Editor's note: This is the fifth installment in a seven-part series about hotel information data security.
It could be argued that when companies are attacked by computer hackers who loot customer credit card numbers or other personal data, they are as much the victims as their customers. The question for the hotel industry is, who will guests hold accountable—the hackers or the hotel brands?
As data breaches become more commonplace in the hotel industry, with Radisson Hotels & Resorts, Wyndham Worldwide and a Westin hotel most recently falling prey to cyber criminals, the public’s patience with apologies and excuses can be expected to wane. If brands fail to protect data, will guests continue to trust them with their credit cards and patronage?
Reputational damage
Consider the reputational damage suffered by Radisson following its admission last fall that computers at some of its hotels in North America were breached between November 2008 and May 2009. Network World reported Radisson didn’t realize its guest data was compromised until alerted by credit card companies and processors.
In an open letter to guests posted on Radisson’s website, executive VP and COO Fredrik Korallus revealed that credit and debit card numbers, expiration dates and guest names may have been compromised, noting “the number of potentially affected hotels involved in the incident is limited.”
The latter comment could hardly have proved comforting to Radisson guests, who would not know whether they had stayed at one of those hotels and would now have to shoulder the extra time and effort of checking their bank and credit accounts for bogus transactions.
Wyndham’s response
The Wyndham data breach, discovered by the company in January and publicly acknowledged in late February, was particularly embarrassing and potentially more damaging to the brand’s reputation because it was the third hacking reported by the company in a 12-month period.
Unlike Radisson, which issued a news release to alert the public about the potential threat, Wyndham chose to share information with reporters in response to questions. Wyndham did post an open letter on its website along with frequently asked questions and a data breach claim form—if you can find them.
Entering the search terms “open letter,” “breach,” “data breach,” “identity theft” and “payment card” in the site’s own search field failed to turn up the letter, FAQs or claim form. But I found the documents by researching online news stories, which included links to the pages.
The letter, signed by Kirsten Hotchkiss, senior VP, enterprise compliance and employment counsel, said the company believes no more than 37 Wyndham-branded hotels and resorts were involved, and “it is unlikely that identity theft will occur” because personally identifying information was “not at risk of compromise.”
Furthermore, she noted Wyndham provided each of the major credit card issuers with “card numbers that potentially could have been accessed” so that those companies “could take any appropriate action to protect their customers from possible misuse of the cards.” Wyndham also provided a toll-free number for guests to call for information.
“Never mind three strikes and you’re out,” said Paul McNamara in the 4 March issue of Computerworld. “How about three strikes and I’ve got to ask myself if I even want to be in one of your hotels in the first place?”
Kelly Todd, a project manager for DataLossDB, which tracks and compiles information about data breaches, told Computerworld in that article, “Personally, I’d try my best to avoid using any business that suffered multiple breaches in a relatively short time frame.”
In a twist of irony, Wyndham neglected to encrypt its online data breach claim form. That means the information submitted by each potential data breach victim could once again be exposed to prying eyes. While the form does not request credit card numbers, it does include fields for the guest’s name, address, telephone number, e-mail address and Wyndham ByRequest number.
Barbara Hernandez expressed concern about Wyndham’s commitment to data security in a BNET travel blog posted 3 March. “Unless Wyndham requires its properties to have uniform and solid security measures, these data breaches will continue,” she said. “Perhaps it may take customers avoiding the hotel chain for Wyndham to realize the extent of the security risk.”