Data breaches were around long before the Internet and businesses’ heavy reliance on digital data, but now more than ever, companies are at risk of having valuable customer data compromised.
A data breach is an incident in which sensitive or protected data has been stolen or used by an unauthorized third party. Data breaches can be broken down into four sub-categories: ransomware, malware, phishing scams and distributed denial of service (DDoS) attacks.
Imran Ahmad, partner at Blake, Cassels & Graydon LLP in Toronto, specializes in cybersecurity, privacy and technology law and says the cybersecurity landscape has changed drastically over the past decade. “If you go back 10 years or so, the biggest concern many businesses had was they had a lot of personal information and, if something happened like a data breach, they would be outside of their privacy laws — provincial or federal,” says Ahmad. “That’s still a concern, but the bigger concern now is if they’re hit, for example, with a ransomware attack, their operations are going to seize up and they’re not going to be able to generate revenue.”
According to the 2019 study, The Security of Confidential Documents in the Workplace, by the U.S.-based Ponemon Institute, many data breaches result from human error, with 69 per cent of survey respondents indicating that one or more of the data breaches their company experienced in the last year involved the loss or theft of paper documents or electronic devices containing sensitive or confidential information.
While human error may be the cause of some data breaches, malicious intent is at the root of many others, according to Verizon’s 2018 Data Breach Investigations Report, which states 76 per cent of breaches were financially motivated, something Ahmad attests to.
“At the end of the day, what the hackers are trying to do is make money, whether it be stealing and selling your data on the dark net or paralyzing your organization with a DDoS or ransomware attack to try and compel you to pay their ransom,” says Ahmad.
Sandeep Gupta, vice-president at Sunray Group of Hotels, says the ripple effects felt after the data breaches are more than just numbers on a page. “A major issue [is] once there’s a data breach, the guest has a negative feeling towards not only the hotel but the brand. This has to be handled with the utmost respect as we’re being trusted with confidential information on a daily basis,” says Gupta. “Loyalty, in general, is sensitive, so being upfront and assisting the clientele once a data breach takes place is extremely important.”
Hotels are at particular risk for cyberattacks due to the sheer amount of data they process daily and the global nature of their customers.
“The hospitality space is more complex than a typical security breach, because many hotels have patrons coming from different jurisdictions and it’s not just where the breach occurred, it’s also where the patron is based,” says Ahmad. “When you walk in to any hospitality establishment, you’re going to be sharing some type of personal information — whether it be credit card details, names or home addresses. And, while there may be good reason for it, it’s a lot of information about someone.”
According to the Ponemon Institute, the average total cost of a data breach is $3.86 million, accounting for the disruption of service, lost customers and lawsuits from affected customers.
Choice Hotels suffered a data breach, through a third-party vendor, in July of 2019, which leaked 700,000 records, including the names, email addresses and phone numbers of its customers.
The database had been open for four days before being shut down and, when the leak was found, a ransom note was discovered demanding $4,000 worth of Bitcoin in exchange for the return of the stolen information. Choice indicated the ransom attempt was “not successful.”
Another significant example is Marriott International’s discovery that the legacy Starwood guest-reservation database had been compromised. The unauthorized access, which began in 2014, was announced in November of 2018.
The compromised database has since been phased out of operation as Marriott continued post-merger integration of Starwood systems.
The attack stole personal records from roughly 383-million customers who made reservations at legacy Starwood properties. The stolen details included approximately 18.5-million encrypted passport numbers, 5.25-million unencrypted passport numbers and 9.1-million encrypted payment-card numbers.
On July 9, 2019, the United Kingdom’s Information Commissioner’s Office (ICO), which enforces the General Data Protection Regulation (GDPR), announced its plan to fine Marriott US$123.7 million. The fine was announced after it was deemed Marriott did not take the proper steps in addressing its massive breach.
The fine announced against Marriott stands to become the second-largest ever handed out by the ICO — the largest being the US$228-million fine announced against British Airways the day prior. Both fines are currently under appeal.
This example shows that, while the number of records is important, the sensitivity of those details is paramount when deciding what punishment to levy. “If my first and last name and phone number get leaked out, it is very low on the sensitivity spectrum, because you can get that from a phone book,” says Ahmad. “But, if someone gets all that information, plus my banking information and social-insurance number, at that point you can see how easy it would be for a hacker to create a fake identity or conduct any sort of identity theft.”
With cyberattacks showing a pattern of year-over-year increase, Ahmad stresses a few things that can help any company prevent and minimize the damage caused by any data-security issues that arise. His suggestions include having a standalone cyber-incident response plan, having cyber insurance in place and training staff on a regular basis. “More often than not, it’s an employee clicking on something they shouldn’t have or accepting a transfer they shouldn’t have that winds up resulting in a data breach,” he adds.
Placing a high priority on cybersecurity is essential in defending against breaches, and hoteliers need to take every possible precaution before it’s too late, cautions Gupta. “All the critical customer data we collect is housed in our PMS systems such as Opera and Fosse — they have their own very stringent data-protection regimes,” he explains. “We always hope our cybersecurity will stay ahead of the hackers and we have to put a lot of faith into the systems to prevent the breaches.”
With countries such as Canada, the U.S. and the entire European Union creating stricter laws and regulations surrounding cyber security and data breaches, Ahmad says he doesn’t expect to see a decrease in reports of breaches anytime soon. “When we see these reports coming out, it’s a result of legal compliance and that’s a trend that is going to continue — we’re seeing a much bigger focus on privacy and cyber security. I don’t see that trend subsiding in any meaningful way. In fact, I could see it increasing going forward.”