Monday, December 03, 2018

Marriott's Data Breach: Not In Our Line of Work

Back when I attended Cornell for my master's degree, I learned that one of the stronger academic programs on campus was what is now called the Cornell School of Hotel Administration.  There was even an actual hotel on campus run by undergrads in the program, and reportedly (I never stayed there) it was one of the best hotels in Ithaca, and quite reasonably priced.  But this was back in the days when guests registered by signing a physical registration blank, which was filed in a file cabinet.  Advance registrations were made by phone or letter, although faxes were just beginning to be used in 1976. 
In order to steal a guest's registration information, a thief would have to break into the hotel office (which was staffed 24/7, meaning it would have to be robbery, not burglary) and carry off piles of paper.  And even if he did, the only records he'd get would be the ones from that particular hotel.

Fast forward to last Friday, Nov. 30, when Marriott, the largest hotel chain in the world, announced that their Starwood chain, purchased in 2016, had suffered one of the largest data breaches on record, beginning in 2014 and affecting possibly some 500 million customers worldwide.  Besides the usual name, address, phone number, and email info, this breach may also have compromised passport and credit card numbers, although the latter were encrypted.  Today's sophisticated cybercriminals have shown that decryption is not beyond their capabilities, however.  Details of the breach are still sketchy, as the news release from Marriott indicated only that an unauthorized party copied and encrypted information within their system and "took steps toward removing it," although whether it was actually stolen is not clear from the announcement.  Nevertheless, the possibility exists, and this knowledge is less than comforting to the millions of Starwood guests whose personal data may have been stolen.

It used to be that running a hotel, or even a hotel chain, didn't require you to be a world-class information technology expert.  But hotels eventually saw the advantages of centralizing their electronic records so that no matter where their guests travel, the same information is available and discounts and other favored-customer perks can be applied instantly all around the globe.  The same overwhelming network advantages that often transform a slight numerical superiority in a network situation into a practical monopoly apply to hotels as well as to telecom companies, Internet providers, and other network-intensive businesses.  And such concentrations of data are attractive to sophisticated cybercriminals who aren't going to waste their time on independent mom-and-pop businesses when the same amount of hacking effort can be rewarded with the personal records of 500 million people.

Human systems and organizations respond more slowly than the Internet to change, and I can't help but wonder whether part of the fault for the Marriott data breach lies with management of the Starwood organization, who may have been very good hoteliers, but less than competent IT managers.  It's too early to draw any conclusions, of course, but an interesting comparison can be drawn between hotel-running and banking, say.

Banks were into computers and their predecessors, IBM punch-card business machines and weird giant-typewriter-looking things called posting machines, back when the fanciest information technology you were likely to find in a hotel was the accountant's adding machine.  As the advantages of computerized banking became clear for purposes of check clearing, banks led the way in developing machine-readable checks and methods of securely sending financial data from place to place.  The spread of automated teller machines (ATMs) in the 1980s taught banks how to put secure networks in places where there was no actual bank, just an ATM.  Having been used to thinking about the possibility of theft constantly as a part of their business, banks naturally built up the security functions of their digital operations along with the operations themselves.  Their systems are by no means perfect, but even when data is stolen, they have devised rapid and effective methods to detect data breaches and to put a stop to their effects.  For example, if someone steals your credit card number, the credit-card issuer uses sophisticated buying-pattern software to raise a flag and check with you within hours to see whether illegitimate charges were made. 

While hotel people have long dealt with thefts of personal property from rooms, the notion that digital information gathered from customers can itself be more valuable than anything guests carry on their persons would have been a novel one, at any rate, to the hotel students attending Cornell when I was there.  And while I'm sure that Cornell's current hotel administration curriculum includes something about IT management, I suspect it's a recent innovation, and almost certainly wasn't taught forty years ago.  So it's not surprising that a type of business that historically wasn't that involved in digital systems turns out to be especially vulnerable to modern-day cybercriminals.

It's still not clear whether any Starwood customer information was actually used illegally, but such questions take time to answer.  That hasn't stopped some lawyers from filing a national class-action lawsuit against Marriott.  Both the lawyers and the cybercrooks are taking advantage of the fact that the Starwood chain tends to attract upscale customers who have both lots of money and connections worth stealing, and who are more likely to support a class-action lawsuit for that reason.  If your humble scribe has stayed at a hotel in the Starwood chain, I don't remember it, as my taste runs more to Best Western or La Quinta.

Still, for the sakes of the 500 million people affected, I hope this incident turns out to be less serious than it appears to be now.  And I bet that the IT management course at the Cornell School of Hotel Administration will cover the famous 2018 Marriott data breach as a case study in the future.

Sources:  I referred to reports on the data breach carried by NBC News at and the Hawaiian paper the Star Advertiser at
