you get hit with fraud on your debit card, you have to contact your bank and count on them to put the money back, while in the meantime, hope that you don't bounce checks."

According to the Federal Trade Commission, if a consumer reports a fraudulent ATM or debit card transaction within two business days after learning of the theft, he or she is liable for a maximum loss of $50. If it's been more than two business days but less than 60 calendar days, the maximum loss jumps to $500.

"If you've been paying attention at all over the last few years, you should have already adopted the notion that all that data about you, including your credit card information and your social security number, is for sale already," Krebs said. "You shouldn't wait for some company to tell you that. If you don't have fraud on your card, it's probably just because no one has bought your information yet."

Comments
JDS Travel News JDS Viewpoints JDS Africa/MI