businesstraveller.com MARCH 2019
83OPINION
I
n January there was a further update
from Marriott International about its
compromised Starwood guest
database. The press release declared a
majorintrusionintothesystem,
which affected more than 383 million
travellers (down from 500 million). In its
original statement in November last year, it
identified that the information theft started
more than four years ago.
Marriott now advises that the following
was possibly compromised: “Name, mailing
address, phone number, email address,
passport number, Starwood Preferred Guest
account information, date of birth, gender,
arrival and departure information,
reservation date and communication
preferences. For some, the information also
includes payment card numbers and
payment card expiration dates, but the card
numbers were encrypted.”
DUTY OF CARE
Before the Marriott press release, travellers
were already reeling from a data breach at
British Airways between July and August
last year. I had the tiresome experience
of having to change all of my passwords
and request new bank cards. Significantly
inconvenienced, I sought compensation
from the airline. After at least half a day’s
aggravated angst, several mails, a couple of
bank declarations and the cost of returning
my payment card, I received a British
Airways cheque for £3 in compensation,
this being the only cost I could verify with a
postage receipt. I had suggested an upgrade
to my Executive Club status, but was told
that this was impossible.
All of this reminded me that businesses
that request our personal data need to
BENJAMIN SOUTHANimprove considerably the
systems that are designed to
protect it, and to
compensate us properly
when, because of their
inadequacy, they prove
unable to keep it secure.
Reflecting on this
responsibility and the
increased exposure our lives
have on the web, I wondered how long it
had been since not just individual
hackers but organs of state had
been looking through my
details. The UK’s National
Cyber Security Centre,
established two years ago,
announced in its 2018 review that it defends
the country from ten attacks a week.
In the early nineties, when I was general
manager for a large hotel chain, I was
approached by the British security services
about an article they had read in a travel
journal. The piece that had caught their
attention concerned ITT (which owned
Sheraton at the time) promoting a new
concept for its hotel division. Its great leap
forward was to utilise the booking system to
pass guest information across continents. In
this way, any hotel in the chain would know
all about client preferences ahead of a stay.
What MI6 wanted to know was whether
the system could follow someone worldwide
that they were specifically interested in.
Could they trace where they were going?
Would the system let them know where
they stayed, what they bought and – most
important of all – who they called?
At the time, my level of computer literacy
was at about the same as a mountaineer’s
knowledge of deep-sea diving, so I was unableto answer the question
instantly. After they left, I
made further enquiries to
see if it was indeed possible
to track individual guests
around the globe.
It became clear that, at
the hotel level, only certain
preferences would be
passed on with an advance
reservation. But the
database held in the US had a
wealth of information that
was on the central system used
for marketing and business
performance measurement.
Today, we are in the strange situation
where we are all far more aware of how
much of our personal data is out there,
while at the same time frantically typing
even more of it into our social media
profiles every day, whether providing
updates to Facebook, or simply using
Google Maps to find out where our hotel is
located while unlocking our phones with
our fingerprints.
No one knows who has stolen the
Marriott/Starwood data, but given that
international corporations such as these
hotel groups dutifully record travellers’
itemised spending, preferences, habits and
personal data, it may be a government-
sponsored entity. Something of this
magnitude that has been going on for
several years might indicate an organisation
of scale. MI6 clearly had an inkling back in
the nineties how important all of this data
transfer was going to become and how the
internet would open the doors wide to an
anonymous invasion of our privacy. We are
all now finding out just what that entails.BT^The National Cyber
Security Centre stated
that it defends the
country from ten
attacks a weekGetting
personal
Recent data breaches have highlighted the vulnerability of
our information. But just who is pilfering our details?DEREK PICOT
A HOTELIER FOR MORE THAN 30 YEARS
AND AUTHOR OF HOTEL RESERVATIONS