In 2014, hotel chain Starwood Hotels and Resorts was subject to a cyber hack that compromised the data of more than 300 million customers and resulted in a fine of $26.5m (reduced from an initial $128.1m) for its new owner Marriott International. The data breach remained undiscovered until 2018, by which time a multitude of personal information, from passport details and birthdates to credit card details and mailing addresses, had been exposed and potentially stolen.
Yet even since this event, hotel chains have continued to fall victim to cyber-attacks on account of weak security systems. Hotel and casino conglomerate MGM Resorts International had six terabytes of data stolen from its systems in September 2023, rendering guests unable to check in and causing disruption across the chain’s parking systems, ATMs, and slot machines.
“The attack, for which ransomware-as-a-service group ALPHV claimed responsibility, reportedly used social engineering to identify an MGM employee who worked in IT support,” explains David Bicknell, a principal analyst at GlobalData. “The next step was simply to call the MGM help desk. It was claimed that the attack took about 10 minutes to execute.” The cyberattack on MGM Resorts in Las Vegas resulted in the company losing around $100m, according to a filing made with the Securities and Exchange Commission (SEC).
“The attack shows how, for all the best laid plans and preparations by the biggest companies, simple social engineering can reveal the weakest link in many companies, including travel specialists,” continues Bicknell. “The impact on travel companies’ clients, whether they are airline passengers or hotel guests, can be significant and memorable, for all the wrong reasons.
“The growing number of cyberattacks and increased interest in the use of AI, are only likely to compound travel cyber challenges, not solve them.”
A changing world of data protection
Hotel chains are tempting targets for data thieves on account of the enormous quantity of personal information they are required to process to complete bookings. “The industry has adopted emerging technologies such as artificial intelligence, the Internet of Things (IoT), and the Cloud,” notes Nicholas Wyatt, head of R&A, Travel & Tourism at GlobalData. “It holds hugely valuable and sensitive data on every traveller, as well as payment data. This can all be valuable to bad actors who may harvest this data and then potentially sell it.”
Companies such as Marriott have operations in thousands of locations worldwide, and access to many more through their various subsidiaries. Their systems are therefore a gold mine of information on a variety of people, from business professionals to holidaymakers, across the globe.
The rapid expansion of hotel chains through the acquisition of different brands has further exposed them to data breaches. The infamous Starwood/Marriott data breach occurred within the guest reservation database of Starwood, a brand purchased by Marriott for $14.7bn in 2015. Starwood had been the subject of the hack since 2014: before, during, and after the acquisition process. Marriott’s failure to notice this during due diligence proved to be a grave mistake for all parties involved.
Marriott’s data disaster was made worse by European Union legislation regarding personal information. By law, companies and their subsidiaries which handle personal data of European citizens, regardless of the location of their headquarters, are required to follow EU data privacy laws, known as the General Data Protection Regulation (GDPR). The GDPR also applies in the UK, even after Brexit. It was under this law that, after an investigation, the UK data privacy regulator – the Information Commissioner’s Office (ICO) – fined Marriott the $26.5m penalty in October 2020. In its decision, the ICO specifically cited Marriott’s failure to undertake sufficient and proper due diligence on the target and its failure to secure the target’s systems after completion.
For a buyer therefore, “understanding EU and UK data privacy laws and how your target collects, stores, uses, and transfers personal data is really vital during due diligence in understanding the risks associated with a deal,” says Philip Whitchelo, chief strategy & marketing officer at Sterling Technology – a global virtual data room provider which provides a platform for companies to securely share information with bidders and investors during mergers, acquisitions, and asset sales.
“It is essential that all companies, especially those operating in the online space, invest in cybersecurity measures to avoid the risk of causing detrimental and lasting damage to their security, profitability, and reputation,” adds Wyatt. “Breaches can impact consumer confidence and trust.”
Not only this, but the financial repercussions can be substantial. The ICO initially proposed that Marriott should be fined $128.1m, which would have been one of the largest ever penalties issued under the GDPR – although still considerably less than the maximum possible penalty of 4% of worldwide turnover.
Implementing proper due diligence procedures
Whitchelo argues that one of the reasons the fine was so high was Marriott’s failure to comply with multiple provisions of the GDPR: “The ICO was of the opinion that Marriott failed to undertake sufficient cybersecurity due diligence concerning Starwood and then compounded that by an ongoing failure to secure Starwood’s IT systems after the acquisition, which resulted in the data breach remaining undetected for a further two years.”
To prevent themselves from falling victim to similar situations, acquirors have moved cybersecurity due diligence to the top of the agenda when evaluating acquisition targets – especially those, such as hotels, which handle large volumes of sensitive personal information that is likely to be attractive to bad actors.
The adoption of the GDPR, in May 2018, has played a crucial role in enforcing cybersecurity to a standardized level across the European Union. Any company that holds personal data of EU citizens needs to comply. The fines for non-compliance can be up to 4% of annual worldwide turnover. Virtually every company handles personal information in some form. If a target company does not have appropriate technical and organisational measures in place to protect personal information, it could be subject to large potential fines. Acquirers need to do appropriate cybersecurity due diligence on targets; otherwise they could be taking on big additional risks.
So how does one conduct “cyber due diligence”? What do advisors and corporate development teams need to be aware of as cybersecurity attracts more scrutiny?
“If you are the buyer, you will want assurances that the target has taken appropriate steps to protect confidential information against breaches and is fully compliant with data privacy regulations. You will also need to conduct cybersecurity risk assessments of the target. If you are a target, the question is how do you make this easier for the buyer? What should you provide at a basic level? What could you offer? Targets will need to consider cybersecurity as part of any vendor due diligence process,” says Whitchelo.
Failure by targets to consider these issues fully during due diligence can result in a reduction of the target’s value or even the buyer dropping out entirely. However, there are steps vendors can take to ensure a smooth sale, including conducting an internal cybersecurity assessment. Whitchelo says this will not only “make life easier for your buyers,” but also “enable you to discover any ongoing breaches that you didn’t know about.”
Discover further insights
To discover further insights into the challenges and opportunities facing the sector, download our new report “Challenges and opportunities for the global hospitality sector in a post-COVID-19 world”, published in association with Sterling Technology – the premium virtual data room provider for hospitality and hotel dealmaking.