Public trust at risk in data breach
May 20 2010

With so much at risk and threats so pervasive, a full-court press will be needed from the hotel industry to regain and secure the public’s trust.

Editor's note: This is the fifth installment in a seven-part series about hotel information data security.

It could be argued that when companies are attacked by computer hackers who loot customer credit card numbers or other personal data, they are as much the victims as their customers. The question for the hotel industry is, who will guests hold accountable—the hackers or the hotel brands?
As data breaches become more commonplace in the hotel industry, with Radisson Hotels & Resorts, Wyndham Worldwide and a Westin hotel most recently falling prey to cyber criminals, the public’s patience with apologies and excuses can be expected to wane. If brands fail to protect data, will guests continue to trust them with their credit cards and patronage?

Reputational damage

Consider the reputational damage suffered by Radisson following its admission last fall that computers at some of its hotels in North America were breached between November 2008 and May 2009. Network World reported Radisson didn’t realize its guest data was compromised until alerted by credit card companies and processors.

In an open letter to guests posted on Radisson’s website, executive VP and COO Fredrik Korallus revealed that credit and debit card numbers, expiration dates and guest names may have been compromised, noting “the number of potentially affected hotels involved in the incident is limited.”

The latter comment hardly could have proved comforting to Radisson guests, who would not know whether they had stayed at one of those hotels and now have to shoulder the extra time and effort to check their bank and credit accounts for bogus transactions.

Wyndham’s response

The Wyndham data breach, discovered by the company in January and publicly acknowledged in late February, was particularly embarrassing and potentially more damaging to the brand’s reputation because it was the third hacking reported by the company in a 12-month period.

Unlike Radisson, which issued a news release to alert the public about the potential threat, Wyndham chose to share information with reporters in response to questions. Wyndham did post an open letter on its website along with frequently asked questions and a data breach claim form—if you can find them.

A search of Wyndham’s website by entering the search terms “open letter,” “breach,” “data breach,” “identity theft” and “payment card” in the site’s own search field failed to turn up the letter, FAQs or claim form. But I found the documents by researching online news stories, which included links to the pages.

The letter, signed by Kirsten Hotchkiss, senior VP, enterprise compliance and employment counsel, said the company believes no more than 37 Wyndham-branded hotels and resorts were involved, and “it is unlikely that identity theft will occur” because personally identifying information was “not at risk of compromise.”

Furthermore, she noted Wyndham provided each of the major credit card issuers with “card numbers that potentially could have been accessed” so that those companies “could take any appropriate action to protect their customers from possible misuse of the cards.” Wyndham also provided a toll-free number for guests to call for information.

“Never mind three strikes and you’re out,” said Paul McNamara in the 4 March issue of Computerworld. “How about three strikes and I’ve got to ask myself if I even want to be in one of your hotels in the first place?”

Kelly Todd, a project manager for DataLossDB, which tracks and compiles information about data breaches, told Computerworld in that article, “Personally, I’d try my best to avoid using any business that suffered multiple breaches in a relatively short time frame.”

In a twist of irony, Wyndham neglected to encrypt its online data breach claim form. That means the information submitted by each potential data breach victim could once again be exposed to prying eyes. While the form does not request credit card numbers, it does include fields for the guest’s name, address, telephone number, e-mail address and Wyndham ByRequest number.

Barbara Hernandez expressed concern about Wyndham’s commitment to data security in a BNET travel blog posted 3 March. “Unless Wyndham requires its properties to have uniform and solid security measures, these data breaches will continue,” she said.  “Perhaps it may take customers avoiding the hotel chain for Wyndham to realize the extent of the security risk.”

Corporate commitment and the hacker siege

Questions about corporate commitments to data security come at a time when the hackers are laying veritable siege to the hotel industry. SpiderLabs, a unit of data-security firm Trustwave, recently disclosed that 38 percent of its data-breach investigations in 2009 involved hotels, according to The Wall Street Journal.

The website Info Security cited the most recent reported hospitality data breach, which affected restaurant and valet parking transactions at The Westin Bonaventure Hotel and Suites in Los Angeles, as “further proof that the hospitality is becoming a prime target for hackers.”
Wyndham and Radisson both offered affected guests free online credit monitoring services for a year, although The Westin Bonaventure did not. While online credit monitoring services warn consumers when an unauthorized account is established in their name, they do not warn about unauthorized charges posted to existing accounts.

Barbara De Lollis of USA Today examined the broader industry impact in her 2 March Hotel Check-In blog, noting that most security breaches are discovered by credit card companies—not hotel companies—after guest names, credit card numbers and other sensitive data already have been stolen.

The notion of responsibility was raised by one of her readers, who posted a comment saying “hotels and airlines as well as every other business should be held accountable for failing to provide adequate security for their customers.” USA Today readers concurred by “recommending” that comment more than any other on the topic.

The extraordinary efforts made by hotel brands to collect detailed information about individual guests, often under the guise of collecting preferences to provide better service or enrolling guests in frequent traveler programs, make their computers compelling targets and increase the potential consequences of failure to protect them.

“Hotel databases are a fantastic target for identity thieves,” said Stephen Wilson of the Lockstep Group, quoted in a 20 August 2009 article in SC Magazine about the Radisson breach.

“Hotels don’t just hold credit card numbers and billing addresses (which are held for weeks in advance of a stay and for weeks afterwards to secure incidentals), but for many customers the hotel also has their home address, driver license number, airline memberships and passport number, as frequently collected by hotels in Asia,” he said.  “It’s a complete cornucopia for criminals.”

The industry’s response

With so much at risk and threats so pervasive, a full-court press will be needed to regain and secure the public’s trust. Hotel brands must own up to security shortcomings, disclose plans for fixing their problems (without, of course, revealing information useful to the crooks), commit to data-security standards established by the PCI Security Standards Council and pledge prompt, public notification of any future breaches.

The English poet William Blake said, “It is easier to forgive an enemy than to forgive a friend.” If there is truth in that observation, then hotel brands would be wise to act to protect their customer relationships now, before cyber criminals rob them of something more valuable than credit card numbers.

Rich Roberts (rich@rdrpr.com) is a 35-year communications veteran who has worked for two of the world’s largest lodging franchisors. He now is president of RDR PR LLC, which provides media relations, speech writing, executive communications, internal communications and crisis communications counseling and services. Through a network of affiliates, he also offers Web design and content, graphic design and printing and This Just In, a low-cost television advertorial product.

The opinions expressed in this column do not necessarily reflect the opinions of or its parent company, Smith Travel Research and its affiliated companies. Columnists published on this site are given the freedom to express views that may be controversial, but our goal is to provoke thought and constructive discussion within our reader community. Please feel free to comment or contact an editor with any questions or concerns.

6/23/2010 10:08:00 AM
This pandemic problem is NOT all IT and HR Dept. need to STOP thinking of it as an IT problem. People need to understand this is IN the EMPLOYEE WORK PLACE. It's the employees we hire.
Janice Taylor-Gaines
6/3/2010 11:13:00 AM
Great article highlighting the need for everyone to have a much higher computer/data security awareness. Check a (free) blog, "The Business-Technology Weave" (can Google to it) - it reflects what this article is saying. The majority of breaches are due to human error, therefore awareness and common sense are key, in supporting all necessary best practices. The blog author also has a book we use at work, "I.T. WARS" (you can Google that too). It has a great Security chapter, and others that treat security. Highly recommended. Great stuff.

Copyright © 2004 - 2016 Hotel News Now, a division of STR, Inc. All Rights Reserved.