Marriott International faced the potential for extensive fines after revealing a security breach at hotels it acquired with the purchase of Starwood Hotels & Resorts.
The company saw its share price fall by almost 6% on the news, as the importance of doing thorough diligence on intangible as well as tangible assets was cast into focus.
CFO Leeny Oberg told the Barclays Gaming and Lodging Conference that it was “too early” to pin a number on the cost to the company of the breach.
Moody’s warned that the breach of Marriott’s Starwood guest reservation database was a potentially credit-negative event, commenting that it would take “months before the company can quantify the costs”.
The breach, which Marriott revealed on 30 November, affected reservation information on or before 10 September 2018, the company said.
Marriott said in the filing that it had discovered the breach on 8 September, before discovering the full extent of the information that had been taken on 19 November. The group learned during an internal investigation that there had been unauthorised access to the Starwood network since 2014. Under the GDPR regime in Europe, companies must inform regulators of breaches within 72 hours of becoming aware of them. The group faced financial penalties of up to 4% of its annual global revenue.
The group said that the database affected contained the details of around 500 million guests and that about 327 million of those may have had their passport numbers, email, and other personal data taken. Credit and payment card data also may have been stolen.
“We deeply regret this incident happened,” said Arne Sorenson, Marriott’s president & CEO “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
As observer close to the situation, who declined to be named, told Hotel Analyst: “Starwood was a sieve. They knew it was a sieve, they had already disclosed two events prior to the acquisition. Going into the integration, there was a huge focus on how to triage and prevent issues like this, and I suspect it was priced into the initial deal but got forgotten in the competition to close the deal that ensued.
“Fundamentally, Marriott themselves – not the Starwood parts – are textbook in their approach to information security: they take no risks, do all the right things, tick all the right boxes. And do a really good job. But from an information security perspective they bought a lemon, and they know it. This breach has fingerprints going back years – and the reality is it’s probably only the controls Marriott introduced that brought it to the surface – if it was still under Starwood control they wouldn’t be aware of it.
“The challenge now is managing the clean-up, but a bigger issue would be dealing with owners from whom significant investments have been demanded in the name of compliance and information security. It could be spun as a good thing, allowing them to secure further investment, or it could be used by owners to beat them a little harder. It would be interesting to see what longer-term pressure this brings to bear on the franchise portfolio, that have been traditionally excluded for significant controls and standards.”
In November 2015 Starwood Hotels & Resorts disclosed that malware had been found on its point-of-sale systems at 54 North American hotels. The company said that the breach had not affected the guest reservation system or Starwood Preferred Guest.
A similar breach occurred in 2016 when HEI Hotels & Resorts confirmed that there had been a data breach at 20 hotels it operated for Starwood Hotels & Resorts, Marriott International, Hyatt Hotels International and Intercontinental Hotels & Resorts. The breach related to credit card details and point-of-sale terminals.
Commenting on the position in Europe, Tom Page, global head of hotel & leisure group, CMS, told us: “This will be a very big scalp for any regulators looking to make an example of a company with deep pockets in the first big case since GDPR, so I imagine some will try quite hard to find something to pin on them. Marriott will have their work cut out to convince regulators they have done everything by the book and could not have done anything about this sooner. Of course the bigger fines in EEA only come for non-compliance with GDPR since May 2018. So any deficiencies from Sep 2014 to May 2018 would be under the old regime.
“So if Marriott have done everything right since May then they could escape a larger GDPR fine and just face a much smaller fine for Starwood’s non-compliance in previous years, although this would be under national laws across each EU country, which in EU were based on common Data Protection Directive, but not necessarily implemented identically in each country.
“Regardless of fines, just the costs of dealing with regulatory investigations, compensation claims, class action law suits and owner/franchise relations in every single country in the world that has data protection legislation and a Starwood guest citizen is going to be a massive cost in itself.”
HA Perspective [by Katherine Doggrell]: So buyer beware and for those of us who thought the greatest issue in buying Starwood Hotels & Resorts was what to do with Le Meridien, think again. You just don’t know what’s under the hood in these cases and my goodness what a pickle. As many have noted, it comes across as rather unfair to Marriott International, which has done everything right in regards to its own data protection and, in terms of technology, has set an example as an innovator in the sector. Although, one notes, Marriott’s controls can’t be that good if it took them two years after the acquisition of Starwood to notice. And as one observer told us, many details have yet to appear: it doesn’t say that this particular breach started in 2014 (it could be something else entirely) and doesn’t say whether details of guest stays in 2014 (or earlier) have been stolen.
You’re only as strong as your weakest link and, after two years of talking about how brilliant and cost-saving the takeover was going to be (around USD250m, readers will recall), that USD250m looks to be somewhat under threat. For 2017 Marriott’s revenue was USD22.894bn – 4% of that would be enough for all of us to enjoy a very happy Christmas and that’s just the fine under GDPR. Other jurisdictions are likely to be interested too.
Not a good week for Marriott International and just when the integration was progressing nicely. But short of going off the grid and holing up with a shotgun in the Adirondacks, what’s a consumer to do? Data breaches are almost a way of life to those of us not trading using gold or magic beans. Some of us, this hack (excuse the almost-pun) included, are wary of handing over an excess of personal details, but passports and credit cards are standard procedure and all that is required for a full fleecing. And not always in the obvious emptying of one’s account – victims of the Yahoo hack found themselves being blackmailed by mysterious figures who ‘knew their secrets’. We may not all have bodies in the garden, but enough of us are keeping things from the inlaws to make such tactics a success.
Where there may be an impact is in that non-essential data handover – the loyalty programme. Marriott International’s key battleground with the OTAs. If the likes of Booking and Expedia aren’t rushing out press releases about how secure their own systems are, they’re missing a trick.
Additional comment [by Andrew Sangster]: This is a worrying breach but it is not, unless it is very badly handled, likely to create serious damage to Marriott in the long-term. Morgan Stanley analysts in the US estimated that the potential fines and settlements will total USD200m. Given that industry journal Insurance Insider estimates that Marriott is likely to claim USD300m, the net effect does not look too bad.
But not so fast. This is a US-centric view and it might well be the case that in Europe and elsewhere, authorities see this as an opportunity to burnish their data protection credentials.
The General Data Protection Regulation in force across the EU makes Marriott liable for up to 4% of its global sales. This is a potential exposure of USD900m. GDPR is meant to take account of how well a company reacts to a data breach which may mitigate this exposure.
My own personal experience has not been great. I received an email six days after the leak hit the news headlines, with the fabulous intro “Dear Valued Guest”. The email took until page nine before it gave any information that was even remotely specific to me (as an EU citizen) and p12 until it mentioned the UK. Personalised it was not.
A bigger worry though is why this has occurred. The blame game has already started with Marriott fingering Starwood and some former Starwood execs are already firing back. Certainly, it looks a bit foolish of Marriott to have sacked the Starwood IT team before it had plugged all the holes.
Given the difficulties of merging Starwood and Marriott data – it took over two years for there to be a unified loyalty scheme – it would have been prudent to have hung on to some staff a bit longer to assist in this process. It might well be that cost control has got in the way of more sensible management practice.
The biggest potential damage here is reputational. But given that many other hotel companies are even worse, Marriott is likely to be able to ride this one through.
Data security is not going to be a big motivator when people are selecting their hotels but it is a good indicator of how well-run a hotel company is. The issue thus sits in the Environment, Social and Governance bucket. And ESG is creeping up investor agendas.
Of itself, ESG does not drive better returns. But good ESG scores indicate a well-run company. A properly balanced measure will account for the fact that even the best-managed operation sometimes makes mistakes. It is how you fix the problem and whether it happens again which will determine the long-run outcome.
Marriott has its detractors, but it is rarely people alleging that it is a business that lacks disciplined management. Morgan Stanley looks right in stating that the share price drop was overdone.