The hospitality and travel industries have attracted some of the most significant cybercrime incidents in the last few years, and there are several reasons for this. The sector deals with billions of transactions, uses rich customer data, and relies on many layers of third-party vendor technologies. This is a system ripe for sophisticated hackers to exploit.
When Starwood Hotels and Resorts reported that its guest database of 500 million customers was stolen, it was shocking by virtue of the scale of the breach. But perhaps the most unexpected news is that while this “unauthorized access” was discovered in early September of this year, it can be traced back to 2014.
You may remember that in 2015 Starwood had to notify customers of another massive data compromise:
“Starwood informed consumers about the discovery of malware on computer systems involving Sheraton, Walt Disney World Dolphin, Westin, St. Regis, and W Hotel properties. While news of any data loss can cripple business relations, this announcement came just four days after Marriott International and Starwood announced a merger, involving a $12.2 billion buyout of Starwood by Marriott.”
There are no reports yet that link these two events, but it does raise the question: “How was this missed?” While the specifics around this latest incident have not been publicly disclosed, Starwood has confirmed that the stolen information for approximately 327 million guests includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
Travel and hospitality companies must see this as a warning of an accelerating trend. The processes governing the capture and storage of rich customer data must be re-evaluated.
Here are two vulnerable areas to assess:
Third-party technology vendors
Travel and hospitality companies rely on multiple third parties to book related services such as airline and car rental partners. They also have a growing reliance on point-of-sale tools, such as kiosks and other remote terminals – all in the name of customer convenience – and these layers add system management and security complexity unparalleled in other verticals.
We can confirm that a lack of oversight of vendor access leads to compromised data. Industry statistics indicate that 63% of data breaches involve third-party vendors, making this a leading threat to enterprise security.
In Europe, increased regulatory scrutiny because of GDPR has secured headlines. But compliance by companies around the world has not yet followed. In the case of Starwood, the incident may have occurred as far back as 2014. The new requirements global brands must adhere to may help tighten up internal security processes. However, given this delayed discovery of stolen data, it appears the increased compliance demand has not yet made an impact.
The best defense is a good offense. Protect your network by understanding the assets most likely to be targeted, maintaining transparency around network and data access, and enforcing internal security best practices to firm up the front lines.