December 17, 2019
In July 2019, the ICO imposed a fine of £96M on Marriott International after the personal information of some 500 million customers was compromised. The hotel chain said the guest reservation database of its recently acquired Starwood Hotels and Resorts division was the source of the breach, with hackers reportedly having had unauthorised access to the network since 2014.
For about 327 million guests, the compromised data included some combination of name, address, phone number, email address, passport number, date of birth and arrival and departure information. In the wrong hands, that information could have been calamitous for the unsuspecting customers whose personal data had been harvested.
Such was the severity of the incident that the fine handed out by the ICO was the fourth largest ever to result from a data breach. On the matter, the ICO stated that Marriott had failed to undertake sufficient due diligence when it acquired Starwood and should have done more to ensure its IT systems were secure. Like London buses… the fine was also the second handed out in the same week, after British Airways was fined £183M by the ICO when hackers stole the personal data of half a million of the airline’s customers.
Historically, the hotel industry has seen more than its fair share of data breaches, accounting for 12% of all reported incidents. But while networks and POS systems are the hardest hit, operators often overlook a more common, low-tech threat to information security: paper documents. In an industry that relies on customer-facing services, you need to be confident in the ability of employees to identify, handle and securely dispose of confidential data. GDPR adds further obligations: staff must also be able to detect a breach and have the confidence to report an incident.
So, all things considered: the hospitality industry has a great many challenges to overcome as we enter the 2020s. But fret not, we’ve assembled some essential steps to help you reduce the risk of a data breach and to keep your hotel GDPR compliant.
Think compliance: Download our whitepaper and familiarise yourself with the official GDPR legislation of the ICO. Engage with your local governing body and staff to ensure everyone is aware of the specific requirements for your hotel.
Document the data you hold: Start by auditing your internal systems and identifying where personal data is stored in both physical and online files. Create a list of the software used across your estate, confirm that your data partners – travel agents, booking systems – are also GDPR compliant, and check what data they’re requesting from your customers.
Protect it: Use a document management process so all data is secured from creation to disposal. Remember to think about paper-based documents as well as digital records. A retention policy should identify which documents must be kept and for how long. Mark records in storage with their destruction dates.
Increase cyber security: Prevention and detection tools are critical. Keep everything up to date and password protected. In the case of a data breach, have a response plan in place and be ready to manage the incident effectively and efficiently. Practise your disaster recovery plans and always back up digital information.
Record data breaches: If a data breach occurs, you need to establish the likelihood and severity of the resulting risk to people’s rights. If it’s likely that there will be a risk, you must notify the ICO. For any more information, please consult the ICO’s guide to Reporting a Data Breach and take the self-assessment to help determine whether your organisation needs to report to the ICO.
Destroy it: Have a formal procedure for the secure destruction of documents containing sensitive information, or introduce a Shred-it All Policy so that all documents are securely shredded. Partner with a company that provides a secure chain of custody and a documented process for both paper and hard-drive and e-media destruction.
We protect what matters, and what matters to us is the security of your hotel. Our specialist shredding services are tailor-made for the hospitality industry, where we recommend destroying everything from employee ID cards and casino chips to old uniforms and badges. Our expertise is further reinforced with media and hard drive destruction services to ensure digital information found on USB devices, old room cards and computers is irretrievable.
To learn more about how we can protect the confidential information of your guests, contact us for a no obligation Data Security Survey. Our Data Security Survey is a crucial first step to ensuring vulnerable areas of your organisation are identified. Our team can provide efficient, expert recommendations on how to reduce the risk of a data breach and to help keep your hotel compliant.