I feel sorry for Marriott…
By Terence Ronson, Hospitality Professional, Technology Consultant, Public Speaker and Inventor
Unless you've been hiding under a rock over the last few days, you would have undoubtedly heard of the recent breaking news story which has had a tsunami-like effect on the hotel industry…..Marriott [to include Starwood and all its subsidiary brands] got hacked, and allegedly, data involving some 500 million guests were exposed.
THAT'S AWFUL - but in all honesty, it was an accident waiting to happen.
All of the major robberies, and with this I include hacks who embark on unapproved removal of an asset - successful or failed, have focused on BIG targets - whether it be the US elections, Beyoncé's jewels, banks, Brinks trucks, the Royal Mail train in 1963, UBER, Hyatt, Target, Home Depot, Cathay Pacific, Dunkin Donuts, USPS, DELL, EMC, Yahoo, or an Apple Store. These are all high-profile targets which have been like honeypots to these felons. Marriott, which now includes Starwood, has grown so huge, it inadvertently put itself firmly and squarely in their sights and became a sitting target. It was really just a matter of time before the inevitable happened - and they would be hit.
Sadly, but not surprisingly, we live in a world which is also unfortunately populated by people with malicious intent who either do this for kicks or are commercially driven based on the potential value of the data which can be sold or exchanged for crypto on the dark web. One may even be tempted to classify this event as an act of cyberterrorism or espionage. And let's not forget the lawyers - the wolves at the door [aka Ambulance chasers], just waiting to lay stake to a class action claim. It's a sad reality - and so I feel sorry for Marriott.
As a Consultant to the industry, [and in full transparency, I have done work for Marriott so I have had a close perspective on how they operate], I know for a fact that this hotel group and so many other companies go to great lengths and expense to exercise duty of care and use their best endeavors to protect the data given to them for safekeeping so they can provide the best services to their clients. They constantly implement and update hardware defenses, employ tokenization and various encryption protocols for PCI DSS compliance as well as perform extensive vetting of software and hardware vendors, hosting/cloud providers and employees who handle the data. And while we are on the subject of vetting perspective vendors, look at the recent hoo-hah surrounding Huawei and the position some governments took in regards using them for their 5G data networks.
Some of the data collected by hotels are for Government compliance, and some for marketing purposes - but the overarching reason is to provide great personalized service. The heavy burden of keeping that data safe is only compounded by government legislation imposed in certain countries and jurisdictions, which add yet another layer to the firewall - one of those being the recent GDPR [General Data Protection Regulation] introduced in Europe on 25th May 2018. I'm very sure more jurisdictions will follow to include the Cybersecurity laws of China, and who knows what Brexit may bring if they install physical borders for the movement of people, then it's almost foreseeable, data flow controls will follow.
But the inevitable reality is that there will be individuals, corporations, some possibly state-sponsored, lurking in the dark with evil intent. Do you really stand a chance against them and their specialized tools? As fast as the security device companies find a new way to secure or encrypt data - someone cracks it with some kind of wizardry or an even bigger hammer. We've seen many instances where companies such as Apple have released a new version of a software, only to have it cracked the next day - and so the process of closing that breach has to happen with panic-stricken Elves working overtime. Don't kid yourselves, this is a full-time problem internally and externally - akin to shoring dikes when flooding occurs. Once you sandbag part of the wall, another crack appears and so on.
For the last forty years, hotels have, albeit gradually, embraced technology to help process, control and digest the enormous amounts of personal and transactional data that passes through its walls with one major element being Central Reservations [CRES] often with GDS connections. Some of these systems have been around for a very long time and could probably do with an upgrade - maybe utilizing Blockchain. When people make bookings - we use that data to allocate accommodation, provide various services, and associated logistics. The technology came with a promise to make things better - it was to enhance manpower, provide faster and more accurate access to data, and let's not forget, deliver personal service - every Hoteliers dream, by matching the guest's expectation. However, when you collect something valuable like terabytes, petabytes or even zettabytes of personal data about people - that's such an attractive honeypot.
I am hopeful that the data forensics team will comb through any crumbs or fingerprints that may have been left behind - and do whatever it takes to seek out and bring the infiltrators to justice.
One has to ask oneself - Is there a solution? Well, I for one, don't have an answer for this - I suspect though it will get worse before it gets better, and that's a sad fact also. The more data we expose, be it to places like Hotels or on Social Media, the more likely it will be targeted and used for dastardly purposes and so I repeat myself when I say, "I feel sorry for Marriott" and I can feel other hoteliers thinking - "there but for the grace of God, go I".
But as is often the case, we need a disaster to happen before things get fixed and so hopefully, this will be a loud enough wake-up call for technology suppliers, governments and industry bodies to find a solution. And to these entities - I throw down my gauntlet
© 4th December 2018