Hospitality Data Breach in Hotel Industry

The hotel industry is particularly exposed to the challenge of protecting personal data, and now a victim of a growing number of hacks. More than 500 million customers in the world have experienced theft of their personal data (name, address, phone number, email) followed by unauthorized access since 2014.

After becoming a victim of massive piracy on a database dedicated to the reservations of its customers, the world leader of the hotel business Marriott International (Westin, Le Méridien, Sheraton) comes to know what each company dreads the most: the violation of personal data.

It is difficult to evaluate the consequences on the reputation of the Marriott group and the impact on the attrition rate, but six months after the entry into force of the general regulation on the protection of personal data, this violation resonates naturally as a shockwave in the hotel industry.

The protection of personal data as the primary problem

The violation of the Marriott Group is unfortunately not an isolated case (Darkhotel Piracy, Hobart Henry Jones Art Hotel, Romantik Seehotel Jaegerwirt). The question is no longer whether this event will happen again, but rather when the next piracy will take place, and at what scale.

The industry faces a daunting challenge in terms of ensuring the security of personal data while dealing with cybercrime. Today, the players concerned have not really taken the appropriate measures for the issue, and the risks to personal data theft leave them responsible for anything that happens in the future.

According to IBM, the recent study on the cost of a data breach reveals that the average cost of 50 million data breach would be $350 million. With these figures, the overall cost of Marriott’s violation could be estimated at $3.5 billion.

With the sanctions provided, the Marriott International group could potentially be fined 4% of its worldwide turnover. This turns out to be approximately $ 916 million, almost the equivalent of the foundation created by AccorHotels with the help of Qatar to develop the hotel industry in Africa.

Hoteliers have a significant amount of personal data in their hands. With a few clicks, customers share their mailing address, phone numbers, and date of birth of the lady or gentleman. After making a reservation, a contract of trust is established with the hosting hotel which is greatly responsible for the protection of their clients and their data.

With this logic of accountability, the need to protect data naturally reaches out to partners, service providers and subcontractors (central reservation, restaurants, janitorial services, etc.) for which the commitments regarding protection and confidentiality need to be strengthened.

So, what are the causes of data breach and theft in the hotel industry? Here are a few most common causes that are unfortunately in practice around the world.

   The cause of about half of the incidents is related to human errors (handling errors/errors of inattention/non-compliance with the organization’s security policy). Example of a non-compliance with the organization’s security policy: An employee (including members of management) transfer without control/authorization of the organization’s customer data to his personal computer or a webmail service third parties to work from home; (the computer/webmail service is then the target of hacking)

   A number of targeted malicious external acts aimed at financial gain: recovering payment information, diverting the payment destination, obtaining financial intelligence, etc.

   Some other violations are related to technical/development errors that have resulted in the disclosure of personal data to the wrong person. For instance, setting up a new web client service.

The attack on one of Fastbooking’s servers (digital hotel management solution provider), which impacted more than 1000 hotels in 2018, is a great warning for all hotels to consider the distribution of responsibilities very seriously.

In this respect, this is a real problem because the subcontractors accept it with difficulty to agree on the contract terms of the controller, which are often considered too restrictive. They prefer to favor their own conditions which may legally expose the controller if poorly defined.

Compliance in a changing sector

One of the principles of the data protection is to minimize personal data in order to collect only those that meet a specific purpose. This requirement is difficult to resolve with the expectations of the customer who wants an increasingly personalized offer. The new means of communication, be it chatbot as a new tool for customer relations, or tools capable of centralizing instant messages (SMS, WhatsApp, Facebook Messenger) require increased vigilance.

Moreover, if hoteliers and restaurateurs have a CCTV system, they must ensure that it is used in compliance with the regulations, both in terms of respect for the privacy of clients and employees. No information concerning an employee personally can, in fact, be collected by a device that was not previously brought to his knowledge.

How long can hotels keep individual records for foreigners or residents staying in the US? What about CARDEX customer files, which in addition to contact details and booking history, can sometimes contain the habits and preferences of customers, such as favorite drinks, first names of children and diet)? What will legal bases be used to process this personal data?

Although a large part of the market is distinguished by the number of independent hotels, most major hotel chains would follow a loyalty program with a high penetration rate. These programs provide more value to the customer and are real marketing tools with over 1.2 million rooms on more than 6700 hotels worldwide.

Faced with ever more sophisticated cyber-attacks that combine with a growing amount of data in increasingly digital environments, the hotel industry must react to this alarming situation. This is a call for accountability for the industry, which must take concrete actions that meet the challenges. This will entirely fulfill the contract of trust with the client and prevent them from sleeping with their rooms with one eye open.

By Kristina Payne January 18, 2019 24 Comments