What Independent Hotels Must Learn from the Marriott FTC Decision


Article Summary: The Marriott International FTC decision, which resulted in a $52 million penalty for data breaches affecting 344 million customers, is a crucial cybersecurity lesson for independent hotels. Key areas for improvement include robust authentication, intentional management of guest data, and comprehensive staff training on cybersecurity best practices.

This month the FTC announced the action it has taken against Marriott International and its subsidiaries, addressing multiple data breaches affecting millions of customers. While there is no reference to independently run properties, we can expect this ruling's requirement for a significant cybersecurity program to have a downstream impact on the hospitality industry.

Marriott International has agreed to pay a $52 million penalty following a series of major data breaches that exposed the personal information of more than 344 million customers worldwide. The case revealed several security shortcomings that led to extensive breaches of sensitive guest information, including passport details, payment card numbers, and loyalty program data. [1]

The proposed agreement is available on regulations.gov. Public comments are invited until November 12.

Downstream Impact

At its core, this decision emphasizes the importance of hospitality leadership in protecting guest data, in addition to ensuring their physical comfort and safety. Apart from the potential financial penalties, the loss of customer trust has a greater impact on independent properties than it does on Marriott.

In the overwhelming world of cybersecurity information, what actions should independently owned properties take today? While the technical details might seem daunting, there are several practical steps you can take now, in advance of any significant changes or investments.

To start, boutique inns and large resorts alike should consider whether they are vulnerable in any of the areas Marriott was cited for [2], including:

  • Failed to apply adequate multifactor authentication to protect sensitive information
  • Failed to implement appropriate password controls, which resulted in employees often using default, blank or weak passwords
  • Failed to patch outdated software and systems in a timely manner
  • Failed to adequately monitor and log network environments, limiting the ability to detect malicious actors and distinguish between authorized and unauthorized activity
  • Failed to implement appropriate access controls
  • Failed to implement appropriate firewall controls
  • Failed to implement appropriate network segmentation to prevent attackers from moving freely across its networks and databases

Despite the teeth-gritting anxiety that list may cause, there are practical improvements you can implement today without incurring significant financial risk. You can also schedule a call with us today; we will help you review your security posture and identify the areas to prioritize. We offer a free high-level risk assessment to help you determine your next steps.

[Graphic: a mind map of the practical security measures referenced in this article: Training, Policies, Password Reset Reminders, Authentication, Data Management, and Hiring an Expert]

Start with Authentication

Password management is one of the easiest and most effective places to start when reviewing your cybersecurity posture. Adding password management rules to your acceptable use policy and enforcing mandatory complexity requirements will make your organization more secure. Some questions to ask:

  • Do you have password policies documented in an acceptable-use policy?
  • What is your level of confidence in managing your own passwords? Is your entire operation at risk if your account is compromised?
  • Multi-factor authentication, or MFA, is a cybersecurity best practice [3]. Where can you enable MFA today?
    • All social media services offer multi-factor authentication, and social media accounts are a common first stop for bad actors.
    • Email is another service to prioritize for MFA. If your mail is hosted by Google or another third-party service, you can enroll in MFA with your mail provider.
    • Enable MFA on your third-party booking services, such as booking.com, and on your direct-booking services.
  • When was the last time you changed your own password?

Intentional Data Management

Think of guest data as being as valuable as the physical property of your hotel. Implement policies that limit data collection to only what is necessary, ensure the data is stored securely, and limit the users who can access it.

Here are some practical considerations regarding the storage of your guests' data.

  • Who can access your guest data? Does reception need access to all guest data? Is there a way to limit what data each user can see?
  • How do you back up your guest data and payment records?
  • Is sensitive data encrypted?
  • If guest data is stored on paper, is it locked securely where only privileged members of staff can access it?
  • If possible, create separate accounts for yourself, your administrators, and your staff in your booking partner tools.

Training Yourself and Your Staff

Just as you train staff in customer service, make cybersecurity awareness a part of your regular training programs. Simple actions like recognizing phishing emails can significantly reduce risk. Phishing attacks look different to different audiences, so consider reading some examples published by the industry, like this one by booking.com.

This is a good time to give your privacy and acceptable use policies a refresher. Is your privacy policy linked on your website and on your direct-booking website, and does it reflect all of the current ways you collect and store guest data?

Don’t have an acceptable use policy? There are many free templates available from the Center for Information Security.

Have a clear plan for what to do if a data breach occurs, document it, and take time to educate staff on the new policies. Define the steps your staff should take if they think a system or data is at risk. For example, if they come across a workstation left unlocked with a guest's name and address clearly showing, how should they respond?

Consider Expert Help

Just as you consult with interior designers and chefs to enhance your guest experience, consider partnering with cybersecurity experts who understand the unique needs of the hospitality industry. At Salt Peak, we specialize in making complex security solutions accessible and effective for hospitality businesses. Our approach is to translate enterprise-level security practices into practical, manageable solutions that don’t interfere with the personal service that defines great hospitality. Contact us today to get started.

As the industry evolves, staying ahead of cybersecurity threats is as important as staying ahead of guest experience trends. Take proactive steps now to protect your guests, your reputation, and your business, ensuring that you remain focused on providing exceptional experiences in a secure environment.

  1. FTC Takes Action Against Marriott and Starwood Over Multiple Data Breaches, Federal Trade Commission, October 9, 2024
  2. Federal Register, Vol. 89, No. 198, October 11, 2024
  3. Multi-factor Authentication (MFA), CISA, January 5, 2022