Editor's note: This is the fifth installment in a seven-part series about hotel information data security.
It could be argued that when companies are attacked by computer hackers who loot customer credit card numbers or other personal data, they are as much the victims as their customers. The question for the hotel industry is, who will guests hold accountable—the hackers or the hotel brands?
As data breaches become more commonplace in the hotel industry, with Radisson Hotels & Resorts, Wyndham Worldwide and a Westin hotel most recently falling prey to cyber criminals, the public’s patience with apologies and excuses can be expected to wane. If brands fail to protect data, will guests continue to trust them with their credit cards and patronage?
Consider the reputational damage suffered by Radisson following its admission last fall that computers at some of its hotels in North America were breached between November 2008 and May 2009. Network World reported Radisson didn’t realize its guest data was compromised until alerted by credit card companies and processors.
In an open letter to guests posted on Radisson’s website, executive VP and COO Fredrik Korallus revealed that credit and debit card numbers, expiration dates and guest names may have been compromised, noting “the number of potentially affected hotels involved in the incident is limited.”
The latter comment hardly could have proved comforting to Radisson guests, who would not know whether they had stayed at one of those hotels and would now have to shoulder the extra time and effort of checking their bank and credit accounts for bogus transactions.
The Wyndham data breach, discovered by the company in January and publicly acknowledged in late February, was particularly embarrassing and potentially more damaging to the brand’s reputation because it was the third hacking reported by the company in a 12-month period.
Unlike Radisson, which issued a news release to alert the public about the potential threat, Wyndham chose to share information with reporters in response to questions. Wyndham did post an open letter on its website along with frequently asked questions and a data breach claim form—if you can find them.
A search of Wyndham’s website by entering the search terms “open letter,” “breach,” “data breach,” “identity theft” and “payment card” in the site’s own search field failed to turn up the letter, FAQs or claim form. But I found the documents by researching online news stories, which included links to the pages.
The letter, signed by Kirsten Hotchkiss, senior VP, enterprise compliance and employment counsel, said the company believes no more than 37 Wyndham-branded hotels and resorts were involved, and “it is unlikely that identity theft will occur” because personally identifying information was “not at risk of compromise.”
Furthermore, she noted Wyndham provided each of the major credit card issuers with “card numbers that potentially could have been accessed” so that those companies “could take any appropriate action to protect their customers from possible misuse of the cards.” Wyndham also provided a toll-free number for guests to call for information.
“Never mind three strikes and you’re out,” said Paul McNamara in the 4 March issue of Computerworld. “How about three strikes and I’ve got to ask myself if I even want to be in one of your hotels in the first place?”
Kelly Todd, a project manager for DataLossDB, which tracks and compiles information about data breaches, told Computerworld in that article, “Personally, I’d try my best to avoid using any business that suffered multiple breaches in a relatively short time frame.”
In a twist of irony, Wyndham neglected to encrypt its online data breach claim form. That means the information submitted by each potential data breach victim could once again be exposed to prying eyes. While the form does not request credit card numbers, it does include fields for the guest’s name, address, telephone number, e-mail address and Wyndham ByRequest number.
Barbara Hernandez expressed concern about Wyndham’s commitment to data security in a BNET travel blog posted 3 March. “Unless Wyndham requires its properties to have uniform and solid security measures, these data breaches will continue,” she said. “Perhaps it may take customers avoiding the hotel chain for Wyndham to realize the extent of the security risk.”
Corporate commitment and the hacker siege
Questions about corporate commitments to data security come at a time when the hackers are laying veritable siege to the hotel industry. SpiderLabs, a unit of data-security firm Trustwave, recently disclosed that 38 percent of its data-breach investigations in 2009 involved hotels, according to The Wall Street Journal.
The website Info Security cited the most recent reported hospitality data breach, which affected restaurant and valet parking transactions at The Westin Bonaventure Hotel and Suites in Los Angeles, as “further proof that the hospitality is becoming a prime target for hackers.”
Wyndham and Radisson both offered affected guests free online credit monitoring services for a year, although The Westin Bonaventure did not. While online credit monitoring services warn consumers when an unauthorized account is established in their name, they do not warn about unauthorized charges posted to existing accounts.
Barbara De Lollis of USA Today examined the broader industry impact in her 2 March Hotel Check-In blog, noting that most security breaches are discovered by credit card companies—not hotel companies—after guest names, credit card numbers and other sensitive data already have been stolen.
The notion of responsibility was raised by one of her readers, who posted a comment saying “hotels and airlines as well as every other business should be held accountable for failing to provide adequate security for their customers.” USA Today readers concurred by “recommending” that comment more than any other on the topic.
The extraordinary efforts made by hotel brands to collect detailed information about individual guests, often under the guise of collecting preferences to provide better service or enrolling guests in frequent traveler programs, make their computers compelling targets and increase the potential consequences of failure to protect them.
“Hotel databases are a fantastic target for identity thieves,” said Stephen Wilson of the Lockstep Group, quoted in a 20 August 2009 article in SC Magazine about the Radisson breach.
“Hotels don’t just hold credit card numbers and billing addresses (which are held for weeks in advance of a stay and for weeks afterwards to secure incidentals), but for many customers the hotel also has their home address, driver license number, airline memberships and passport number, as frequently collected by hotels in Asia,” he said. “It’s a complete cornucopia for criminals.”
The industry’s response
With so much at risk and threats so pervasive, a full-court press will be needed to regain and secure the public’s trust. Hotel brands must own up to security shortcomings, disclose plans for fixing their problems (without, of course, revealing information useful to the crooks), commit to data-security standards established by the PCI Security Standards Council and pledge prompt, public notification of any future breaches.
The English poet William Blake said, “It is easier to forgive an enemy than to forgive a friend.” If there is truth in that observation, then hotel brands would be wise to act to protect their customer relationships now, before cyber criminals rob them of something more valuable than credit card numbers.
Rich Roberts (firstname.lastname@example.org) is a 35-year communications veteran who has worked for two of the world’s largest lodging franchisors. He now is president of RDR PR LLC, which provides media relations, speech writing, executive communications, internal communications and crisis communications counseling and services. Through a network of affiliates, he also offers Web design and content, graphic design and printing and This Just In, a low-cost television advertorial product.
The opinions expressed in this column do not necessarily reflect the opinions of HotelNewsNow.com or its parent company, Smith Travel Research and its affiliated companies. Columnists published on this site are given the freedom to express views that may be controversial, but our goal is to provoke thought and constructive discussion within our reader community. Please feel free to comment or contact an editor with any questions or concerns.