What Can You Learn From the Latest Starwood Hotels Data Breach?

Industry News & Information

Data breaches are a dime a dozen these days. You can’t open a paper or check a newsfeed without coming across some kind of scandal involving a hack in which sensitive user data was stolen. In the last year alone, mega corporations, banks, health insurance providers, and government entities have all been breached by hackers, malware, or other online threats. The climate has become one of “if, not when” a hack will occur, and no one is entirely safe.

The most recent data breach to make headlines involved upscale hotel chain Starwood Hotels, a company that includes Sheraton, Westin, W Hotels, and other luxury brands. Starwood isn’t even the only hotel chain to be hacked this year – both the Mandarin Oriental and The Trump Hotel Collection suffered similar breaches.

So how was Starwood Hotels hacked? The chain admitted that malware had infiltrated point of sale (POS) systems, including payment systems in their gift shops, bars, and other retail areas, and that 54 of their hotels had been subject to attack. Luckily, the malware was not found in the guest registration system, so sensitive personal data related to reservations and Preferred Guest Memberships was not compromised, but the breach may still affect some portion of customers who used debit and credit cards at these locations during a certain date range.

Starwood Hotels announced that the malware discovered could have infected some systems as early as November of 2014. During that time, names, credit card numbers, security codes, and expiration dates (the data on a debit or credit card) were exposed, although PINs and contact information were not. In light of the incident, Starwood has taken steps to rectify the situation and make reparations.

When the breach was discovered, Starwood claims the malware was immediately removed and efforts were made to mitigate damage, including contacting authorities and coordinating with credit and debit organizations. Further, identity protection was offered to affected parties, along with credit monitoring services. Of course, Starwood Hotels has also vowed to increase security.

The problem is that many companies are doing exactly the same dance as Starwood Hotels. They’re waiting until a major data breach occurs to beef up their security and monitoring. Starwood is big enough that this black eye won’t cost them too much – their deal to merge with Marriott International Inc. (for a reported $12.2 billion) looks as though it will proceed. But could a smaller company recover from such a breach? Maybe not.

Companies large and small remain under-protected when it comes to digital security, a point that the Starwood Hotels breach (and other recent incidents) aptly demonstrates. Consumers and credit providers are taking steps to protect their interests, most recently through the use of EMV (Europay, MasterCard, and Visa) chips that store and protect user information, as well as create unique transaction codes for every payment.

However, businesses can certainly do more to protect user data, not to mention their own reputations. Starwood may be big enough to weather the storm caused by a data breach, but smaller competitors might not be so lucky. Data breaches can cost companies untold revenue, not only from known costs like security upgrades and reparations, but also from unknown losses related to unsatisfied customers and poor public opinion.

Looking on the bright side, data breaches can force businesses to make necessary changes and upgrades to outdated or subpar security systems. However, companies suffering from such attacks will have to first survive the fallout associated with legally mandated notifications and restitution, not to mention potential lawsuits.

The good news is that businesses can take a lesson from the Starwoods of the world. Starwood Hotels, in particular, could have benefited from some kind of security monitoring. If their admissions are to be believed, their system was infested with malware for approximately a year before they even noticed. Proper monitoring software would likely have caught the breach immediately.

Naturally, there are other steps businesses can take to protect themselves as well, including firewalls, encryptions, strong password policies and programs, and the assistance of a managed services provider, just for example. Hackers can get through a lot, but they’re likely to go for easy targets. Businesses that take preemptive steps on the security front can not only decrease the likelihood of attack, but also reduce the damage done should a data breach occur.