Back when I attended Cornell for my master's degree, I learned that one of the stronger academic programs on campus was what is now called the Cornell School of Hotel Administration. There was even an actual hotel on campus run by undergrads in the program, and reportedly (I never stayed there) it was one of the best hotels in Ithaca, and quite reasonably priced. But this was back in the days when guests registered by signing a physical registration blank, which was filed in a file cabinet. Advance registrations were made by phone or letter, although faxes were just beginning to be used in 1976.
In order to steal a guest's registration information, a thief would have to break into the hotel office (which was staffed 24/7, meaning it would have to be robbery, not burglary) and carry off piles of paper. And even if he did, the only records he'd get would be the ones from that particular hotel.
Fast forward to last Friday, Nov. 30, when Marriott, the largest hotel chain in the world, announced that their Starwood chain, purchased in 2016, had suffered one of the largest data breaches on record, beginning in 2014 and affecting possibly some 500 million customers worldwide. Besides the usual name, address, phone number, and email info, this breach may also have compromised passport and credit card numbers, although the latter were encrypted. Today's sophisticated cybercriminals have shown that decryption is not beyond their capabilities, however. Details of the breach are still sketchy, as the news release from Marriott indicated only that an unauthorized party copied and encrypted information within their system and "took steps toward removing it," although whether it was actually stolen is not clear from the announcement. Nevertheless, the possibility exists, and this knowledge is less than comforting to the millions of Starwood guests whose personal data may have been stolen.
It used to be that running a hotel, or even a hotel chain, didn't require you to be a world-class information technology expert. But hotels eventually saw the advantages of centralizing their electronic records so that no matter where their guests travel, the same information is available and discounts and other favored-customer perks can be applied instantly all around the globe. The same overwhelming network advantages that often transform a slight numerical superiority in a network situation into a practical monopoly apply to hotels as well as to telecom companies, Internet providers, and other network-intensive businesses. And such concentrations of data are attractive to sophisticated cybercriminals who aren't going to waste their time on independent mom-and-pop businesses when the same amount of hacking effort can be rewarded with the personal records of 500 million people.
Human systems and organizations respond more slowly than the Internet to change, and I can't help but wonder whether part of the fault for the Marriott data breach lies with management of the Starwood organization, who may have been very good hoteliers, but less than competent IT managers. It's too early to draw any conclusions, of course, but an interesting comparison can be drawn between hotel-running and banking, say.
Banks were into computers and their predecessors, IBM punch-card business machines and weird giant-typewriter-looking things called posting machines, back when the fanciest information technology you were likely to find in a hotel was the accountant's adding machine. As the advantages of computerized banking became clear for purposes of check clearing, banks led the way in developing machine-readable checks and methods of securely sending financial data from place to place. The spread of automated teller machines (ATMs) in the 1980s taught banks how to put secure networks in places where there was no actual bank, just an ATM. Having been used to thinking about the possibility of theft constantly as a part of their business, banks naturally built up the security functions of their digital operations along with the operations themselves. Their systems are by no means perfect, but even when data is stolen, they have devised rapid and effective methods to detect data breaches and to put a stop to their effects. For example, if someone steals your credit card number, the credit-card issuer uses sophisticated buying-pattern software to raise a flag and check with you within hours to see whether illegitimate charges were made.
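To make the "buying-pattern software" idea concrete, here is a toy version of the kind of rule-based flagging an issuer might run over a card's transaction history. It is an added illustration, not code from the original post or from any bank; the transaction history, the three rules (outsized amount, never-seen merchant category, and an impossible change of country within a few hours), and the thresholds are all constructed assumptions for the example.

```python
"""Toy buying-pattern flagging for one payment card.

Added illustration, not from the original post. The history, rules and
thresholds are assumptions constructed for this example."""
from datetime import datetime, timedelta
from statistics import median

# Constructed sample history for one card:
# (timestamp, amount in USD, merchant category, country of the merchant)
HISTORY = [
    (datetime(2018, 11, 1, 9, 5), 42.10, "grocery", "US"),
    (datetime(2018, 11, 3, 18, 40), 65.00, "restaurant", "US"),
    (datetime(2018, 11, 7, 12, 15), 38.75, "grocery", "US"),
    (datetime(2018, 11, 12, 8, 0), 120.00, "hotel", "US"),
    (datetime(2018, 11, 20, 14, 30), 55.20, "fuel", "US"),
]

# Two constructed incoming transactions to screen against that history.
LEGIT_TX = (datetime(2018, 11, 25, 10, 0), 47.30, "grocery", "US")
SUSPECT_TX = (datetime(2018, 11, 20, 16, 0), 900.00, "electronics", "RO")


def flag_transaction(history, tx, amount_factor=5.0, velocity_hours=6):
    """Return the list of reasons `tx` looks unlike the card's past use.

    Assumed rules (thresholds are arbitrary choices for the example):
      1. amount more than `amount_factor` times the card's median spend
      2. merchant category never seen on this card before
      3. merchant country differs from the most recent transaction's
         country within `velocity_hours` (a single traveller could not
         plausibly have made both purchases)
    An empty list means the transaction passes all three checks."""
    reasons = []
    ts, amount, category, country = tx

    typical = median(amount for _, amount, _, _ in history)
    if amount > amount_factor * typical:
        reasons.append(
            f"amount {amount:.2f} exceeds {amount_factor:g}x median {typical:.2f}"
        )

    seen_categories = {cat for _, _, cat, _ in history}
    if category not in seen_categories:
        reasons.append(f"unseen merchant category '{category}'")

    # Most recent prior transaction, regardless of list order.
    last_ts, _, _, last_country = max(history, key=lambda h: h[0])
    if country != last_country and ts - last_ts < timedelta(hours=velocity_hours):
        reasons.append(
            f"country {country} within {velocity_hours}h of {last_country}"
        )
    return reasons


def screen(history, transactions):
    """Screen a batch; returns (transaction, reasons) pairs for flagged ones.

    A transaction that passes is appended to the history so later
    transactions are judged against the updated pattern."""
    flagged = []
    working = list(history)
    for tx in sorted(transactions, key=lambda t: t[0]):
        reasons = flag_transaction(working, tx)
        if reasons:
            flagged.append((tx, reasons))
        else:
            working.append(tx)
    return flagged


if __name__ == "__main__":
    for tx, reasons in screen(HISTORY, [LEGIT_TX, SUSPECT_TX]):
        print(tx[0].isoformat(), tx[1], tx[2], tx[3])
        for r in reasons:
            print("  ->", r)
```

The point of the example is the contrast the post draws: the card issuer does not need to know that a breach happened anywhere to notice that a card is suddenly being used in a way its history does not support, and that is what lets it contact the customer within hours. Real issuer models use far more signals than three hand-written rules, but the shape is the same.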
While hotel people have long dealt with thefts of personal property from rooms, the notion that digital information garnered from customers can itself be more valuable than anything that guests carry on their persons is a novel one to the hotel students who were attending Cornell when I was there, at any rate. And while I'm sure that Cornell's current hotel administration curriculum includes something about IT management, I suspect it's a recent innovation, and almost certainly wasn't taught forty years ago. So it's not surprising that a type of business that historically wasn't that involved in digital systems turns out to be especially vulnerable to modern-day cybercriminals.
It's still not clear whether any Starwood customer information was actually used illegally, but such questions take time to answer. That hasn't stopped some lawyers from filing a national class-action lawsuit against Marriott. Both the lawyers and the cybercrooks are taking advantage of the fact that the Starwood chain tends to attract upscale customers who both have lots of money and connections worth stealing, and who are more likely to support a class-action lawsuit for that reason. If your humble scribe has stayed at a hotel in the Starwood chain, I don't remember it, as my taste runs more to Best Western or La Quinta.
Still, for the sake of the 500 million people affected, I hope this incident turns out to be less serious than it appears to be now. And I bet that the IT management course at the Cornell School of Hotel Administration will cover the famous 2018 Marriott data breach as a case study in the future.