If you’ve held a meeting at a Westin, Sheraton, St. Regis, or other hotel brand under the former Starwood umbrella in the last four years, your attendees—and you—might be victims of a serious data breach. On November 30, Marriott International revealed that Starwood, which it acquired in 2016, had been hacked going back to 2014, exposing the personal information of up to 500 million guests.
Marriott says the hackers stole information that included names, phone numbers, email addresses, passport numbers, dates of birth, gender, and arrival and departure information of 327 million people. For millions of others, credit card numbers and their expiration dates may have also been revealed.
Marriott has begun sending emails to affected guests and has established a dedicated website (info.starwoodhotels.com) and a call center to answer questions. The Marriott brands affected by the breach include Westin, Sheraton, St. Regis, W Hotels, The Luxury Collection, Le Meridien, Tribute Portfolio, Element, Aloft, and Four Points by Sheraton.
Corbin Ball, president of meetings-technology consultancy Corbin Ball Associates, notes that this data breach will be felt widely across the business travel market. What's more, “there is not much meeting professionals can directly do to solve this, except to push Marriott to respond quickly and transparently in addressing the issue,” he says. In addition to a call center to respond to questions, Marriott is providing WebWatcher free of charge for one year. The service monitors Internet sites where personal information is shared and generates an alert if the consumer’s personal information is found. For guests from the U.S., the service also includes fraud consultation and reimbursement coverage. “We [business travelers] all need to monitor our credit card activity carefully through such services,” says Ball. “There is likely major exposure to General Data Protection Regulation penalties as well” for Marriott.
While this data breach is unique for its sheer size—CNN reports that it’s the second largest in history—attorney Joshua Grimes of Grimes Law Offices in Philadelphia reminds meeting professionals that data protection is a critical issue that's not going to disappear. “The Marriott data breach is just the latest revelation that personal data of hotel guests was compromised by hackers,” he says. “Data theft has affected other hospitality and meeting industry companies, as well as many other businesses. Meeting professionals need to be proactive” regarding data security within their own organization and among the suppliers they use.
Grimes recommends these five steps to minimize and mitigate your future risk related to attendees' personal data:
• Make sure your computers and networks are secure by running antivirus software, changing passwords regularly, and educating personnel on avoiding risky websites.
• Give attendees’ personal information only to businesses that provide demonstrable assurances that they take all reasonable measures to protect your data and secure their networks from hacking.
• In your written contracts, include clauses indemnifying your organization from damages caused to you and your customers if a contractor's computers are hacked.
• Secure a cyber-insurance policy for your organization to help mitigate the financial effects of a cyber-security breach.
• If your organization and/or your customers are covered by the General Data Protection Regulation of the European Union, make sure that everyone receiving personal data of attendees, exhibitors, and others is GDPR-compliant in terms of disclosures and handling of data.