If We Sue Them Will Hoteliers Know We Mean It

August 26, 2020 | rjmcgarvey | InfoSec, Travel, Uncategorized

By Robert McGarvey

I applauded when I saw the headline: “Marriott International faces class action suit over mass data breach.”

The lede sets the table: “Hotel group Marriott International is facing a class action lawsuit in London’s high court from millions of customers, who are seeking compensation after their personal details were stolen in one of the world’s largest data breaches.”

There’s nothing new here. Hoteliers suck at data security. From Trump to White Lodgings, the roll of shame grows louder.  Hotel News Now offers a catalog of the worst offenses going back to 2008 when Wyndham suffered the first of what became three breaches extending into 2010.  

Give a hotel your credit card and you put your finances in jeopardy. Hand over a debit card – with its weaker consumer protections – and you have entered a high risk zone.

So it is about time that consumers are banding together in a class action suit to seek to exact a reputational pound of flesh, plus some actual lucre, from Marriott. The source of the breach is Starwood.  Reported Hotel News Now: “For approximately 327 million of these [breached] guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates.”

What’s stunning is that the breach appears to have gone undetected from 2014 to 2018.

Was no one minding the store? Obviously, uh, no.

Alas, as I read about the suit it seems to involve only guests from England and Wales.

Even so, some of us who cannot join the suit still might want to savor Schadenfreude and watch the action. The Internet makes this easy.

This is 2020 so of course there is a Twitter feed about the suit.  

And there’s a website with plenty of information about the suit and the breach that caused it.

Want to be updated on the status of the suit? Here’s where to register.

Michael Bywell, one of the lawyers involved in filing the suit, explained the why of the suit: “Over a period of several years, Marriott International failed to take adequate technical or organisational measures to protect millions of their guests’ personal data which was entrusted to them. Marriott International acted in clear breach of data protection laws specifically put in place to protect data subjects.”

Martin Bryant, who brought the action, added: “I hope this case will raise awareness of the value of our personal data, result in fair compensation for those of us who have fallen foul of Marriott’s vast and long-lasting data breach, and also serve notice to other data owners that they must hold our data responsibly.”

The sad bit is that exactly the same could and should be said about many other hotel management companies because indifference to data security is the industry norm.  Go back and look again at the Hotel News Now database of breaches.  It is only a minor exaggeration to say that if you stayed in a US hotel in the past decade, very probably you are a victim of a data breach.

I wish I could say that because of the publicity over breaches, the fines, and now the lawsuits, hotels are safer today.

But they aren’t. If anything, in the pandemic with the resulting collapse in bookings and revenues, the fear is that many hotels and management companies are cutting back on data security.  And criminals live to exploit weaknesses.

For some years I have said that, sadly, protection against data breaches when traveling is on us.  That’s all the more so now.

That means giving hotels the least amount of information possible.  If asked for information you don’t believe they have a valid need for, lie.

Always use credit cards with the smallest possible balances.

Monitor loyalty accounts with a regularity that suits your balance.  I never check my Bonvoy account (an Amex plat perk) because I have not had an eligible stay. But if I had many thousands of points I’d check weekly.

Assume that when you travel, your data may be hacked. It could be the restaurant where you eat that is breached.  It could be a nation state breaches your cellphone

But in my eyes it’s hotels that pose the biggest security risks.

It’s dangerous on the road, my friends, act accordingly.

Leave a Reply

Your email address will not be published. Required fields are marked *