News of major data breaches at airlines, hotels and retailers has become an almost daily occurrence, but how a company handles, or mishandles, the realization that its customers’ sensitive financial and personal information has been exposed can be even more damaging than the intrusion itself. As Marriott begins its damage control in the wake of a mind-bogglingly huge cyber-intrusion, it appears to have learned from those who walked the path before.
The leadership at Marriott International is determined not to repeat the missteps of other companies that have suffered serious data breaches. As the multinational corporation responds to the fallout from the news that the data of up to approximately 500 million Starwood Preferred Guest (SPG) customers may have been accessed by hackers, the mistakes of its predecessors are serving as a sort of roadmap of what not to do.
This summer, British Airways management failed miserably, by most accounts, in its response to the realization that hundreds of thousands of its customers’ private financial and personal details had been exposed by cyber criminals the airline’s critics linked to Russia. The airline was at first reluctant to reveal that the hack had occurred at all, and it was later learned that the initial begrudging admission drastically undersold the scope and severity of the months-long breach.
Faced with a similar hack, in which the sensitive data of millions of its customers was exposed, officials at Cathay Pacific took obfuscation to a whole new level. The company told lawmakers that it kept quiet about the cyber-attack for several months because its employees were too busy trying to protect passengers’ private information to stop and tell those passengers that their personal details had been exposed in the first place.
Both airlines lost a great deal of trust and public goodwill through their efforts to downplay the seriousness of the security lapses. For obvious reasons, officials at Marriott have taken a much different tack toward cleaning up this latest cyber-mess.
In fact, Marriott representatives, normally lurkers on the FlyerTalk forums, have been active there since the news broke, offering advice, confirming known facts, announcing a hotline for questions regarding the hack and linking to complimentary credit monitoring services for those affected by the data breach. While the posts had a conversational air, it seems clear the information and talking points were in fact disseminated through carefully regulated, centralized communication channels. Still, the effort offered, at the very least, the appearance of transparency.
“Please visit info.starwoodhotels.com for more information about this incident, available resources and steps you can take,” the Starwood social media team helpfully suggested.
Despite the jaw-dropping numbers, almost guaranteed to inspire sensationalized headlines, the company was quick to announce the ugly details of the hack in plain language. Marriott not only published a statement confirming the scope of the hack, but also a breakdown of a number of uncomfortable specifics.
“The company has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property,” Marriott said in its remarkably frank statement. “For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128).”
One detail in that statement deserves a practitioner’s caveat: encrypting card numbers with AES-128 is only meaningful protection if the decryption keys were not also exposed, and the excerpt above does not say whether they were. The hospitality conglomerate’s chief approached the subject head-on as well.
“We deeply regret this incident happened,” Marriott International CEO Arne Sorenson said in a statement. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward. Today, Marriott is reaffirming our commitment to our guests around the world. We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center. We will also continue to support the efforts of law enforcement and to work with leading security experts to improve. Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”
Update: The following is correspondence between the author and Tracey Schroeder, Marriott’s Vice President and Global Head of Consumer Public Relations.
Does the SPG attack bear similar hallmarks to other recent cyber incursions such as the British Airways hack?
We can’t speculate.
How will guests learn how much of their personal information was compromised?
Marriott began sending emails on a rolling basis on November 30, 2018 to affected guests whose email addresses are in the Starwood guest reservation database. As the matter is still under investigation, we are still working to uncover specifics.
What will Marriott do to make customers who fall victim to fraud whole again?
We have established a dedicated website (info.starwoodhotels.com) and call center to answer guests’ questions about this incident. The call center is open seven days a week and is available in multiple languages. We began sending emails on a rolling basis starting yesterday, November 30, 2018, to affected guests whose email addresses are in the Starwood guest reservation database. And we are providing guests the opportunity to enroll in WebWatcher free of charge for one year.
How will a WebWatcher subscription help?
WebWatcher monitors internet sites where personal information is shared and generates an alert if evidence of your personal information is found.
Is it correct that evidence of the hack was not discovered until after the SPG and Marriott Rewards programs were merged?
The internal alert was received on September 8 which caused us to investigate further. This incident is not related to the merging of the loyalty programs.
How did Marriott guests avoid falling victim to this cyber attack?
The investigation only identified unauthorized access to the separate Starwood network.
Any guest who booked at a Starwood property prior to September 10, 2018 could be affected, including associates. We are providing our associates the same support and resources and sharing information as we have it. The investigation is still underway so it is premature to speculate.