02 February 2025

Marriott And Otelier Face Major Data Breach Settlements

Regulatory actions highlight the urgent need for improved cybersecurity protocols within the hospitality industry.

The hotel and hospitality industry has been rocked by significant data breaches over recent years, drawing attention from regulatory bodies and the media alike. Recently, the U.S. Federal Trade Commission (FTC) required Marriott International and its subsidiary Starwood Hotels & Resorts Worldwide to implement stringent data security measures following multiple breaches affecting millions of customers.

According to the FTC, three large data breaches between 2014 and 2020 affected more than 344 million customers globally. Samuel Levine, director of the FTC's Bureau of Consumer Protection, emphasized, “Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers.” This statement came alongside the announcement of new requirements for the hotel giant as part of the settlement.

To rectify these security lapses, both Marriott and Starwood have agreed to create and enforce a comprehensive information security program. Notably, they will also allow U.S. customers the option to request the deletion of their personal information associated with email addresses or loyalty accounts. “Protecting guests’ personal data remains a top priority for Marriott,” the company stated, affirming its commitment to improving data security practices across its global hotels.

Further underscoring the gravity of these breaches, Marriott agreed to pay $52 million to 49 states and the District of Columbia, resolving related allegations of inadequate data security practices. While the company has made no admission of liability concerning the underlying allegations, the financial penalty signals the serious risks posed by inadequately protected consumer data.

Hot on the heels of Marriott's settlement, Otelier, a software platform widely used by hotels for management operations, confirmed its own data breach impacting millions of customer records from establishments including Marriott, Hilton, and Hyatt. Between July and October of 2024, cybercriminals exploited compromised employee credentials to access and exfiltrate approximately 7.8 terabytes of sensitive data.

Details leaked included hotel guests’ personally identifiable information (PII) such as names, email addresses, phone numbers, and physical addresses. Otelier reported to Have I Been Pwned (HIBP) the apparent exposure of 39 million reservation records and up to 212 million user records. Although the data did not include victims’ full account passwords, attackers were able to steal booking information, putting customers at risk for targeted phishing attacks.

Otelier's response included hiring external cybersecurity experts to conduct forensic analysis and validation of its systems in order to mitigate future breaches. The company also stated, “We have implemented additional cybersecurity measures and are in contact with impacted victims.” The affected hotels are also working to reinforce data security, including suspending the automation services offered by Otelier.

The attack on Otelier exemplifies the vulnerability of customer data within the hospitality sector, which has become an increasingly attractive target for cybercriminals. The potential financial gain from exploiting personal information, especially that of high-net-worth clients, makes the hospitality industry particularly susceptible to such attacks.

Reflecting on the broader issue, the industry's vulnerability to data breaches has been revealed time and again. Notably, MGM Resorts suffered data breaches leading to $45 million settlements and the exposure of 10.6 million hotel guest records over multiple incidents. Hilton Hotels has faced similar challenges, with breaches resulting in significant settlements following the exposure of over 363,000 guest accounts. Adding to this, Hyatt Hotels experienced data breaches compromising credit card information between March and July of 2017, and 250 hotels were attacked by skimmers across approximately 50 countries.

These incidents point not only to individual hotel failings but to systemic issues across the industry. The Federal Trade Commission's involvement, alongside class-action lawsuits and public outcry, puts pressure on hotels to establish rigorous data security protocols that protect sensitive customer information effectively.

Experts warn that the hospitality industry must remain vigilant, especially as threat actors continuously refine their methods and exploit any vulnerabilities left unchecked. Recent developments show that prolonged delays in addressing security gaps can lead to even more severe repercussions for organizations that neglect their cybersecurity obligations.

Despite Marriott’s recent efforts and promises to improve its security practices, the question remains: will existing frameworks and regulations be sufficient to thwart future attacks on the hotel sector?