The Hidden Costs of Marriott's Data BreachGreg Gerik 04/11/2018, Industry News
You may have recently encountered news of the Marriott data breach which is now being circulated as the second largest data breach in history. Over 500 million profiles were exposed including sensitive customer information. On average, over 6 million records are stolen daily around the globe. We have almost become desensitised to the increasing frequency of stolen data records.
Unfortunately, many of these breaches, including the Marriott example, could have been prevented. For various business reasons, oversight and policies, financial, business risk analysis, etc., some businesses choose not to take cybersecurity as seriously as others – which comes at a cost. In the 13thannual 2018 Cost of a Data Breach Study: Global Overview from IBM Security and Ponemon Institute listed the global average cost of a data breach at 3.86 million, up 6.4% from last year. Stolen records containing confidential information landed at $148 per record which accounts for an increase of 4.8% from 2017.
Unfortunately, when studies are conducted on the costs of data breaches, they often leave out the intangible costs which, in my opinion, are the greatest risks companies face today regarding data protection. These studies often include the average costs of remediation (credit monitoring, IT costs), lawsuits and potential payments to third parties to address the issues. However, intangible costs are often left out due to their unknown factors.
The best example I can offer is this current Starwood / Marriott breach. In 2015, I was talking to a colleague about a digital project with a global hospitality company. During the course of our conversation, my colleague revealed the primary booking engine created errors in 20% of the bookings - and this had been occurring for years. The budget for upgrades was never approved year after year until the numbers revealed how many millions were lost daily by the current system in place. Those are lost opportunities that have a lifespan of minutes. How many people booked elsewhere because their system was down 20% of the time?
The same can be said for Starwood. This past weekend I was booking travel and attempting to book at a specific hotel location. Unfortunately, for at least 48 hours, if not more, any Starwood property I selected was unavailable. Last year Marriott’s online bookings were averaging about 35 million dollars per day. While this only affected the Starwood properties in their booking engine, that’s still a significant revenue opportunity lost either due to server upgrades or the website crashing from profile password updates.
Additionally, one should consider this was just the immediate aftermath. How much web downtown will come in the next few days/weeks as they work to fix the issues? These are very real costs that do not return to a business in the future.
Another cost not calculated often in breach studies is goodwill. Enterprise companies take their business travel very seriously and will take the burden of account issues with their Marriott travel equally as seriously. Will they consider other alternatives in the future? How much damage will this pose to future contracts? Traditionally, statistics show goodwill to be minimally affected by data breaches. However, that’s not always the case today, e.g. Facebook.
The dirty not-so-secret of the hospitality industry, as a stereotype and as a whole, is that their IT infrastructure is abysmal. The costs of upgrades across all hotel properties is so large, they are always reluctant to budget. Many chains also have franchise considerations which slow transformation considerably and influence those upgrades as well. None of these challenges, however, negates the need for customer privacy and protecting customer data.
As a new, younger generation places a priority on experiences and corporate goodwill, the true costs of cybersecurity should be examined through a larger business lens. Only looking at the analysis based on known remediation costs, will prevent many companies from taking the actions needed to prevent these cybersecurity issues in the first place. Unfortunately, I expect this current Marriott breach could have been prevented with technologies costing much less than the cost of the breach itself. Hopefully this teachable moment will help others, especially in the hospitality industry, take notice.