How Marriott reacts to a mass data breach from here on will not only affect the company but also shape how travel companies treat data. The Marriott data breach impact could play a significant role in the future of the industry.
On Friday 30 November, Marriott International announced that the personal records of up to 500 million people had been stolen by an unauthorised party.
Marriott data breach impact
The breach affects the company’s Starwood network, which includes brands such as W Hotels, Sheraton, and Le Méridien. The fact that the breach first occurred in 2014 will lead to questioning of the due diligence Marriott conducted when acquiring Starwood back in 2016.
It is justifiable to ask just how this could happen, and the breach is particularly alarming given the nature of the data stolen. The company has confirmed that the information could include any combination of passport numbers, emails, date of birth, gender, and mailing addresses. It also could not rule out that credit card details have been accessed.
From a PR perspective, such a data breach is an unmitigated disaster, particularly given the fact that the initial breach occurred four years ago. It also comes at a time when data security is very much under the spotlight.
However, Marriott has the chance to not only rebuild consumer trust, but also provide the blueprint for how travel companies handle data in future.
Industry-leading detection and response technologies are now a must
The collection of very personal data is unavoidable in the travel & tourism sector as proof of identity is essential.
Therefore, Marriott must now invest very heavily in improved detection and response technologies such as deception-based technologies, endpoint detection and response, software-defined segmentation, and behavior analytics.
It simply cannot afford another mass breach, as a four-year detection gap has significantly dented confidence in its controls.
These solutions must be of an industry-leading standard and set the bar for what is expected in the wider travel & tourism sector.
Post-breach consulting input will be critical if Marriott is to set the bar for the industry
In the more immediate term, Marriott must show that it is employing appropriate post-breach consultants from a leading player like Accenture, IBM, FireEye, Herjavec Group, or root9B.
These firms will help formulate a credible PR strategy to demonstrate that management will now take all actions possible to protect critical digital assets.
They will also look to understand the hackers and what drives them. Identifying the characteristics of a hacker in one breach can help pre-empt others, and if Marriott can demonstrate that it is using such services, its claims of reducing future data security risks will have far more credibility.
Marriott has a chance to repair the reputational damage inflicted by shaping the future for the better, and being seen as the catalyst for improved industry-standard systems would be a great fillip. It must seize this opportunity to turn a great negative into a positive.