What the Marriott Data Breach Means for the Travel Industry

You may be small, but your data security needs to be mighty. Cyber criminals increasingly target SMEs. Are you insured against that risk?

Although it might seem like “last year’s news,” the 2018 Starwood Marriott data breach called attention to the cybersecurity challenges facing the travel industry. In November 2018, the hotel giant announced that a security weakness for the Starwood preferred guest login left personal information of approximately 500 million guests exposed. The security flaw that led to the “unauthorized access” allowed cyber criminals to copy and encrypt personal information. Moreover, despite identifying the issue in 2018, it appears that the vulnerability had been in place since 2014. The real news for SMEs? If this can happen to a large organization, it can happen to you.

Data Breaches in the Hotel Industry Are on the Rise

Another piece of old news? Cyber attacks aren’t stopping any time soon. In 2018, SMEs paid, on average, between $1.1 million and $1.6 million for stolen or damaged IT assets and infrastructure. For most SMEs, these costs can lead to bankruptcy.

Between 2016 and 2018, 14 different hotel companies experienced data breaches. Although some of the biggest names in the hospitality industry landed on this list, so did some smaller members such as Rosen Hotels and Resorts. The small Florida-based company only operates nine hotels and all are located in Florida. Malware installed on the payment card system allowed cyber criminals to access the information of an unknown number of customers.

What is “Risk” in the Hospitality Industry?

The changing nature of the hotel and travel landscape means you are collecting more information, making your business more attractive to cyber criminals. You’re also sharing information between your database and third-party resellers like Expedia, Kayak, and Priceline. Databases and point-of-sale payment systems can put the following data at risk:

  • Names
  • Phone numbers
  • Email addresses
  • Passport numbers
  • Dates of birth
  • Arrival and departure information
  • Credit card numbers and expiration dates
  • Passport information

Your General Liability Policies Might Not Cover Data Breaches

Hit with a multimillion dollar claim from the payment card companies, Rosen filed for coverage under their general liability (“GL”) policies. St. Paul Fire & Marine Ins. Company denied coverage under the general liability policies. In response, Rosen sued their insurer for coverage.

The courts, however, seem to consistently be siding with the insurer on this issue.

In late January 2019, the District Court ruled against the hotel company in the coverage litigation. Courts seem to be supporting insurance companies denying coverage under GL policies.

With the District Court supporting the insurer, Rosen now plans to appeal to the Eleventh Circuit.

Don’t Bury Your Head in the Sand

As a small hotelier, Rosen thought that “it would never happen to me.” However, not only did it happen to them, but they’re being hit with all the Payment Card Industry Data Security Standard (PCI DSS) fines imaginable.

Even worse, Rosen didn’t find the data security weakness on their own. Former guests found unauthorized charges and informed the company of the breach. In other words, Rosen wasn’t continuously monitoring their data environment. They cared so little about data security that they left customer information at risk for approximately 18 months.

Their weak cybersecurity controls cost them money, business, and reputation. Anti-malware software is a basic protection for mitigating data threats. Yet, Rosen either wasn’t using it or wasn’t updating it.

What Does This Mean for the Travel Industry?

Hotels, travel agencies, and their business partners need to protect their data and their business. Rosen chose to rely on its GL policies and ignore the importance of cyber risk insurance. They weren’t monitoring their environment. They weren’t engaging in strong cyber hygiene.

If you think that insurance premiums and information security automation tools are a costly investment for your company, you might want to think again.

Most cyber security professionals predict that automated tools and machine learning are the wave of the future. These tools lower the amount of time it takes to identify a breach and thus save money in the event a breach occurs.

Cyber insurance provides the coverage you need to protect your financial and information assets. Instead of relying on your old, faithful GL policies, you need to refocus your approach to meet new risks. Cybersecurity coverage focuses on data loss, third-party lawsuits arising out of a data breach, business interruption and extortion, and payment fraud.

The right cyber insurance can protect you against the PCI fines and penalties as well as the regulatory fines and penalties associated with a data compromise. These policies focus specifically on cyber crimes, meaning that your coverage is intended to protect against malicious actors gaining unauthorized access to your data.

Why Zeguro?

Zeguro understands your needs. As developers of a comprehensive end-to-end solution for enabling data safety and security in the hotel industry, we want to help you define risk, secure data, and insure against cyber risks to protect you from cyber criminals. We take a security-first approach to compliance that focuses on driving cyber risk to zero through protection and insurance of your valuable digital assets.

Contact us today to get an insurance quote and learn more about how Zeguro can define your risks, secure your data, and insure your business.




Zeguro is a cyber safety solution and insurance provider for small to mid-sized businesses (SMBs), offering a comprehensive suite of tools for risk mitigation and compliance, as well as insurance premiums that are tailored to the size, sector and profile of a company.

Written by Karen Walsh, Contributing Editor

14 years internal audit experience; award-winning writing professor. Cybersecurity writer focused on compliance and end-user awareness.
