However, Marriott’s woes might be only just beginning. The inattention that the company has paid to data security issues, combined with the enormous scale of the personal information that has been lost, may very well draw the ire of the regulators tasked with ensuring that companies comply with the European-wide GDPR rules. Starwood may face significant financial penalties of up to four percent of its global annual revenue if it is found to be in breach of those rules.
Too little too late?
It seems bewildering (to say the least) that Marriott would not have noticed a security breach that had been ongoing since 2014 and has affected around half a billion of its customers. This is the second largest data breach in history, after the hacking of 3 billion Yahoo accounts, but far more serious than another unfortunate milestone in data security breaches, when about 150 million Under Armour MyFitnessPal diet and fitness app accounts were compromised. To say that the Marriott breach demonstrates a lack of focus is to understate the case to an almost ridiculous degree.
There have been cases where companies have engaged in merger activity without being aware of any potential data security issues at the organization they are purchasing. In the case of Marriott and Starwood, however, this may not have been the situation. The question therefore remains: was this an enormous failure to perform proper due diligence prior to snapping up Starwood in September of 2016 for $13 billion and creating the largest hotel chain in the world?
Marriott management should have been aware that the Starwood systems were vulnerable. After all, Starwood had been hacked in the past. In 2015, Starwood, along with other luxury hotel brands such as Trump Hotels and Mandarin Oriental, fell prey to credit card breaches. Malware aimed at stealing credit and debit card information was found on payment systems at restaurants and retail outlets in 54 Starwood hotels in the United States. Given this fact, the question of due diligence by Marriott must again come under the spotlight.
“We deeply regret this incident happened,” Marriott President and CEO Arne Sorenson said in a statement. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
Regulators starting their investigations
To say that authorities are not happy about the Marriott data breach is to grossly understate how seriously the matter is being treated.
The Attorney General of Maryland (where Marriott is headquartered), Brian Frosh, tweeted that his office was launching an investigation into the breach.
“The Marriott data breach is one of the largest and most alarming we’ve seen,” Frosh tweeted. “My office is launching an investigation to find out the circumstances that led to the breach and its impact on consumers.”
Barbara Underwood, the Attorney General of New York, also tweeted that she had opened an investigation into the breach.
“New Yorkers deserve to know that their personal information will be protected,” Underwood wrote.
In addition, the Federal Trade Commission is likely to investigate the Marriott breach, said David C. Vladeck, former director of the FTC’s Bureau of Consumer Protection and now a Georgetown Law professor. The FTC declined comment.
There can be no doubt that Marriott has been remiss in its approach to data security. The sensitive nature of the data that was subject to unauthorized access, as well as the number of years during which that access was, for all intents and purposes, ignored, point to a systemic failure on the part of the hotel chain. In fact, it could be characterized as gross negligence. One can only hope that Marriott and Starwood take swift action to ensure that a data breach of this kind does not happen again. They certainly fell short of what is required as far as data security is concerned, and the reputational and financial implications may very well prove devastating.