Marriott International is doing damage control on the heels of a massive data security breach of its Starwood network, the latest in a long line of hacks suffered by players in the hospitality industry.

Disclosed by Marriott on Nov. 30, the breach spanned four years and affected approximately 500 million guests worldwide who had reservations at Starwood properties on or before Sept. 10. Of those 500 million, around 327 million Starwood guests had some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences stolen.

An undisclosed number of Starwood guests had their payment card numbers and expiration dates exposed.

Last week, Marriott promised to reimburse passport replacement costs for qualified guests. A Marriott spokesperson confirmed that the company was setting up a system to work with guests reporting passport-related fraud and "if, through that process, we determine that fraud has taken place, then the company will reimburse guests for the costs associated with getting a new passport."

That move directly followed pressure from Sen. Chuck Schumer (D-N.Y.), who released a statement on Dec. 2 urging the hotel giant to pay passport replacement costs for consumers affected by the breach.

Marriott is also now facing at least two actions. Murphy Falcon & Murphy and co-counsel Morgan & Morgan have filed a national class action in U.S. District Court in Maryland on behalf of consumers whose personal information was stolen, alleging that Marriott failed to ensure the integrity of its servers and properly safeguard consumers' information. 

A second complaint, filed by Bragar Eagel & Squire in the U.S. District Court for the Eastern District of New York on behalf of investors who acquired Marriott securities between Nov. 9, 2016, and Nov. 29, 2018, asserts that Marriott failed to adequately disclose that the Marriott and Starwood systems were not secure and that a breach had been ongoing since 2014.

Marriott will likely continue to face significant backlash in the coming months, but the company isn't the only hospitality heavyweight to grapple with the threat of cybercrime in recent years. 

"We're in an era where breaches that go undetected for four years should be a thing of the past, but they're not," said Brian Krebs, writer of the KrebsOnSecurity blog. "And, unfortunately, it's not surprising to see this within the hotel industry. The hospitality world has been notoriously bad at implementing security to protect their own systems and the data of their guests."

The industry's long list of recent hacks includes InterContinental Hotels Group's 2016 data breach of guest payment cards at almost 1,200 properties in the U.S. as well as Hyatt's 2017 credit card breach, its second major breach in two years. 

Notably, Starwood reported a data breach affecting more than 50 properties in November 2015, shortly after being acquired by Marriott. According to Starwood's disclosure, that security breach dated back to at least November 2014.

Despite experiencing repeated hacks, the industry has still been relatively complacent, said Krebs, who complained that "even after nearly every single major hotel company has gotten breached over the last four or five years, hotels are still doing these very obvious things that we have solutions for."

Krebs cited the hospitality industry's continued use of credit card and debit card swiping systems, as opposed to chip-enabled readers that encrypt payment information, as one glaring example. He also criticized the fact that Marriott posted its press release announcing the breach on an unencrypted webpage.

But while Marriott's breach is sizable by any measure, technology consultant Shelly Palmer said he believes that, for the most part, the media frenzy surrounding the incident is "much ado about nothing."

"Hacks like this are happening on an industrial scale," Palmer said, while emphasizing that consumers and businesses alike are largely insured against cybercrimes by their banks and credit card companies.

"It's a victimless crime," he said. "This happens all the time, and there's nothing consumers can do about it. This is bad PR for Marriott, and it will probably generate a lot of questions that Marriott would rather not answer, but this is really just a story about doing business in the 21st century."
