Marriott International is taking a $126 million hit to pay for the massive data breach discovered in its Starwood Hotels division in November 2018. The news reinforces the need for meeting planners to protect the data security of their attendees who book or stay at hotels.
The hotel giant reported in its latest quarterly report that it set aside the charge, which it anticipates will cover an approximately £99 million GDPR (General Data Protection Regulation) fine (approximately U.S. $120 million) the United Kingdom’s Information Commissioner’s Office announced it may levy.
The data breach affected approximately 383 million guest records, lower than initially estimated, including credit card information and passports.
The Starwood database breach is expected to far surpass the 2017 Equifax breach, which is estimated to have compromised the information of nearly 150 million customers.
It also resulted in the consumer credit reporting company offering a much publicized settlement to those affected by the breach.
Marriott discontinued the Starwood Reservations Database at the end of 2018, and offered to pay for passports affected by the breach in 2018.
The Marriott data breach is one of a number of customer data security breaches reported by major hotel chains in recent years, including IHG, which confirmed a major data breach at 12 of its properties in 2016, and Hyatt, which saw 41 hotels hit in 2017.
Marriott set up a website for customers to inquire about the breach shortly after the incident was discovered in November 2018: https://answers.kroll.com.
While it's impossible to completely safeguard yourself and attendees against data breaches, there are some general best practices that meeting planners can follow.
How to Help Protect Your Attendees' Data
Meeting planners should take the following precautions to shore up their cybersecurity:
- Understand what types of information you hold.
- Ask the right questions.
- Employ the right resources (internal or third-party).
- Use the right behavior (before, during and after an event).
- Modify agreements to address cybersecurity.
- Avoid USBs unless you know where they’re from and disable USB ports and Windows Help/Microsoft Support options at registration kiosks.
- Collect presentations in advance.
- Inform participants of social media policies.
- Have protocols for how to display business intelligence.
- Disconnect from the internet if it is not needed.
- Run registration information at a local level.
To protect credit card data, consider the following cybersecurity measures:
- Know how to recognize legitimate hotel booking sites.
- Don’t store information that you don’t need (called tokenization).
- Be careful about how you collect and give credit card information.
- Consider using paper for on-site registration forms, but realize that paper registration forms also carry risk.
More tips for shoring up your cybersecurity at meetings and events are available here.
Marriott Takes Steps to Protect Its Guests
Marriott said it has taken the following steps to help guests monitor and protect their information and also suggested some advice for those who fear their data is at risk.
Dedicated Website and Call Center for Marriott Guests
Marriott established a dedicated website (info.starwoodhotels.com) and call center to answer questions about the incident. The company said the frequently-asked questions on the dedicated website may be supplemented from time to time.
The call center is open seven days a week and is available in multiple languages.
Marriott noted that call volume may be high, and that it appreciated the patience of callers.
Email Notification to Affected Guests
Marriott began sending emails on a rolling basis, starting November 30, 2018, to affected guests whose email addresses are in the Starwood guest reservation database.
Free WebWatcher Enrollment for Guests
Marriott is providing guests the opportunity to enroll in WebWatcher free of charge for one year.
WebWatcher monitors internet sites where personal information is shared and generates an alert to the consumer if evidence of the consumer’s personal information is found. Due to regulatory and other reasons, WebWatcher or similar products are not available in all countries.
Guests from the United States who activate WebWatcher will also be provided fraud consultation services and reimbursement coverage for free.
To activate WebWatcher, visit info.starwoodhotels.com.
What to Do If Your Personal Information Is Stolen
According to the Credit Sesame website, consumers should take the following five steps if they have been a victim of identity theft in order to prevent further damage:
Action Item No. 1: Contact Any Institution Directly Affected
If you know your credit card was stolen, report the theft to the credit card issuer. If your checkbook or debit card was stolen, contact your bank. For this step it’s really helpful if you’ve prepared a list of institutions and phone numbers in advance.
Don’t write down account numbers, PINs or passwords—that would be just one more way for a thief to gain access to your personal information. But know what you’ve got.
Keep a list of what’s in your wallet, along with the contact information for each item.
The best place to keep this list is on an encrypted secure online file storage site.
Action Item No. 2: Contact the Federal Trade Commission (FTC)
File an Identity Theft Affidavit and a police report (see No. 3 below), and create an Identity Theft Report. You can file your report online, by phone (toll-free): 1-877-ID THEFT (877-438-4338); TDD (toll-free): 1-866-653-4261, or by mail—600 Pennsylvania Ave., Washington DC 20580. The FTC will provide you with information about what to do next.
Action Item No. 3: File a Police Report
To complete the Identity Theft Report, you’ll need to contact your local law enforcement office and report the theft. Be sure to get a copy of the police report and/or the report number.
Both your police report and the FTC Identity Theft Affidavit combine to create your Identity Theft Report.
Your Identity Theft Report will help you when working with the credit reporting agencies or any other entities the identity thief may have contacted to open accounts in your name.
Action Item No. 4: Protect Your Social Security Number
If your social security number was or may have been compromised, contact the Social Security Administration (800-269-0271) and the Internal Revenue Service (800-829-0433).
Action Item No. 5: Contact the Post Office
If you have reason to believe the identity thief may have submitted a fraudulent change-of-address to the post office, contact the Postal Inspection Service, which is the law enforcement and security branch of the post office.
Editor's Note: Lifehacker also provided some general tips for what to do in the event of a data breach that planners, suppliers or attendees may find useful.
Meeting Planners MUST Establish Duty of Care
No matter how much planners prepare, data breaches are bound to happen in our increasingly digitized world. However, it’s still important that meeting planners establish duty of care protocols to protect attendees. It is important to stay alert and protect attendee data.
This article was originally published on November 30, 2019. It was updated on August 7, 2019.