Question: Business Case: Multi-National Marriott Hotels Could Face Consumer Backlash and up to $1 Billion in Regulatory Fines and Litigation Costs for Massive Data Breach
Marriott is the world's biggest hotel operator, with approximately 6,000 hotels in 127 countries around the world. In December 2018, Marriott discovered and reported an attack on its Starwood room reservation network that had occurred over a period of four years! From 2014 to 2018, the personal details of as many as 500 million Marriott Hotel guests had been exposed, making it one of the largest cyberattacks reported. Roughly 387 million of the records contained sensitive personal information such as e-mails, dates of birth, passport numbers, physical addresses, and credit card details. Although Marriott claims that details such as credit card numbers were encrypted, it is believed that enough details were taken to allow the attackers to decrypt the information. Following the disclosure of the attack, Marriott's shares fell 5.6% in pre-market trading, and victims of the attack complained loudly on social media after finding out about the situation through the press before receiving any notification from Marriott.
While the size of the attack doesn't compare to that of Yahoo described in the opening case, the damage to Marriott's reputation is particularly devastating. Its guests rely on the hotel chain to keep them safe and secure in the real world, and the attack seemingly suggests that Marriott is incapable of ensuring its guests' digital safety and security. To add insult to injury, the company could face up to $1 billion in regulatory fines and litigation costs. To try to mitigate the impact of the reported attack, Arne Sorenson, Marriott's chief executive, reached out to those affected by saying, "We deeply regret this incident happening. We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support guests, and using lessons learned to be better moving forward."
This latest attack is not the first for Marriott. Long before Marriott International disclosed the most recent cyberattack, the hotel giant had already earned the dubious reputation of being an easy target for hackers. Hackers had skimmed credit cards, looted loyalty accounts, carried out elaborate schemes to trick Marriott employees into downloading malicious software, and, in one particularly noxious attack dubbed Dark Hotel, hijacked networks at individual Marriott properties to spy on corporate executives and politicians. In another attack, cyber criminals locked down rooms by seizing control of the keyless entry system and would not unlock them until the Marriott owner paid a ransom.
Shortly before the breach, Marriott said that it had begun to increase its investment in cyber security and had hired a new chief information security officer. The cyberattack on the Marriott hotel chain is thought to have been carried out by hackers working on behalf of the Chinese Ministry of State Security, China's communist-controlled civilian spy agency. The intelligence-gathering effort, which also hacked health insurers and the security clearance files of millions more Americans, hasn't been advertised on criminal marketplaces. This may be some consolation to Marriott, which may well face a loss of business prompted by a more significant backlash from its guests.
The hotel industry on the whole is not known for having robust cyber security technology. It is the third-most targeted industry after retail and finance. Hilton, Hyatt, Intercontinental, Trump, Radisson, and Mandarin Oriental have all been targets in past attacks. As hotel companies experiment with VoIP and Internet-connected rooms that could lead to the collection and storage of even more personal information, the cyberattack stakes are getting even higher.
Questions
- Marriott had sustained several cyberattacks prior to the one described here. Why do you think it was still vulnerable to the current attack?
- Give three reasons why you think Marriott failed to detect the current data breach for almost four years.
- Would the sale of personal data in criminal marketplaces affect the impact of this data breach on Marriott's reputation? Explain.
- If you were a Marriott customer and were notified about the loss of your personal data, how would you feel and what would you do?
