3 takeaways from Arne Sorenson’s testimony

Last week, Marriott International CEO Arne Sorenson testified before the U.S. Senate regarding last fall’s hack of its Starwood guest reservation database. Sorenson apologized for the breach and offered a timeline of events in a statement.

According to updated numbers, the incident involved approximately 18.5 million encrypted passport numbers and approximately 5.25 million unencrypted passport numbers, about 663,000 of which are associated with the U.S. For payment cards, the incident involved approximately 9.1 million encrypted payment card numbers, of which approximately 385,000 were unexpired as of September 2018. “Thus far, we have not received any substantiated claims of loss from fraud attributable to the incident,” Sorenson said in his testimony.

Mark Begor, CEO of Equifax (Left) and Arne Sorenson, CEO of Marriott International are sworn in during a U.S. Senate Homeland Security and Governmental Affairs Committee hearing on Capitol Hill, March 7 in Washington, DC. The committee heard testimony on investigations examining private sector data breaches. (Mark Wilson | Getty Images)

HOTELS spoke with Robert Cattanach, a partner at the international law firm Dorsey & Whitney, on what Sorenson’s testimony means for Marriott and the hotel industry at large. (Cattanach has previously worked as a trial attorney for the United States Department of Justice and was also special counsel to the Secretary of the Navy.)

HOTELS: What kind of short- and long-term impact do you expect this will have on Marriott?

Robert Cattanach: The biggest concern is erosion of trust. Consumers have choices, and, all things being equal, are more likely to consider other options. This is not to say that there will be some mass migration away from Marriott, but one pauses to consider how much companies like Marriott spend to promote their brand generally and the past compromises will require some time and money to bring back the customer connection to where it was pre-breach.

H: Are we really going to see these kinds of large-scale breaches lead to a change in U.S. federal security requirements? (Or is this just a very public slap on the wrist for Marriott?)

RC: The Marriott breach was just the latest in what appears to be a never-ending cycle of data compromises. The state legislators are already taking matters into their own hands by enacting more aggressive security requirements, so even legislators sympathetic to the plight of businesses being exploited by hackers are facing pressure from those very same businesses to provide some uniformity in regulation at a federal level to relieve businesses of the burden of complying with a plethora of one-off state requirements.

H: What was the biggest mistake Marriott made in its handling of the Starwood breach? What could it have done better? Has it done enough for affected customers?

RC: This was not a one-off event, which suggests that the corporate culture of the company with regard to data security was seriously flawed. No company is perfect, but the lapses here suggest that the top leadership of the company failed to make customer data security a core value. Hindsight is always 20-20, so it’s easy to say Marriott should have done specific things, but that misses the point: top management simply didn’t stress the importance of data security, and the result was inevitable.

Affected customers will expect two things: 1. Tell me what specific things you are doing to make sure this does not happen again; and 2. Show me that you care about the concerns I now have about my data – not just the usual promise of credit monitoring (which as a practical matter is virtually meaningless) but give me something that I value to show that you care — maybe a complimentary night’s stay, a voucher, but something I can actually use.
