Franchisees to Feel Hit of Marriott’s Hack, 500 Million Consumers Affected

Hacked graphic

On Friday, Marriott International, Inc. announced that the records of some 500 million guests from its Starwood hotels reservation system have been hacked. The cybercrime is the second largest known hack in history, second only to the 3 billion Yahoo customers whose information was stolen by alleged “state-sponsored actors,” who were later officially charged by the FBI.

Marriott’s breach was discovered on September 8, 2018, and went back as far as 2014. The stolen records contained passport, credit card and other guest information.

“We deeply regret this incident happened,” said Arne Sorenson, Marriott’s president and chief executive officer.  “We will also continue to support the efforts of law enforcement and to work with leading security experts to improve.  Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”

Lessons to be learned

When Marriott announced it was buying the Starwood hotels and resorts brand in November 2015 for nearly $14 billion, it would acquire a reservation system that had already been hacked for nearly a year. Starwood itself announced a few days later that the database affecting 54 of its properties had been hacked.

Marriott would finalize its acquisition of Starwood in September 2016, cyberbreach and all.

Now as 2018 draws to a close, Marriott says 327 million consumers who made a reservation at a Starwood hotel property— e.g. Westin, Sheraton, Ritz Carlton, Le Meridien — could have had their name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, communication preferences, or combinations thereof hacked.

Marriott over the last several months had been working hard to integrate Starwood’s loyalty program with Marriott’s.

Journalist and cybersecurity expert Brian Krebs advises companies that lessons can be learned from Marriott’s huge hack. “Assume you are compromised,” he warns other companies on his blog, KrebsonSecurity. He says that although nowadays it is not possible to keep “bad guys” from hacking company databases, there are things that companies that are serious about cybersecurity do. “They’re reshuffling the organizational chart so that people in charge of security report to the board, the CEO, and/or chief risk officer — anyone but the Chief Technology Officer,” says Krebs. “They’re constantly testing their own networks and employees for weaknesses, and regularly drilling their breach response preparedness (much like a fire drill). And, apropos of the Marriott breach, they are finding creative ways to cut down on the volume of sensitive data that they need to store and protect.”

For franchisees, a major hurdle in an already slowing brand

Nearly 6,700 hotel properties are associated with Marriott’s 30 hotel brand names in 130 countries. In North America, Marriott owns less than a percent of the hotels under its flags. Some eighty-two percent of the hotels in its system here are owned and operated by franchise owners. The company manages an additional 17 percent of hotel properties that others own.

Franchisees and property owners should expect lower guest demand for hotel brands under Marriott as more about the breach is learned.

This hack is a major blemish on the brand. Before this, Marriott was known for its operational excellence. That perception in excellence in service execution should help a tarnished brand come back. Still, as of late, its performance has not been up to the level of its reputation. For example, take hotel revenue per available room, or RevPAR. Calculated by multiplying a hotel’s occupancy rate by its average daily room rate, it is a major measure of performance at the hotel level. In its last third quarter report in October, comparable RevPAR for hotels under the Marriott flag were up a modest 0.6 percent for North America. Meanwhile, competitor Hyatt had a larger increase of 1.4 percent in the U.S., and Hilton hotels grew comparable RevPAR by 1 percent (see chart).

As Marriott has become bigger through acquisitions —e.g. Gaylord Hotels in 2012, Delta Hotels in 2015 and Starwood in 2016 — it has taken on baggage. The weighed-down franchisor announced in its last quarter earnings conference that it anticipates an even slower growth for 2019. Now the four-years-in-the-making cyberhack will be a further hurdle, a big one, for Marriott hotel franchisees and its property owners in a highly competitive race.

BMM photo: Sheraton Waikiki 2017, 12 Days of Christmas sand sculpture. First day, “A Menehune with a Christmas Tree.”

Related reading:

Don Sniegowski


Marriott hack could be largest cyber insurance loss in history

Marriott's insurance is estimated to not have nearly enough insurance to cover the consequences of this hack., a news site that covers catastrophe bonds, reinsurance and risk transfer, reports:

Marriott has at least $250 million up to as much as $350 million of affirmative cyber insurance cover, an amount that is expected to get wiped out from the resulting claim for costs associated with recovery from this loss of data… This has the potential to be the largest standalone or affirmative cyber insurance loss in history and if there is any leakage to other policies it could become another large market-wide cyber loss, with the potential for reinsurance carriers to be impacted.