If you thought Marriott International’s 2016 acquisition of Starwood Hotels & Resorts Worldwide for more than $13 billion was expensive before, how about now? This past weekend the company announced that a data breach had occurred that could potentially impact a staggering 500 million consumers who have visited what were previously Starwood-branded properties over the past four years.
The ripple effect of one of the largest hacks in history is being felt throughout the entire lodging industry, which, as a credit card-based business, remains extremely vulnerable to these sorts of attacks.
For its part, Marriott has been consumed for the past two years with integrating the large brand company, which encompassed as many as 11 brands--including W Hotels, Westin and Sheraton to name a few--and just as importantly the critical and highly touted Starwood Preferred Guest loyalty program.
By most accounts, the massive Starwood phase-out had been going rather smoothly, all things considered, but that all changed with this news. Not surprisingly, Marriott International President and CEO Arne Sorenson took full responsibility for the incident. “We fell short of what our guests deserve and what we expect of ourselves,” he said in a statement.
People much more informed on this subject than I can determine whether Marriott is truly to blame for this or is merely a victim of careless operations by Starwood’s previous leadership. Some experts have suggested it was a very fundamental mistake and there’s no way a company that size should have been keeping all that data in-house.
Josh Bergen, President, VENZA, a company that specializes in data protection, talked about the challenge ahead for Marriott as it looks to minimize the damage moving forward. “From our viewpoint, the most important thing is the communication from the brand to the guests and franchisees to prove they are taking steps to continue the fight against cybercrime and hackers,” he told Hotel Interactive®.
To its credit, Marriott has been doing just that, at least in the immediate aftermath of the incident. The company has set up a dedicated website and call center for customers, as well as sending out email notifications to affected guests who were in the Starwood system. In addition, the company is offering free Webwatcher enrollment for a year. The site monitors Internet sites where personal information is gathered and alerts consumers if personal info has been found.
There’s been plenty of discussion about events such as these coming with financial consequences for the companies involved, but as of now the laws in the U.S. inherently protect these companies despite any perceived negligence. Nevertheless, this certainly comes at a huge cost to Marriott in terms of public relations, not to mention actual dollars and cents.
What’s clear is this problem is only going to get worse and likely will impact plenty of other industries as well. According to Bergen, “Protecting guest data is much broader than just the credit card number and with the new GDPR (General Data Protection Regulation), we now live in a time where passport information and other PII (personally identifiable information) are up for sale on the dark web. Protecting guest data is a team effort between the brand’s corporate office/reservations, the franchisees, the vendors, the equipment providers and the guests.”
Oftentimes industry prognosticators talk about the possibility of “black swan” events in terms of terrorist activity and their potential impact on industry performance, but the reality is events like this can be every bit as damaging. There’s no way to ever know how many guests who get an email that their information was compromised will decide not to take a trip or stay at a hotel in the near future.
One of the biggest economic factors the industry has had at its back in recent months is consumer confidence, but those same consumers need to be confident that their personal information is protected and it’s incumbent on the entire industry, not just Marriott, to make sure we figure this out.